Message ID | 20200810121658.54657-1-linmiaohe@huawei.com |
---|---|
State | Accepted |
Delegated to: | David Miller |
Headers | show |
Series | net: Fix potential memory leak in proto_register() | expand |
From: Miaohe Lin <linmiaohe@huawei.com> Date: Mon, 10 Aug 2020 08:16:58 -0400 > If we failed to assign proto idx, we free the twsk_slab_name but forget to > free the twsk_slab. Add a helper function tw_prot_cleanup() to free these > together and also use this helper function in proto_unregister(). > > Fixes: b45ce32135d1 ("sock: fix potential memory leak in proto_register()") > Signed-off-by: Miaohe Lin <linmiaohe@huawei.com> Applied and queued up for -stable, thanks.
On Mon, Aug 10, 2020 at 5:19 AM Miaohe Lin <linmiaohe@huawei.com> wrote: > > If we failed to assign proto idx, we free the twsk_slab_name but forget to > free the twsk_slab. Add a helper function tw_prot_cleanup() to free these > together and also use this helper function in proto_unregister(). > > Fixes: b45ce32135d1 ("sock: fix potential memory leak in proto_register()") > Signed-off-by: Miaohe Lin <linmiaohe@huawei.com> > --- > net/core/sock.c | 25 +++++++++++++++---------- > 1 file changed, 15 insertions(+), 10 deletions(-) > > diff --git a/net/core/sock.c b/net/core/sock.c > index 49cd5ffe673e..c9083ad44ea1 100644 > --- a/net/core/sock.c > +++ b/net/core/sock.c > @@ -3406,6 +3406,16 @@ static void sock_inuse_add(struct net *net, int val) > } > #endif > > +static void tw_prot_cleanup(struct timewait_sock_ops *twsk_prot) > +{ > + if (!twsk_prot) > + return; > + kfree(twsk_prot->twsk_slab_name); > + twsk_prot->twsk_slab_name = NULL; > + kmem_cache_destroy(twsk_prot->twsk_slab); Hmm, are you sure you can free the kmem cache name before kmem_cache_destroy()? To me, it seems kmem_cache_destroy() frees the name via slab_kmem_cache_release() via kfree_const(). With your patch, we have a double-free on the name? Or am I missing anything? Thanks.
From: Cong Wang <xiyou.wangcong@gmail.com> Date: Tue, 11 Aug 2020 16:02:51 -0700 >> @@ -3406,6 +3406,16 @@ static void sock_inuse_add(struct net *net, int val) >> } >> #endif >> >> +static void tw_prot_cleanup(struct timewait_sock_ops *twsk_prot) >> +{ >> + if (!twsk_prot) >> + return; >> + kfree(twsk_prot->twsk_slab_name); >> + twsk_prot->twsk_slab_name = NULL; >> + kmem_cache_destroy(twsk_prot->twsk_slab); > > Hmm, are you sure you can free the kmem cache name before > kmem_cache_destroy()? To me, it seems kmem_cache_destroy() > frees the name via slab_kmem_cache_release() via kfree_const(). > With your patch, we have a double-free on the name? > > Or am I missing anything? Yep, there is a double free here. Please fix this.
diff --git a/net/core/sock.c b/net/core/sock.c index 49cd5ffe673e..c9083ad44ea1 100644 --- a/net/core/sock.c +++ b/net/core/sock.c @@ -3406,6 +3406,16 @@ static void sock_inuse_add(struct net *net, int val) } #endif +static void tw_prot_cleanup(struct timewait_sock_ops *twsk_prot) +{ + if (!twsk_prot) + return; + kfree(twsk_prot->twsk_slab_name); + twsk_prot->twsk_slab_name = NULL; + kmem_cache_destroy(twsk_prot->twsk_slab); + twsk_prot->twsk_slab = NULL; +} + static void req_prot_cleanup(struct request_sock_ops *rsk_prot) { if (!rsk_prot) @@ -3476,7 +3486,7 @@ int proto_register(struct proto *prot, int alloc_slab) prot->slab_flags, NULL); if (prot->twsk_prot->twsk_slab == NULL) - goto out_free_timewait_sock_slab_name; + goto out_free_timewait_sock_slab; } } @@ -3484,15 +3494,15 @@ int proto_register(struct proto *prot, int alloc_slab) ret = assign_proto_idx(prot); if (ret) { mutex_unlock(&proto_list_mutex); - goto out_free_timewait_sock_slab_name; + goto out_free_timewait_sock_slab; } list_add(&prot->node, &proto_list); mutex_unlock(&proto_list_mutex); return ret; -out_free_timewait_sock_slab_name: +out_free_timewait_sock_slab: if (alloc_slab && prot->twsk_prot) - kfree(prot->twsk_prot->twsk_slab_name); + tw_prot_cleanup(prot->twsk_prot); out_free_request_sock_slab: if (alloc_slab) { req_prot_cleanup(prot->rsk_prot); @@ -3516,12 +3526,7 @@ void proto_unregister(struct proto *prot) prot->slab = NULL; req_prot_cleanup(prot->rsk_prot); - - if (prot->twsk_prot != NULL && prot->twsk_prot->twsk_slab != NULL) { - kmem_cache_destroy(prot->twsk_prot->twsk_slab); - kfree(prot->twsk_prot->twsk_slab_name); - prot->twsk_prot->twsk_slab = NULL; - } + tw_prot_cleanup(prot->twsk_prot); } EXPORT_SYMBOL(proto_unregister);
If we failed to assign proto idx, we free the twsk_slab_name but forget to free the twsk_slab. Add a helper function tw_prot_cleanup() to free these together and also use this helper function in proto_unregister(). Fixes: b45ce32135d1 ("sock: fix potential memory leak in proto_register()") Signed-off-by: Miaohe Lin <linmiaohe@huawei.com> --- net/core/sock.c | 25 +++++++++++++++---------- 1 file changed, 15 insertions(+), 10 deletions(-)