From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Fedor Pchelkin <pchelkin@ispras.ru>,
Alexey Khoroshilov <khoroshilov@ispras.ru>,
Eelco Chaudron <echaudro@redhat.com>,
Simon Horman <simon.horman@corigine.com>,
Jakub Kicinski <kuba@kernel.org>, Sasha Levin <sashal@kernel.org>
Subject: [PATCH 4.14 07/53] net: openvswitch: fix flow memory leak in ovs_flow_cmd_new
Date: Mon, 20 Feb 2023 14:35:33 +0100 [thread overview]
Message-ID: <20230220133548.440527348@linuxfoundation.org> (raw)
In-Reply-To: <20230220133548.158615609@linuxfoundation.org>
From: Fedor Pchelkin <pchelkin@ispras.ru>
[ Upstream commit 0c598aed445eb45b0ee7ba405f7ece99ee349c30 ]
Syzkaller reports a memory leak of new_flow in ovs_flow_cmd_new() as it is
not freed when an allocation of a key fails.
BUG: memory leak
unreferenced object 0xffff888116668000 (size 632):
comm "syz-executor231", pid 1090, jiffies 4294844701 (age 18.871s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<00000000defa3494>] kmem_cache_zalloc include/linux/slab.h:654 [inline]
[<00000000defa3494>] ovs_flow_alloc+0x19/0x180 net/openvswitch/flow_table.c:77
[<00000000c67d8873>] ovs_flow_cmd_new+0x1de/0xd40 net/openvswitch/datapath.c:957
[<0000000010a539a8>] genl_family_rcv_msg_doit+0x22d/0x330 net/netlink/genetlink.c:739
[<00000000dff3302d>] genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]
[<00000000dff3302d>] genl_rcv_msg+0x328/0x590 net/netlink/genetlink.c:800
[<000000000286dd87>] netlink_rcv_skb+0x153/0x430 net/netlink/af_netlink.c:2515
[<0000000061fed410>] genl_rcv+0x24/0x40 net/netlink/genetlink.c:811
[<000000009dc0f111>] netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline]
[<000000009dc0f111>] netlink_unicast+0x545/0x7f0 net/netlink/af_netlink.c:1339
[<000000004a5ee816>] netlink_sendmsg+0x8e7/0xde0 net/netlink/af_netlink.c:1934
[<00000000482b476f>] sock_sendmsg_nosec net/socket.c:651 [inline]
[<00000000482b476f>] sock_sendmsg+0x152/0x190 net/socket.c:671
[<00000000698574ba>] ____sys_sendmsg+0x70a/0x870 net/socket.c:2356
[<00000000d28d9e11>] ___sys_sendmsg+0xf3/0x170 net/socket.c:2410
[<0000000083ba9120>] __sys_sendmsg+0xe5/0x1b0 net/socket.c:2439
[<00000000c00628f8>] do_syscall_64+0x30/0x40 arch/x86/entry/common.c:46
[<000000004abfdcf4>] entry_SYSCALL_64_after_hwframe+0x61/0xc6
To fix this the patch rearranges the goto labels to reflect the order of
object allocations and adds appropriate goto statements on the error
paths.
Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
Fixes: 68bb10101e6b ("openvswitch: Fix flow lookup to use unmasked key")
Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
Acked-by: Eelco Chaudron <echaudro@redhat.com>
Reviewed-by: Simon Horman <simon.horman@corigine.com>
Link: https://lore.kernel.org/r/20230201210218.361970-1-pchelkin@ispras.ru
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/openvswitch/datapath.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/net/openvswitch/datapath.c b/net/openvswitch/datapath.c
index 8598bc101244..3ae4ccb9895d 100644
--- a/net/openvswitch/datapath.c
+++ b/net/openvswitch/datapath.c
@@ -961,14 +961,14 @@ static int ovs_flow_cmd_new(struct sk_buff *skb, struct genl_info *info)
key = kzalloc(sizeof(*key), GFP_KERNEL);
if (!key) {
error = -ENOMEM;
- goto err_kfree_key;
+ goto err_kfree_flow;
}
ovs_match_init(&match, key, false, &mask);
error = ovs_nla_get_match(net, &match, a[OVS_FLOW_ATTR_KEY],
a[OVS_FLOW_ATTR_MASK], log);
if (error)
- goto err_kfree_flow;
+ goto err_kfree_key;
ovs_flow_mask_key(&new_flow->key, key, true, &mask);
@@ -976,14 +976,14 @@ static int ovs_flow_cmd_new(struct sk_buff *skb, struct genl_info *info)
error = ovs_nla_get_identifier(&new_flow->id, a[OVS_FLOW_ATTR_UFID],
key, log);
if (error)
- goto err_kfree_flow;
+ goto err_kfree_key;
/* Validate actions. */
error = ovs_nla_copy_actions(net, a[OVS_FLOW_ATTR_ACTIONS],
&new_flow->key, &acts, log);
if (error) {
OVS_NLERR(log, "Flow actions may not be safe on all matching packets.");
- goto err_kfree_flow;
+ goto err_kfree_key;
}
reply = ovs_flow_cmd_alloc_info(acts, &new_flow->id, info, false,
@@ -1083,10 +1083,10 @@ static int ovs_flow_cmd_new(struct sk_buff *skb, struct genl_info *info)
kfree_skb(reply);
err_kfree_acts:
ovs_nla_free_flow_actions(acts);
-err_kfree_flow:
- ovs_flow_free(new_flow, false);
err_kfree_key:
kfree(key);
+err_kfree_flow:
+ ovs_flow_free(new_flow, false);
error:
return error;
}
--
2.39.0
next prev parent reply other threads:[~2023-02-20 13:38 UTC|newest]
Thread overview: 57+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-02-20 13:35 [PATCH 4.14 00/53] 4.14.306-rc1 review Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 01/53] firewire: fix memory leak for payload of request subaction to IEC 61883-1 FCP region Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 02/53] bus: sunxi-rsb: Fix error handling in sunxi_rsb_init() Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 03/53] ALSA: hda/via: Avoid potential array out-of-bound in add_secret_dac_path() Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 04/53] netrom: Fix use-after-free caused by accept on already connected socket Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 05/53] squashfs: harden sanity check in squashfs_read_xattr_id_table Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 06/53] sctp: do not check hb_timer.expires when resetting hb_timer Greg Kroah-Hartman
2023-02-20 13:35 ` Greg Kroah-Hartman [this message]
2023-02-20 13:35 ` [PATCH 4.14 08/53] scsi: target: core: Fix warning on RT kernels Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 09/53] scsi: iscsi_tcp: Fix UAF during login when accessing the shost ipaddress Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 10/53] net/x25: Fix to not accept on connected socket Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 11/53] usb: gadget: f_fs: Fix unbalanced spinlock in __ffs_ep0_queue_wait Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 12/53] fbcon: Check font dimension limits Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 13/53] watchdog: diag288_wdt: do not use stack buffers for hardware data Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 14/53] watchdog: diag288_wdt: fix __diag288() inline assembly Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 15/53] efi: Accept version 2 of memory attributes table Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 16/53] iio: hid: fix the retval in accel_3d_capture_sample Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 17/53] iio: adc: berlin2-adc: Add missing of_node_put() in error path Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 18/53] iio:adc:twl6030: Enable measurements of VUSB, VBAT and others Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 19/53] parisc: Fix return code of pdc_iodc_print() Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 20/53] parisc: Wire up PTRACE_GETREGS/PTRACE_SETREGS for compat case Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 21/53] mm: hugetlb: proc: check for hugetlb shared PMD in /proc/PID/smaps Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 22/53] mm/swapfile: add cond_resched() in get_swap_pages() Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 23/53] Squashfs: fix handling and sanity checking of xattr_ids count Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 24/53] serial: 8250_dma: Fix DMA Rx completion race Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 25/53] serial: 8250_dma: Fix DMA Rx rearm race Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 26/53] btrfs: limit device extents to the device size Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 27/53] ALSA: emux: Avoid potential array out-of-bound in snd_emux_xg_control() Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 28/53] ALSA: pci: lx6464es: fix a debug loop Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 29/53] pinctrl: aspeed: Fix confusing types in return value Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 30/53] pinctrl: single: fix potential NULL dereference Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 31/53] net: USB: Fix wrong-direction WARNING in plusb.c Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 32/53] usb: core: add quirk for Alcor Link AK9563 smartcard reader Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 33/53] migrate: hugetlb: check for hugetlb shared PMD in node migration Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.14 34/53] tools/virtio: fix the vringh test for virtio ring changes Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.14 35/53] net/rose: Fix to not accept on connected socket Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.14 36/53] nvme-fc: fix a missing queue put in nvmet_fc_ls_create_association Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.14 37/53] aio: fix mremap after fork null-deref Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.14 38/53] Revert "x86/fpu: Use _Alignof to avoid undefined behavior in TYPE_ALIGN" Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.14 39/53] mmc: sdio: fix possible resource leaks in some error paths Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.14 40/53] ALSA: hda/conexant: add a new hda codec SN6180 Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.14 41/53] hugetlb: check for undefined shift on 32 bit architectures Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.14 42/53] revert "squashfs: harden sanity check in squashfs_read_xattr_id_table" Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.14 43/53] i40e: add double of VLAN header when computing the max MTU Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.14 44/53] net: bgmac: fix BCM5358 support by setting correct flags Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.14 45/53] dccp/tcp: Avoid negative sk_forward_alloc by ipv6_pinfo.pktoptions Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.14 46/53] net/usb: kalmia: Dont pass act_len in usb_bulk_msg error path Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.14 47/53] net: stmmac: Restrict warning on disabling DMA store and fwd mode Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.14 48/53] net: mpls: fix stale pointer if allocation fails during device rename Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.14 49/53] ipv6: Fix datagram socket connection with DSCP Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.14 50/53] ipv6: Fix tcp " Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.14 51/53] i40e: Add checking for null for nlmsg_find_attr() Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.14 52/53] kvm: initialize all of the kvm_debugregs structure before sending it to userspace Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.14 53/53] nilfs2: fix underflow in second superblock position calculations Greg Kroah-Hartman
2023-02-21 12:41 ` [PATCH 4.14 00/53] 4.14.306-rc1 review Naresh Kamboju
2023-02-21 16:19 ` Guenter Roeck
2023-02-23 2:55 ` Slade Watkins
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230220133548.440527348@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=echaudro@redhat.com \
--cc=khoroshilov@ispras.ru \
--cc=kuba@kernel.org \
--cc=patches@lists.linux.dev \
--cc=pchelkin@ispras.ru \
--cc=sashal@kernel.org \
--cc=simon.horman@corigine.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).