releases/4.4.16/ipv6-fix-mem-leak-in-rt6i_pcpu.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From foo@baz Thu Jul 14 07:36:31 JST 2016
 From: Martin KaFai Lau <kafai@fb.com>
 Date: Tue, 5 Jul 2016 12:10:23 -0700
 Subject: ipv6: Fix mem leak in rt6i_pcpu

 From: Martin KaFai Lau <kafai@fb.com>

 [ Upstream commit 903ce4abdf374e3365d93bcb3df56c62008835ba ]

 It was first reported and reproduced by Petr (thanks!) in
 https://bugzilla.kernel.org/show_bug.cgi?id=119581

 free_percpu(rt->rt6i_pcpu) used to always happen in ip6_dst_destroy().

 However, after fixing a deadlock bug in
 commit 9c7370a166b4 ("ipv6: Fix a potential deadlock when creating pcpu rt"),
 free_percpu() is not called before setting non_pcpu_rt->rt6i_pcpu to NULL.

 It is worth to note that rt6i_pcpu is protected by table->tb6_lock.

 kmemleak somehow did not report it.  We nailed it down by
 observing the pcpu entries in /proc/vmallocinfo (first suggested
 by Hannes, thanks!).

 Signed-off-by: Martin KaFai Lau <kafai@fb.com>
 Fixes: 9c7370a166b4 ("ipv6: Fix a potential deadlock when creating pcpu rt")
 Reported-by: Petr Novopashenniy <pety@rusnet.ru>
 Tested-by: Petr Novopashenniy <pety@rusnet.ru>
 Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
 Cc: Hannes Frederic Sowa <hannes@stressinduktion.org>
 Cc: Petr Novopashenniy <pety@rusnet.ru>
 Signed-off-by: David S. Miller <davem@davemloft.net>
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 ---
  net/ipv6/ip6_fib.c |    1 +
  1 file changed, 1 insertion(+)

 --- a/net/ipv6/ip6_fib.c
 +++ b/net/ipv6/ip6_fib.c
 @@ -179,6 +179,7 @@ static void rt6_free_pcpu(struct rt6_inf
  		}
  	}

 +	free_percpu(non_pcpu_rt->rt6i_pcpu);
  	non_pcpu_rt->rt6i_pcpu = NULL;
  }
	From foo@baz Thu Jul 14 07:36:31 JST 2016
	From: Martin KaFai Lau <kafai@fb.com>
	Date: Tue, 5 Jul 2016 12:10:23 -0700
	Subject: ipv6: Fix mem leak in rt6i_pcpu

	From: Martin KaFai Lau <kafai@fb.com>

	[ Upstream commit 903ce4abdf374e3365d93bcb3df56c62008835ba ]

	It was first reported and reproduced by Petr (thanks!) in
	https://bugzilla.kernel.org/show_bug.cgi?id=119581

	free_percpu(rt->rt6i_pcpu) used to always happen in ip6_dst_destroy().

	However, after fixing a deadlock bug in
	commit 9c7370a166b4 ("ipv6: Fix a potential deadlock when creating pcpu rt"),
	free_percpu() is not called before setting non_pcpu_rt->rt6i_pcpu to NULL.

	It is worth to note that rt6i_pcpu is protected by table->tb6_lock.

	kmemleak somehow did not report it. We nailed it down by
	observing the pcpu entries in /proc/vmallocinfo (first suggested
	by Hannes, thanks!).

	Signed-off-by: Martin KaFai Lau <kafai@fb.com>
	Fixes: 9c7370a166b4 ("ipv6: Fix a potential deadlock when creating pcpu rt")
	Reported-by: Petr Novopashenniy <pety@rusnet.ru>
	Tested-by: Petr Novopashenniy <pety@rusnet.ru>
	Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
	Cc: Hannes Frederic Sowa <hannes@stressinduktion.org>
	Cc: Petr Novopashenniy <pety@rusnet.ru>
	Signed-off-by: David S. Miller <davem@davemloft.net>
	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	---
	net/ipv6/ip6_fib.c \| 1 +
	1 file changed, 1 insertion(+)

	--- a/net/ipv6/ip6_fib.c
	+++ b/net/ipv6/ip6_fib.c
	@@ -179,6 +179,7 @@ static void rt6_free_pcpu(struct rt6_inf
	}
	}

	+ free_percpu(non_pcpu_rt->rt6i_pcpu);
	non_pcpu_rt->rt6i_pcpu = NULL;
	}