| From 6fa3dbd6d86cc74c70bb69414e3a3d3b5c0640ef Mon Sep 17 00:00:00 2001 |
| From: Sasha Levin <sashal@kernel.org> |
| Date: Sat, 4 Jul 2020 15:54:19 +0200 |
| Subject: mac80211: mesh: Free pending skb when destroying a mpath |
| |
| From: Remi Pommarel <repk@triplefau.lt> |
| |
| [ Upstream commit 5e43540c2af0a0c0a18e39579b1ad49541f87506 ] |
| |
| A mpath object can hold reference on a list of skb that are waiting for |
| mpath resolution to be sent. When destroying a mpath this skb list |
| should be cleaned up in order to not leak memory. |
| |
| Fixing that kind of leak: |
| |
| unreferenced object 0xffff0000181c9300 (size 1088): |
| comm "openvpn", pid 1782, jiffies 4295071698 (age 80.416s) |
| hex dump (first 32 bytes): |
| 00 00 00 00 00 00 00 00 f9 80 36 00 00 00 00 00 ..........6..... |
| 02 00 07 40 00 00 00 00 00 00 00 00 00 00 00 00 ...@............ |
| backtrace: |
| [<000000004bc6a443>] kmem_cache_alloc+0x1a4/0x2f0 |
| [<000000002caaef13>] sk_prot_alloc.isra.39+0x34/0x178 |
| [<00000000ceeaa916>] sk_alloc+0x34/0x228 |
| [<00000000ca1f1d04>] inet_create+0x198/0x518 |
| [<0000000035626b1c>] __sock_create+0x134/0x328 |
| [<00000000a12b3a87>] __sys_socket+0xb0/0x158 |
| [<00000000ff859f23>] __arm64_sys_socket+0x40/0x58 |
| [<00000000263486ec>] el0_svc_handler+0xd0/0x1a0 |
| [<0000000005b5157d>] el0_svc+0x8/0xc |
| unreferenced object 0xffff000012973a40 (size 216): |
| comm "openvpn", pid 1782, jiffies 4295082137 (age 38.660s) |
| hex dump (first 32 bytes): |
| 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ |
| 00 c0 06 16 00 00 ff ff 00 93 1c 18 00 00 ff ff ................ |
| backtrace: |
| [<000000004bc6a443>] kmem_cache_alloc+0x1a4/0x2f0 |
| [<0000000023c8c8f9>] __alloc_skb+0xc0/0x2b8 |
| [<000000007ad950bb>] alloc_skb_with_frags+0x60/0x320 |
| [<00000000ef90023a>] sock_alloc_send_pskb+0x388/0x3c0 |
| [<00000000104fb1a3>] sock_alloc_send_skb+0x1c/0x28 |
| [<000000006919d2dd>] __ip_append_data+0xba4/0x11f0 |
| [<0000000083477587>] ip_make_skb+0x14c/0x1a8 |
| [<0000000024f3d592>] udp_sendmsg+0xaf0/0xcf0 |
| [<000000005aabe255>] inet_sendmsg+0x5c/0x80 |
| [<000000008651ea08>] __sys_sendto+0x15c/0x218 |
| [<000000003505c99b>] __arm64_sys_sendto+0x74/0x90 |
| [<00000000263486ec>] el0_svc_handler+0xd0/0x1a0 |
| [<0000000005b5157d>] el0_svc+0x8/0xc |
| |
| Fixes: 2bdaf386f99c (mac80211: mesh: move path tables into if_mesh) |
| Signed-off-by: Remi Pommarel <repk@triplefau.lt> |
| Link: https://lore.kernel.org/r/20200704135419.27703-1-repk@triplefau.lt |
| Signed-off-by: Johannes Berg <johannes.berg@intel.com> |
| Signed-off-by: Sasha Levin <sashal@kernel.org> |
| --- |
| net/mac80211/mesh_pathtbl.c | 1 + |
| 1 file changed, 1 insertion(+) |
| |
| diff --git a/net/mac80211/mesh_pathtbl.c b/net/mac80211/mesh_pathtbl.c |
| index 8c17d498df301..7c409ba1ddc74 100644 |
| --- a/net/mac80211/mesh_pathtbl.c |
| +++ b/net/mac80211/mesh_pathtbl.c |
| @@ -555,6 +555,7 @@ static void mesh_path_free_rcu(struct mesh_table *tbl, |
| del_timer_sync(&mpath->timer); |
| atomic_dec(&sdata->u.mesh.mpaths); |
| atomic_dec(&tbl->entries); |
| + mesh_path_flush_pending(mpath); |
| kfree_rcu(mpath, rcu); |
| } |
| |
| -- |
| 2.25.1 |
| |