release/5.2.35/vlan-fix-memory-leak-in-vlan_dev_set_egress_priority.patch - pub/scm/linux/kernel/git/paulg/longterm-queue-5.2 - Git at Google

 From 5a7159e84a33f99fd80f640c70c7bc3011a36579 Mon Sep 17 00:00:00 2001
 From: Eric Dumazet <edumazet@google.com>
 Date: Tue, 7 Jan 2020 01:42:24 -0800
 Subject: [PATCH] vlan: fix memory leak in vlan_dev_set_egress_priority

 commit 9bbd917e0bec9aebdbd0c8dbc966caec15eb33e9 upstream.

 There are few cases where the ndo_uninit() handler might be not
 called if an error happens while device is initialized.

 Since vlan_newlink() calls vlan_changelink() before
 trying to register the netdevice, we need to make sure
 vlan_dev_uninit() has been called at least once,
 or we might leak allocated memory.

 BUG: memory leak
 unreferenced object 0xffff888122a206c0 (size 32):
   comm "syz-executor511", pid 7124, jiffies 4294950399 (age 32.240s)
   hex dump (first 32 bytes):
     00 00 00 00 00 00 61 73 00 00 00 00 00 00 00 00  ......as........
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   backtrace:
     [<000000000eb3bb85>] kmemleak_alloc_recursive include/linux/kmemleak.h:43 [inline]
     [<000000000eb3bb85>] slab_post_alloc_hook mm/slab.h:586 [inline]
     [<000000000eb3bb85>] slab_alloc mm/slab.c:3320 [inline]
     [<000000000eb3bb85>] kmem_cache_alloc_trace+0x145/0x2c0 mm/slab.c:3549
     [<000000007b99f620>] kmalloc include/linux/slab.h:556 [inline]
     [<000000007b99f620>] vlan_dev_set_egress_priority+0xcc/0x150 net/8021q/vlan_dev.c:194
     [<000000007b0cb745>] vlan_changelink+0xd6/0x140 net/8021q/vlan_netlink.c:126
     [<0000000065aba83a>] vlan_newlink+0x135/0x200 net/8021q/vlan_netlink.c:181
     [<00000000fb5dd7a2>] __rtnl_newlink+0x89a/0xb80 net/core/rtnetlink.c:3305
     [<00000000ae4273a1>] rtnl_newlink+0x4e/0x80 net/core/rtnetlink.c:3363
     [<00000000decab39f>] rtnetlink_rcv_msg+0x178/0x4b0 net/core/rtnetlink.c:5424
     [<00000000accba4ee>] netlink_rcv_skb+0x61/0x170 net/netlink/af_netlink.c:2477
     [<00000000319fe20f>] rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:5442
     [<00000000d51938dc>] netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline]
     [<00000000d51938dc>] netlink_unicast+0x223/0x310 net/netlink/af_netlink.c:1328
     [<00000000e539ac79>] netlink_sendmsg+0x2c0/0x570 net/netlink/af_netlink.c:1917
     [<000000006250c27e>] sock_sendmsg_nosec net/socket.c:639 [inline]
     [<000000006250c27e>] sock_sendmsg+0x54/0x70 net/socket.c:659
     [<00000000e2a156d1>] ____sys_sendmsg+0x2d0/0x300 net/socket.c:2330
     [<000000008c87466e>] ___sys_sendmsg+0x8a/0xd0 net/socket.c:2384
     [<00000000110e3054>] __sys_sendmsg+0x80/0xf0 net/socket.c:2417
     [<00000000d71077c8>] __do_sys_sendmsg net/socket.c:2426 [inline]
     [<00000000d71077c8>] __se_sys_sendmsg net/socket.c:2424 [inline]
     [<00000000d71077c8>] __x64_sys_sendmsg+0x23/0x30 net/socket.c:2424

 Fixe: 07b5b17e157b ("[VLAN]: Use rtnl_link API")
 Signed-off-by: Eric Dumazet <edumazet@google.com>
 Reported-by: syzbot <syzkaller@googlegroups.com>
 Signed-off-by: David S. Miller <davem@davemloft.net>
 Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>

 diff --git a/net/8021q/vlan.h b/net/8021q/vlan.h
 index c46daf09a501..bb7ec1a3915d 100644
 --- a/net/8021q/vlan.h
 +++ b/net/8021q/vlan.h
 @@ -126,6 +126,7 @@ int vlan_check_real_dev(struct net_device *real_dev,
  void vlan_setup(struct net_device *dev);
  int register_vlan_dev(struct net_device *dev, struct netlink_ext_ack *extack);
  void unregister_vlan_dev(struct net_device *dev, struct list_head *head);
 +void vlan_dev_uninit(struct net_device *dev);
  bool vlan_dev_inherit_address(struct net_device *dev,
  			      struct net_device *real_dev);

 diff --git a/net/8021q/vlan_dev.c b/net/8021q/vlan_dev.c
 index a0b2d8b9def7..2ab1107ef19f 100644
 --- a/net/8021q/vlan_dev.c
 +++ b/net/8021q/vlan_dev.c
 @@ -617,7 +617,8 @@ static int vlan_dev_init(struct net_device *dev)
  	return 0;
  }

 -static void vlan_dev_uninit(struct net_device *dev)
 +/* Note: this function might be called multiple times for the same device. */
 +void vlan_dev_uninit(struct net_device *dev)
  {
  	struct vlan_priority_tci_mapping *pm;
  	struct vlan_dev_priv *vlan = vlan_dev_priv(dev);
 diff --git a/net/8021q/vlan_netlink.c b/net/8021q/vlan_netlink.c
 index c482a6fe9393..b2a4b8b5a0cd 100644
 --- a/net/8021q/vlan_netlink.c
 +++ b/net/8021q/vlan_netlink.c
 @@ -179,10 +179,11 @@ static int vlan_newlink(struct net *src_net, struct net_device *dev,
  		return -EINVAL;

  	err = vlan_changelink(dev, tb, data, extack);
 -	if (err < 0)
 -		return err;
 -
 -	return register_vlan_dev(dev, extack);
 +	if (!err)
 +		err = register_vlan_dev(dev, extack);
 +	if (err)
 +		vlan_dev_uninit(dev);
 +	return err;
  }

  static inline size_t vlan_qos_map_size(unsigned int n)
 --
 2.7.4
	From 5a7159e84a33f99fd80f640c70c7bc3011a36579 Mon Sep 17 00:00:00 2001
	From: Eric Dumazet <edumazet@google.com>
	Date: Tue, 7 Jan 2020 01:42:24 -0800
	Subject: [PATCH] vlan: fix memory leak in vlan_dev_set_egress_priority

	commit 9bbd917e0bec9aebdbd0c8dbc966caec15eb33e9 upstream.

	There are few cases where the ndo_uninit() handler might be not
	called if an error happens while device is initialized.

	Since vlan_newlink() calls vlan_changelink() before
	trying to register the netdevice, we need to make sure
	vlan_dev_uninit() has been called at least once,
	or we might leak allocated memory.

	BUG: memory leak
	unreferenced object 0xffff888122a206c0 (size 32):
	comm "syz-executor511", pid 7124, jiffies 4294950399 (age 32.240s)
	hex dump (first 32 bytes):
	00 00 00 00 00 00 61 73 00 00 00 00 00 00 00 00 ......as........
	00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
	backtrace:
	[<000000000eb3bb85>] kmemleak_alloc_recursive include/linux/kmemleak.h:43 [inline]
	[<000000000eb3bb85>] slab_post_alloc_hook mm/slab.h:586 [inline]
	[<000000000eb3bb85>] slab_alloc mm/slab.c:3320 [inline]
	[<000000000eb3bb85>] kmem_cache_alloc_trace+0x145/0x2c0 mm/slab.c:3549
	[<000000007b99f620>] kmalloc include/linux/slab.h:556 [inline]
	[<000000007b99f620>] vlan_dev_set_egress_priority+0xcc/0x150 net/8021q/vlan_dev.c:194
	[<000000007b0cb745>] vlan_changelink+0xd6/0x140 net/8021q/vlan_netlink.c:126
	[<0000000065aba83a>] vlan_newlink+0x135/0x200 net/8021q/vlan_netlink.c:181
	[<00000000fb5dd7a2>] __rtnl_newlink+0x89a/0xb80 net/core/rtnetlink.c:3305
	[<00000000ae4273a1>] rtnl_newlink+0x4e/0x80 net/core/rtnetlink.c:3363
	[<00000000decab39f>] rtnetlink_rcv_msg+0x178/0x4b0 net/core/rtnetlink.c:5424
	[<00000000accba4ee>] netlink_rcv_skb+0x61/0x170 net/netlink/af_netlink.c:2477
	[<00000000319fe20f>] rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:5442
	[<00000000d51938dc>] netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline]
	[<00000000d51938dc>] netlink_unicast+0x223/0x310 net/netlink/af_netlink.c:1328
	[<00000000e539ac79>] netlink_sendmsg+0x2c0/0x570 net/netlink/af_netlink.c:1917
	[<000000006250c27e>] sock_sendmsg_nosec net/socket.c:639 [inline]
	[<000000006250c27e>] sock_sendmsg+0x54/0x70 net/socket.c:659
	[<00000000e2a156d1>] ____sys_sendmsg+0x2d0/0x300 net/socket.c:2330
	[<000000008c87466e>] ___sys_sendmsg+0x8a/0xd0 net/socket.c:2384
	[<00000000110e3054>] __sys_sendmsg+0x80/0xf0 net/socket.c:2417
	[<00000000d71077c8>] __do_sys_sendmsg net/socket.c:2426 [inline]
	[<00000000d71077c8>] __se_sys_sendmsg net/socket.c:2424 [inline]
	[<00000000d71077c8>] __x64_sys_sendmsg+0x23/0x30 net/socket.c:2424

	Fixe: 07b5b17e157b ("[VLAN]: Use rtnl_link API")
	Signed-off-by: Eric Dumazet <edumazet@google.com>
	Reported-by: syzbot <syzkaller@googlegroups.com>
	Signed-off-by: David S. Miller <davem@davemloft.net>
	Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>

	diff --git a/net/8021q/vlan.h b/net/8021q/vlan.h
	index c46daf09a501..bb7ec1a3915d 100644
	--- a/net/8021q/vlan.h
	+++ b/net/8021q/vlan.h
	@@ -126,6 +126,7 @@ int vlan_check_real_dev(struct net_device *real_dev,
	void vlan_setup(struct net_device *dev);
	int register_vlan_dev(struct net_device dev, struct netlink_ext_ack extack);
	void unregister_vlan_dev(struct net_device dev, struct list_head head);
	+void vlan_dev_uninit(struct net_device *dev);
	bool vlan_dev_inherit_address(struct net_device *dev,
	struct net_device *real_dev);

	diff --git a/net/8021q/vlan_dev.c b/net/8021q/vlan_dev.c
	index a0b2d8b9def7..2ab1107ef19f 100644
	--- a/net/8021q/vlan_dev.c
	+++ b/net/8021q/vlan_dev.c
	@@ -617,7 +617,8 @@ static int vlan_dev_init(struct net_device *dev)
	return 0;
	}

	-static void vlan_dev_uninit(struct net_device *dev)
	+/* Note: this function might be called multiple times for the same device. */
	+void vlan_dev_uninit(struct net_device *dev)
	{
	struct vlan_priority_tci_mapping *pm;
	struct vlan_dev_priv *vlan = vlan_dev_priv(dev);
	diff --git a/net/8021q/vlan_netlink.c b/net/8021q/vlan_netlink.c
	index c482a6fe9393..b2a4b8b5a0cd 100644
	--- a/net/8021q/vlan_netlink.c
	+++ b/net/8021q/vlan_netlink.c
	@@ -179,10 +179,11 @@ static int vlan_newlink(struct net src_net, struct net_device dev,
	return -EINVAL;

	err = vlan_changelink(dev, tb, data, extack);
	- if (err < 0)
	- return err;
	-
	- return register_vlan_dev(dev, extack);
	+ if (!err)
	+ err = register_vlan_dev(dev, extack);
	+ if (err)
	+ vlan_dev_uninit(dev);
	+ return err;
	}

	static inline size_t vlan_qos_map_size(unsigned int n)
	--
	2.7.4