]> git.ipfire.org Git - thirdparty/kernel/stable-queue.git/blob - queue-5.1/ipv4-igmp-fix-another-memory-leak-in-igmpv3_del_delrec.patch
projects / thirdparty / kernel / stable-queue.git / blob
? search:


ea66392b6de405f2be97ffc4bbbf8743a82bef9d
[thirdparty/kernel/stable-queue.git] / queue-5.1 / ipv4-igmp-fix-another-memory-leak-in-igmpv3_del_delrec.patch
1 From foo@baz Fri 31 May 2019 03:16:39 PM PDT
2 From: Eric Dumazet <edumazet@google.com>
3 Date: Wed, 22 May 2019 16:51:22 -0700
4 Subject: ipv4/igmp: fix another memory leak in igmpv3_del_delrec()
5
6 From: Eric Dumazet <edumazet@google.com>
7
8 [ Upstream commit 3580d04aa674383c42de7b635d28e52a1e5bc72c ]
9
10 syzbot reported memory leaks [1] that I have back tracked to
11 a missing cleanup from igmpv3_del_delrec() when
12 (im->sfmode != MCAST_INCLUDE)
13
14 Add ip_sf_list_clear_all() and kfree_pmc() helpers to explicitely
15 handle the cleanups before freeing.
16
17 [1]
18
19 BUG: memory leak
20 unreferenced object 0xffff888123e32b00 (size 64):
21 comm "softirq", pid 0, jiffies 4294942968 (age 8.010s)
22 hex dump (first 32 bytes):
23 00 00 00 00 00 00 00 00 e0 00 00 01 00 00 00 00 ................
24 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
25 backtrace:
26 [<000000006105011b>] kmemleak_alloc_recursive include/linux/kmemleak.h:55 [inline]
27 [<000000006105011b>] slab_post_alloc_hook mm/slab.h:439 [inline]
28 [<000000006105011b>] slab_alloc mm/slab.c:3326 [inline]
29 [<000000006105011b>] kmem_cache_alloc_trace+0x13d/0x280 mm/slab.c:3553
30 [<000000004bba8073>] kmalloc include/linux/slab.h:547 [inline]
31 [<000000004bba8073>] kzalloc include/linux/slab.h:742 [inline]
32 [<000000004bba8073>] ip_mc_add1_src net/ipv4/igmp.c:1961 [inline]
33 [<000000004bba8073>] ip_mc_add_src+0x36b/0x400 net/ipv4/igmp.c:2085
34 [<00000000a46a65a0>] ip_mc_msfilter+0x22d/0x310 net/ipv4/igmp.c:2475
35 [<000000005956ca89>] do_ip_setsockopt.isra.0+0x1795/0x1930 net/ipv4/ip_sockglue.c:957
36 [<00000000848e2d2f>] ip_setsockopt+0x3b/0xb0 net/ipv4/ip_sockglue.c:1246
37 [<00000000b9db185c>] udp_setsockopt+0x4e/0x90 net/ipv4/udp.c:2616
38 [<000000003028e438>] sock_common_setsockopt+0x38/0x50 net/core/sock.c:3130
39 [<0000000015b65589>] __sys_setsockopt+0x98/0x120 net/socket.c:2078
40 [<00000000ac198ef0>] __do_sys_setsockopt net/socket.c:2089 [inline]
41 [<00000000ac198ef0>] __se_sys_setsockopt net/socket.c:2086 [inline]
42 [<00000000ac198ef0>] __x64_sys_setsockopt+0x26/0x30 net/socket.c:2086
43 [<000000000a770437>] do_syscall_64+0x76/0x1a0 arch/x86/entry/common.c:301
44 [<00000000d3adb93b>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
45
46 Fixes: 9c8bb163ae78 ("igmp, mld: Fix memory leak in igmpv3/mld_del_delrec()")
47 Signed-off-by: Eric Dumazet <edumazet@google.com>
48 Cc: Hangbin Liu <liuhangbin@gmail.com>
49 Reported-by: syzbot <syzkaller@googlegroups.com>
50 Signed-off-by: David S. Miller <davem@davemloft.net>
51 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
52 ---
53 net/ipv4/igmp.c | 47 ++++++++++++++++++++++++++++++-----------------
54 1 file changed, 30 insertions(+), 17 deletions(-)
55
56 --- a/net/ipv4/igmp.c
57 +++ b/net/ipv4/igmp.c
58 @@ -633,6 +633,24 @@ static void igmpv3_clear_zeros(struct ip
59 }
60 }
61
62 +static void ip_sf_list_clear_all(struct ip_sf_list *psf)
63 +{
64 + struct ip_sf_list *next;
65 +
66 + while (psf) {
67 + next = psf->sf_next;
68 + kfree(psf);
69 + psf = next;
70 + }
71 +}
72 +
73 +static void kfree_pmc(struct ip_mc_list *pmc)
74 +{
75 + ip_sf_list_clear_all(pmc->sources);
76 + ip_sf_list_clear_all(pmc->tomb);
77 + kfree(pmc);
78 +}
79 +
80 static void igmpv3_send_cr(struct in_device *in_dev)
81 {
82 struct ip_mc_list *pmc, *pmc_prev, *pmc_next;
83 @@ -669,7 +687,7 @@ static void igmpv3_send_cr(struct in_dev
84 else
85 in_dev->mc_tomb = pmc_next;
86 in_dev_put(pmc->interface);
87 - kfree(pmc);
88 + kfree_pmc(pmc);
89 } else
90 pmc_prev = pmc;
91 }
92 @@ -1215,14 +1233,18 @@ static void igmpv3_del_delrec(struct in_
93 im->interface = pmc->interface;
94 if (im->sfmode == MCAST_INCLUDE) {
95 im->tomb = pmc->tomb;
96 + pmc->tomb = NULL;
97 +
98 im->sources = pmc->sources;
99 + pmc->sources = NULL;
100 +
101 for (psf = im->sources; psf; psf = psf->sf_next)
102 psf->sf_crcount = in_dev->mr_qrv ?: net->ipv4.sysctl_igmp_qrv;
103 } else {
104 im->crcount = in_dev->mr_qrv ?: net->ipv4.sysctl_igmp_qrv;
105 }
106 in_dev_put(pmc->interface);
107 - kfree(pmc);
108 + kfree_pmc(pmc);
109 }
110 spin_unlock_bh(&im->lock);
111 }
112 @@ -1243,21 +1265,18 @@ static void igmpv3_clear_delrec(struct i
113 nextpmc = pmc->next;
114 ip_mc_clear_src(pmc);
115 in_dev_put(pmc->interface);
116 - kfree(pmc);
117 + kfree_pmc(pmc);
118 }
119 /* clear dead sources, too */
120 rcu_read_lock();
121 for_each_pmc_rcu(in_dev, pmc) {
122 - struct ip_sf_list *psf, *psf_next;
123 + struct ip_sf_list *psf;
124
125 spin_lock_bh(&pmc->lock);
126 psf = pmc->tomb;
127 pmc->tomb = NULL;
128 spin_unlock_bh(&pmc->lock);
129 - for (; psf; psf = psf_next) {
130 - psf_next = psf->sf_next;
131 - kfree(psf);
132 - }
133 + ip_sf_list_clear_all(psf);
134 }
135 rcu_read_unlock();
136 }
137 @@ -2123,7 +2142,7 @@ static int ip_mc_add_src(struct in_devic
138
139 static void ip_mc_clear_src(struct ip_mc_list *pmc)
140 {
141 - struct ip_sf_list *psf, *nextpsf, *tomb, *sources;
142 + struct ip_sf_list *tomb, *sources;
143
144 spin_lock_bh(&pmc->lock);
145 tomb = pmc->tomb;
146 @@ -2135,14 +2154,8 @@ static void ip_mc_clear_src(struct ip_mc
147 pmc->sfcount[MCAST_EXCLUDE] = 1;
148 spin_unlock_bh(&pmc->lock);
149
150 - for (psf = tomb; psf; psf = nextpsf) {
151 - nextpsf = psf->sf_next;
152 - kfree(psf);
153 - }
154 - for (psf = sources; psf; psf = nextpsf) {
155 - nextpsf = psf->sf_next;
156 - kfree(psf);
157 - }
158 + ip_sf_list_clear_all(tomb);
159 + ip_sf_list_clear_all(sources);
160 }
161
162 /* Join a multicast group
Mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/stable-queue.git