[PATCH 5.3 69/95] net-sysfs: Fix reference count leak in rx|netdev_queue_add_kobject

stable.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, David Miller <davem@davemloft.net>,
	Lukas Bulwahn <lukas.bulwahn@gmail.com>,
	Jouni Hogander <jouni.hogander@unikie.com>
Subject: [PATCH 5.3 69/95] net-sysfs: Fix reference count leak in rx|netdev_queue_add_kobject
Date: Wed, 27 Nov 2019 21:32:26 +0100	[thread overview]
Message-ID: <20191127202933.720832752@linuxfoundation.org> (raw)
In-Reply-To: <20191127202845.651587549@linuxfoundation.org>

From: Jouni Hogander <jouni.hogander@unikie.com>

commit b8eb718348b8fb30b5a7d0a8fce26fb3f4ac741b upstream.

kobject_init_and_add takes reference even when it fails. This has
to be given up by the caller in error handling. Otherwise memory
allocated by kobject_init_and_add is never freed. Originally found
by Syzkaller:

BUG: memory leak
unreferenced object 0xffff8880679f8b08 (size 8):
  comm "netdev_register", pid 269, jiffies 4294693094 (age 12.132s)
  hex dump (first 8 bytes):
    72 78 2d 30 00 36 20 d4                          rx-0.6 .
  backtrace:
    [<000000008c93818e>] __kmalloc_track_caller+0x16e/0x290
    [<000000001f2e4e49>] kvasprintf+0xb1/0x140
    [<000000007f313394>] kvasprintf_const+0x56/0x160
    [<00000000aeca11c8>] kobject_set_name_vargs+0x5b/0x140
    [<0000000073a0367c>] kobject_init_and_add+0xd8/0x170
    [<0000000088838e4b>] net_rx_queue_update_kobjects+0x152/0x560
    [<000000006be5f104>] netdev_register_kobject+0x210/0x380
    [<00000000e31dab9d>] register_netdevice+0xa1b/0xf00
    [<00000000f68b2465>] __tun_chr_ioctl+0x20d5/0x3dd0
    [<000000004c50599f>] tun_chr_ioctl+0x2f/0x40
    [<00000000bbd4c317>] do_vfs_ioctl+0x1c7/0x1510
    [<00000000d4c59e8f>] ksys_ioctl+0x99/0xb0
    [<00000000946aea81>] __x64_sys_ioctl+0x78/0xb0
    [<0000000038d946e5>] do_syscall_64+0x16f/0x580
    [<00000000e0aa5d8f>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
    [<00000000285b3d1a>] 0xffffffffffffffff

Cc: David Miller <davem@davemloft.net>
Cc: Lukas Bulwahn <lukas.bulwahn@gmail.com>
Signed-off-by: Jouni Hogander <jouni.hogander@unikie.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/core/net-sysfs.c |   24 +++++++++++++-----------
 1 file changed, 13 insertions(+), 11 deletions(-)

--- a/net/core/net-sysfs.c
+++ b/net/core/net-sysfs.c
@@ -923,21 +923,23 @@ static int rx_queue_add_kobject(struct n
 	error = kobject_init_and_add(kobj, &rx_queue_ktype, NULL,
 				     "rx-%u", index);
 	if (error)
-		return error;
+		goto err;
 
 	dev_hold(queue->dev);
 
 	if (dev->sysfs_rx_queue_group) {
 		error = sysfs_create_group(kobj, dev->sysfs_rx_queue_group);
-		if (error) {
-			kobject_put(kobj);
-			return error;
-		}
+		if (error)
+			goto err;
 	}
 
 	kobject_uevent(kobj, KOBJ_ADD);
 
 	return error;
+
+err:
+	kobject_put(kobj);
+	return error;
 }
 #endif /* CONFIG_SYSFS */
 
@@ -1461,21 +1463,21 @@ static int netdev_queue_add_kobject(stru
 	error = kobject_init_and_add(kobj, &netdev_queue_ktype, NULL,
 				     "tx-%u", index);
 	if (error)
-		return error;
+		goto err;
 
 	dev_hold(queue->dev);
 
 #ifdef CONFIG_BQL
 	error = sysfs_create_group(kobj, &dql_group);
-	if (error) {
-		kobject_put(kobj);
-		return error;
-	}
+	if (error)
+		goto err;
 #endif
 
 	kobject_uevent(kobj, KOBJ_ADD);
 
-	return 0;
+err:
+	kobject_put(kobj);
+	return error;
 }
 #endif /* CONFIG_SYSFS */

next prev parent reply	other threads:[~2019-11-27 21:11 UTC|newest]

Thread overview: 103+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-11-27 20:31 [PATCH 5.3 00/95] 5.3.14-stable review Greg Kroah-Hartman
2019-11-27 20:31 ` [PATCH 5.3 01/95] mlxsw: spectrum_router: Fix determining underlay for a GRE tunnel Greg Kroah-Hartman
2019-11-27 20:31 ` [PATCH 5.3 02/95] net/mlx4_en: fix mlx4 ethtool -N insertion Greg Kroah-Hartman
2019-11-27 20:31 ` [PATCH 5.3 03/95] net/mlx4_en: Fix wrong limitation for number of TX rings Greg Kroah-Hartman
2019-11-27 20:31 ` [PATCH 5.3 04/95] net: rtnetlink: prevent underflows in do_setvfinfo() Greg Kroah-Hartman
2019-11-27 20:31 ` [PATCH 5.3 05/95] net/sched: act_pedit: fix WARN() in the traffic path Greg Kroah-Hartman
2019-11-27 20:31 ` [PATCH 5.3 06/95] net: sched: ensure opts_len <= IP_TUNNEL_OPTS_MAX in act_tunnel_key Greg Kroah-Hartman
2019-11-27 20:31 ` [PATCH 5.3 07/95] sfc: Only cancel the PPS workqueue if it exists Greg Kroah-Hartman
2019-11-27 20:31 ` [PATCH 5.3 08/95] net/mlxfw: Verify FSM error code translation doesnt exceed array size Greg Kroah-Hartman
2019-11-27 20:31 ` [PATCH 5.3 09/95] net/mlx5e: Fix set vf link state error flow Greg Kroah-Hartman
2019-11-27 20:31 ` [PATCH 5.3 10/95] net/mlx5: Fix auto group size calculation Greg Kroah-Hartman
2019-11-27 20:31 ` [PATCH 5.3 11/95] net/tls: enable sk_msg redirect to tls socket egress Greg Kroah-Hartman
2019-11-27 20:31 ` [PATCH 5.3 12/95] ipv6/route: return if there is no fib_nh_gw_family Greg Kroah-Hartman
2019-11-27 20:31 ` [PATCH 5.3 13/95] taprio: dont reject same mqprio settings Greg Kroah-Hartman
2019-11-27 20:31 ` [PATCH 5.3 14/95] net/ipv4: fix sysctl max for fib_multipath_hash_policy Greg Kroah-Hartman
2019-11-27 20:31 ` [PATCH 5.3 15/95] net/mlx5e: Fix error flow cleanup in mlx5e_tc_tun_create_header_ipv4/6 Greg Kroah-Hartman
2019-11-27 20:31 ` [PATCH 5.3 16/95] net/mlx5e: Do not use non-EXT link modes in EXT mode Greg Kroah-Hartman
2019-11-27 20:31 ` [PATCH 5.3 17/95] net/mlx5: Update the list of the PCI supported devices Greg Kroah-Hartman
2019-11-27 20:31 ` [PATCH 5.3 18/95] vhost/vsock: split packets to send using multiple buffers Greg Kroah-Hartman
2019-11-27 20:31 ` [PATCH 5.3 19/95] gpio: max77620: Fixup debounce delays Greg Kroah-Hartman
2019-11-27 20:31 ` [PATCH 5.3 20/95] gpio: bd70528: Use correct unit for debounce times Greg Kroah-Hartman
2019-11-27 20:31 ` [PATCH 5.3 21/95] tools: gpio: Correctly add make dependencies for gpio_utils Greg Kroah-Hartman
2019-11-27 20:31 ` [PATCH 5.3 22/95] fork: fix pidfd_poll()s return type Greg Kroah-Hartman
2019-11-27 20:31 ` [PATCH 5.3 23/95] nbd:fix memory leak in nbd_get_socket() Greg Kroah-Hartman
2019-11-27 20:31 ` [PATCH 5.3 24/95] virtio_console: allocate inbufs in add_port() only if it is needed Greg Kroah-Hartman
2019-11-27 20:31 ` [PATCH 5.3 25/95] virtio_ring: fix return code on DMA mapping fails Greg Kroah-Hartman
2019-11-27 20:31 ` [PATCH 5.3 26/95] virtio_balloon: fix shrinker count Greg Kroah-Hartman
2019-11-27 20:31 ` [PATCH 5.3 27/95] Revert "fs: ocfs2: fix possible null-pointer dereferences in ocfs2_xa_prepare_entry()" Greg Kroah-Hartman
2019-11-27 20:31 ` [PATCH 5.3 29/95] mm/ksm.c: dont WARN if page is still mapped in remove_stable_node() Greg Kroah-Hartman
2019-11-27 20:31 ` [PATCH 5.3 30/95] drm/amdgpu: disable gfxoff when using register read interface Greg Kroah-Hartman
2019-11-27 20:31 ` [PATCH 5.3 31/95] drm/amdgpu: disable gfxoff on original raven Greg Kroah-Hartman
2019-11-27 20:31 ` [PATCH 5.3 32/95] drm/amd/powerplay: issue no PPSMC_MSG_GetCurrPkgPwr on unsupported ASICs Greg Kroah-Hartman
2019-11-27 20:31 ` [PATCH 5.3 33/95] drm/i915: Dont oops in dumb_create ioctl if we have no crtcs Greg Kroah-Hartman
2019-11-27 20:31 ` [PATCH 5.3 34/95] drm/i915/pmu: "Frequency" is reported as accumulated cycles Greg Kroah-Hartman
2019-11-27 20:31 ` [PATCH 5.3 35/95] drm/i915/userptr: Try to acquire the page lock around set_page_dirty() Greg Kroah-Hartman
2019-11-27 20:31 ` [PATCH 5.3 36/95] Bluetooth: Fix invalid-free in bcsp_close() Greg Kroah-Hartman
2019-11-27 20:31 ` [PATCH 5.3 37/95] ath10k: restore QCA9880-AR1A (v1) detection Greg Kroah-Hartman
2019-11-27 20:31 ` [PATCH 5.3 38/95] ath10k: Fix HOST capability QMI incompatibility Greg Kroah-Hartman
2019-11-27 20:31 ` [PATCH 5.3 39/95] ath10k: Fix a NULL-ptr-deref bug in ath10k_usb_alloc_urb_from_pipe Greg Kroah-Hartman
2019-11-27 20:31 ` [PATCH 5.3 40/95] ath9k_hw: fix uninitialized variable data Greg Kroah-Hartman
2019-11-27 20:31 ` [PATCH 5.3 41/95] Revert "Bluetooth: hci_ll: set operational frequency earlier" Greg Kroah-Hartman
2019-11-27 20:31 ` [PATCH 5.3 42/95] Revert "dm crypt: use WQ_HIGHPRI for the IO and crypt workqueues" Greg Kroah-Hartman
2019-11-27 20:32 ` [PATCH 5.3 43/95] md/raid10: prevent access of uninitialized resync_pages offset Greg Kroah-Hartman
2019-11-27 20:32 ` [PATCH 5.3 44/95] mdio_bus: Fix init if CONFIG_RESET_CONTROLLER=n Greg Kroah-Hartman
2019-11-27 20:32 ` [PATCH 5.3 45/95] ARM: 8904/1: skip nomap memblocks while finding the lowmem/highmem boundary Greg Kroah-Hartman
2019-11-27 20:32 ` [PATCH 5.3 46/95] x86/insn: Fix awk regexp warnings Greg Kroah-Hartman
2019-11-27 20:32 ` [PATCH 5.3 47/95] x86/speculation: Fix incorrect MDS/TAA mitigation status Greg Kroah-Hartman
2019-11-27 20:32 ` [PATCH 5.3 48/95] x86/speculation: Fix redundant MDS mitigation message Greg Kroah-Hartman
2019-11-27 20:32 ` [PATCH 5.3 49/95] nbd: prevent memory leak Greg Kroah-Hartman
2019-11-27 20:32 ` [PATCH 5.3 50/95] gve: fix dma sync bug where not all pages synced Greg Kroah-Hartman
2019-11-27 20:32 ` [PATCH 5.3 51/95] x86/stackframe/32: Repair 32-bit Xen PV Greg Kroah-Hartman
2019-11-27 20:32 ` [PATCH 5.3 52/95] x86/xen/32: Make xen_iret_crit_fixup() independent of frame layout Greg Kroah-Hartman
2019-11-27 20:32 ` [PATCH 5.3 53/95] x86/xen/32: Simplify ring check in xen_iret_crit_fixup() Greg Kroah-Hartman
2019-11-27 20:32 ` [PATCH 5.3 54/95] x86/doublefault/32: Fix stack canaries in the double fault handler Greg Kroah-Hartman
2019-11-27 20:32 ` [PATCH 5.3 55/95] x86/pti/32: Size initial_page_table correctly Greg Kroah-Hartman
2019-11-27 20:32 ` [PATCH 5.3 56/95] x86/cpu_entry_area: Add guard page for entry stack on 32bit Greg Kroah-Hartman
2019-11-27 20:32 ` [PATCH 5.3 57/95] x86/entry/32: Fix IRET exception Greg Kroah-Hartman
2019-11-27 20:32 ` [PATCH 5.3 58/95] x86/entry/32: Use %ss segment where required Greg Kroah-Hartman
2019-11-27 20:32 ` [PATCH 5.3 59/95] x86/entry/32: Move FIXUP_FRAME after pushing %fs in SAVE_ALL Greg Kroah-Hartman
2019-11-27 20:32 ` [PATCH 5.3 60/95] x86/entry/32: Unwind the ESPFIX stack earlier on exception entry Greg Kroah-Hartman
2019-11-27 20:32 ` [PATCH 5.3 61/95] x86/entry/32: Fix NMI vs ESPFIX Greg Kroah-Hartman
2019-11-27 20:32 ` [PATCH 5.3 62/95] selftests/x86/mov_ss_trap: Fix the SYSENTER test Greg Kroah-Hartman
2019-11-27 20:32 ` [PATCH 5.3 63/95] selftests/x86/sigreturn/32: Invalidate DS and ES when abusing the kernel Greg Kroah-Hartman
2019-11-27 20:32 ` [PATCH 5.3 64/95] x86/pti/32: Calculate the various PTI cpu_entry_area sizes correctly, make the CPU_ENTRY_AREA_PAGES assert precise Greg Kroah-Hartman
2019-11-27 20:32 ` [PATCH 5.3 65/95] x86/entry/32: Fix FIXUP_ESPFIX_STACK with user CR3 Greg Kroah-Hartman
2019-11-27 20:32 ` [PATCH 5.3 66/95] futex: Prevent robust futex exit race Greg Kroah-Hartman
2019-11-27 20:32 ` [PATCH 5.3 67/95] ALSA: usb-audio: Fix NULL dereference at parsing BADD Greg Kroah-Hartman
2019-11-27 20:32 ` [PATCH 5.3 68/95] nfc: port100: handle command failure cleanly Greg Kroah-Hartman
2019-11-27 20:32 ` Greg Kroah-Hartman [this message]
2019-11-27 20:32 ` [PATCH 5.3 70/95] media: vivid: Set vid_cap_streaming and vid_out_streaming to true Greg Kroah-Hartman
2019-11-27 20:32 ` [PATCH 5.3 71/95] media: vivid: Fix wrong locking that causes race conditions on streaming stop Greg Kroah-Hartman
2019-11-27 20:32 ` [PATCH 5.3 72/95] media: usbvision: Fix invalid accesses after device disconnect Greg Kroah-Hartman
2019-11-27 20:32 ` [PATCH 5.3 73/95] media: usbvision: Fix races among open, close, and disconnect Greg Kroah-Hartman
2019-11-27 20:32 ` [PATCH 5.3 74/95] cpufreq: Add NULL checks to show() and store() methods of cpufreq Greg Kroah-Hartman
2019-11-27 20:32 ` [PATCH 5.3 75/95] media: uvcvideo: Fix error path in control parsing failure Greg Kroah-Hartman
2019-11-27 20:32 ` [PATCH 5.3 76/95] media: b2c2-flexcop-usb: add sanity checking Greg Kroah-Hartman
2019-11-27 20:32 ` [PATCH 5.3 77/95] media: cxusb: detect cxusb_ctrl_msg error in query Greg Kroah-Hartman
2019-11-27 20:32 ` [PATCH 5.3 78/95] media: imon: invalid dereference in imon_touch_event Greg Kroah-Hartman
2019-11-27 20:32 ` [PATCH 5.3 79/95] media: mceusb: fix out of bounds read in MCE receiver buffer Greg Kroah-Hartman
2019-11-27 20:32 ` [PATCH 5.3 80/95] mm/slub.c: init_on_free=1 should wipe freelist ptr for bulk allocations Greg Kroah-Hartman
2019-11-27 20:32 ` [PATCH 5.3 81/95] USBIP: add config dependency for SGL_ALLOC Greg Kroah-Hartman
2019-11-27 20:32 ` [PATCH 5.3 82/95] usbip: tools: fix fd leakage in the function of read_attr_usbip_status Greg Kroah-Hartman
2019-11-27 20:32 ` [PATCH 5.3 83/95] usbip: Fix uninitialized symbol nents in stub_recv_cmd_submit() Greg Kroah-Hartman
2019-11-27 20:32 ` [PATCH 5.3 84/95] usb-serial: cp201x: support Mark-10 digital force gauge Greg Kroah-Hartman
2019-11-27 20:32 ` [PATCH 5.3 85/95] USB: chaoskey: fix error case of a timeout Greg Kroah-Hartman
2019-11-27 20:32 ` [PATCH 5.3 86/95] appledisplay: fix error handling in the scheduled work Greg Kroah-Hartman
2019-11-27 20:32 ` [PATCH 5.3 87/95] USB: serial: mos7840: add USB ID to support Moxa UPort 2210 Greg Kroah-Hartman
2019-11-27 20:32 ` [PATCH 5.3 88/95] USB: serial: mos7720: fix remote wakeup Greg Kroah-Hartman
2019-11-27 20:32 ` [PATCH 5.3 89/95] USB: serial: mos7840: " Greg Kroah-Hartman
2019-11-27 20:32 ` [PATCH 5.3 90/95] USB: serial: option: add support for DW5821e with eSIM support Greg Kroah-Hartman
2019-11-27 20:32 ` [PATCH 5.3 91/95] USB: serial: option: add support for Foxconn T77W968 LTE modules Greg Kroah-Hartman
2019-11-27 20:32 ` [PATCH 5.3 92/95] staging: comedi: usbduxfast: usbduxfast_ai_cmdtest rounding error Greg Kroah-Hartman
2019-11-27 20:32 ` [PATCH 5.3 93/95] powerpc/64s: support nospectre_v2 cmdline option Greg Kroah-Hartman
2019-11-27 20:32 ` [PATCH 5.3 94/95] powerpc/book3s64: Fix link stack flush on context switch Greg Kroah-Hartman
2019-11-27 20:32 ` [PATCH 5.3 95/95] KVM: PPC: Book3S HV: Flush link stack on guest exit to host kernel Greg Kroah-Hartman
2019-11-28  9:15 ` [PATCH 5.3 00/95] 5.3.14-stable review Jon Hunter
2019-11-28 10:36   ` Greg Kroah-Hartman
2019-11-28 12:03     ` Jon Hunter
2019-11-28 15:47 ` shuah
2019-11-28 15:59   ` Greg Kroah-Hartman
2019-11-28 23:56     ` shuah
2019-11-28 16:21 ` Guenter Roeck
2019-11-28 21:29 ` Daniel Díaz

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20191127202933.720832752@linuxfoundation.org \
    --to=gregkh@linuxfoundation.org \
    --cc=davem@davemloft.net \
    --cc=jouni.hogander@unikie.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=lukas.bulwahn@gmail.com \
    --cc=stable@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).