mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
synced 2025-01-01 10:43:43 +00:00
sctp: fix memory leak in sctp_stream_outq_migrate()
When sctp_stream_outq_migrate() is called to release stream out resources,
the memory pointed to by prio_head in stream out is not released.
The memory leak information is as follows:
unreferenced object 0xffff88801fe79f80 (size 64):
comm "sctp_repo", pid 7957, jiffies 4294951704 (age 36.480s)
hex dump (first 32 bytes):
80 9f e7 1f 80 88 ff ff 80 9f e7 1f 80 88 ff ff ................
90 9f e7 1f 80 88 ff ff 90 9f e7 1f 80 88 ff ff ................
backtrace:
[<ffffffff81b215c6>] kmalloc_trace+0x26/0x60
[<ffffffff88ae517c>] sctp_sched_prio_set+0x4cc/0x770
[<ffffffff88ad64f2>] sctp_stream_init_ext+0xd2/0x1b0
[<ffffffff88aa2604>] sctp_sendmsg_to_asoc+0x1614/0x1a30
[<ffffffff88ab7ff1>] sctp_sendmsg+0xda1/0x1ef0
[<ffffffff87f765ed>] inet_sendmsg+0x9d/0xe0
[<ffffffff8754b5b3>] sock_sendmsg+0xd3/0x120
[<ffffffff8755446a>] __sys_sendto+0x23a/0x340
[<ffffffff87554651>] __x64_sys_sendto+0xe1/0x1b0
[<ffffffff89978b49>] do_syscall_64+0x39/0xb0
[<ffffffff89a0008b>] entry_SYSCALL_64_after_hwframe+0x63/0xcd
Link: https://syzkaller.appspot.com/bug?exrid=29c402e56c4760763cc0
Fixes: 637784ade2
("sctp: introduce priority based stream scheduler")
Reported-by: syzbot+29c402e56c4760763cc0@syzkaller.appspotmail.com
Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
Reviewed-by: Xin Long <lucien.xin@gmail.com>
Link: https://lore.kernel.org/r/20221126031720.378562-1-shaozhengchao@huawei.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
This commit is contained in:
parent
b85f628aa1
commit
9ed7bfc795
@ -26,6 +26,8 @@ struct sctp_sched_ops {
|
|||||||
int (*init)(struct sctp_stream *stream);
|
int (*init)(struct sctp_stream *stream);
|
||||||
/* Init a stream */
|
/* Init a stream */
|
||||||
int (*init_sid)(struct sctp_stream *stream, __u16 sid, gfp_t gfp);
|
int (*init_sid)(struct sctp_stream *stream, __u16 sid, gfp_t gfp);
|
||||||
|
/* free a stream */
|
||||||
|
void (*free_sid)(struct sctp_stream *stream, __u16 sid);
|
||||||
/* Frees the entire thing */
|
/* Frees the entire thing */
|
||||||
void (*free)(struct sctp_stream *stream);
|
void (*free)(struct sctp_stream *stream);
|
||||||
|
|
||||||
|
@ -52,6 +52,19 @@ static void sctp_stream_shrink_out(struct sctp_stream *stream, __u16 outcnt)
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static void sctp_stream_free_ext(struct sctp_stream *stream, __u16 sid)
|
||||||
|
{
|
||||||
|
struct sctp_sched_ops *sched;
|
||||||
|
|
||||||
|
if (!SCTP_SO(stream, sid)->ext)
|
||||||
|
return;
|
||||||
|
|
||||||
|
sched = sctp_sched_ops_from_stream(stream);
|
||||||
|
sched->free_sid(stream, sid);
|
||||||
|
kfree(SCTP_SO(stream, sid)->ext);
|
||||||
|
SCTP_SO(stream, sid)->ext = NULL;
|
||||||
|
}
|
||||||
|
|
||||||
/* Migrates chunks from stream queues to new stream queues if needed,
|
/* Migrates chunks from stream queues to new stream queues if needed,
|
||||||
* but not across associations. Also, removes those chunks to streams
|
* but not across associations. Also, removes those chunks to streams
|
||||||
* higher than the new max.
|
* higher than the new max.
|
||||||
@ -70,16 +83,14 @@ static void sctp_stream_outq_migrate(struct sctp_stream *stream,
|
|||||||
* sctp_stream_update will swap ->out pointers.
|
* sctp_stream_update will swap ->out pointers.
|
||||||
*/
|
*/
|
||||||
for (i = 0; i < outcnt; i++) {
|
for (i = 0; i < outcnt; i++) {
|
||||||
kfree(SCTP_SO(new, i)->ext);
|
sctp_stream_free_ext(new, i);
|
||||||
SCTP_SO(new, i)->ext = SCTP_SO(stream, i)->ext;
|
SCTP_SO(new, i)->ext = SCTP_SO(stream, i)->ext;
|
||||||
SCTP_SO(stream, i)->ext = NULL;
|
SCTP_SO(stream, i)->ext = NULL;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
for (i = outcnt; i < stream->outcnt; i++) {
|
for (i = outcnt; i < stream->outcnt; i++)
|
||||||
kfree(SCTP_SO(stream, i)->ext);
|
sctp_stream_free_ext(stream, i);
|
||||||
SCTP_SO(stream, i)->ext = NULL;
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
static int sctp_stream_alloc_out(struct sctp_stream *stream, __u16 outcnt,
|
static int sctp_stream_alloc_out(struct sctp_stream *stream, __u16 outcnt,
|
||||||
@ -174,9 +185,9 @@ void sctp_stream_free(struct sctp_stream *stream)
|
|||||||
struct sctp_sched_ops *sched = sctp_sched_ops_from_stream(stream);
|
struct sctp_sched_ops *sched = sctp_sched_ops_from_stream(stream);
|
||||||
int i;
|
int i;
|
||||||
|
|
||||||
sched->free(stream);
|
sched->unsched_all(stream);
|
||||||
for (i = 0; i < stream->outcnt; i++)
|
for (i = 0; i < stream->outcnt; i++)
|
||||||
kfree(SCTP_SO(stream, i)->ext);
|
sctp_stream_free_ext(stream, i);
|
||||||
genradix_free(&stream->out);
|
genradix_free(&stream->out);
|
||||||
genradix_free(&stream->in);
|
genradix_free(&stream->in);
|
||||||
}
|
}
|
||||||
|
@ -46,6 +46,10 @@ static int sctp_sched_fcfs_init_sid(struct sctp_stream *stream, __u16 sid,
|
|||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static void sctp_sched_fcfs_free_sid(struct sctp_stream *stream, __u16 sid)
|
||||||
|
{
|
||||||
|
}
|
||||||
|
|
||||||
static void sctp_sched_fcfs_free(struct sctp_stream *stream)
|
static void sctp_sched_fcfs_free(struct sctp_stream *stream)
|
||||||
{
|
{
|
||||||
}
|
}
|
||||||
@ -96,6 +100,7 @@ static struct sctp_sched_ops sctp_sched_fcfs = {
|
|||||||
.get = sctp_sched_fcfs_get,
|
.get = sctp_sched_fcfs_get,
|
||||||
.init = sctp_sched_fcfs_init,
|
.init = sctp_sched_fcfs_init,
|
||||||
.init_sid = sctp_sched_fcfs_init_sid,
|
.init_sid = sctp_sched_fcfs_init_sid,
|
||||||
|
.free_sid = sctp_sched_fcfs_free_sid,
|
||||||
.free = sctp_sched_fcfs_free,
|
.free = sctp_sched_fcfs_free,
|
||||||
.enqueue = sctp_sched_fcfs_enqueue,
|
.enqueue = sctp_sched_fcfs_enqueue,
|
||||||
.dequeue = sctp_sched_fcfs_dequeue,
|
.dequeue = sctp_sched_fcfs_dequeue,
|
||||||
|
@ -204,6 +204,24 @@ static int sctp_sched_prio_init_sid(struct sctp_stream *stream, __u16 sid,
|
|||||||
return sctp_sched_prio_set(stream, sid, 0, gfp);
|
return sctp_sched_prio_set(stream, sid, 0, gfp);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static void sctp_sched_prio_free_sid(struct sctp_stream *stream, __u16 sid)
|
||||||
|
{
|
||||||
|
struct sctp_stream_priorities *prio = SCTP_SO(stream, sid)->ext->prio_head;
|
||||||
|
int i;
|
||||||
|
|
||||||
|
if (!prio)
|
||||||
|
return;
|
||||||
|
|
||||||
|
SCTP_SO(stream, sid)->ext->prio_head = NULL;
|
||||||
|
for (i = 0; i < stream->outcnt; i++) {
|
||||||
|
if (SCTP_SO(stream, i)->ext &&
|
||||||
|
SCTP_SO(stream, i)->ext->prio_head == prio)
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
kfree(prio);
|
||||||
|
}
|
||||||
|
|
||||||
static void sctp_sched_prio_free(struct sctp_stream *stream)
|
static void sctp_sched_prio_free(struct sctp_stream *stream)
|
||||||
{
|
{
|
||||||
struct sctp_stream_priorities *prio, *n;
|
struct sctp_stream_priorities *prio, *n;
|
||||||
@ -323,6 +341,7 @@ static struct sctp_sched_ops sctp_sched_prio = {
|
|||||||
.get = sctp_sched_prio_get,
|
.get = sctp_sched_prio_get,
|
||||||
.init = sctp_sched_prio_init,
|
.init = sctp_sched_prio_init,
|
||||||
.init_sid = sctp_sched_prio_init_sid,
|
.init_sid = sctp_sched_prio_init_sid,
|
||||||
|
.free_sid = sctp_sched_prio_free_sid,
|
||||||
.free = sctp_sched_prio_free,
|
.free = sctp_sched_prio_free,
|
||||||
.enqueue = sctp_sched_prio_enqueue,
|
.enqueue = sctp_sched_prio_enqueue,
|
||||||
.dequeue = sctp_sched_prio_dequeue,
|
.dequeue = sctp_sched_prio_dequeue,
|
||||||
|
@ -90,6 +90,10 @@ static int sctp_sched_rr_init_sid(struct sctp_stream *stream, __u16 sid,
|
|||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static void sctp_sched_rr_free_sid(struct sctp_stream *stream, __u16 sid)
|
||||||
|
{
|
||||||
|
}
|
||||||
|
|
||||||
static void sctp_sched_rr_free(struct sctp_stream *stream)
|
static void sctp_sched_rr_free(struct sctp_stream *stream)
|
||||||
{
|
{
|
||||||
sctp_sched_rr_unsched_all(stream);
|
sctp_sched_rr_unsched_all(stream);
|
||||||
@ -177,6 +181,7 @@ static struct sctp_sched_ops sctp_sched_rr = {
|
|||||||
.get = sctp_sched_rr_get,
|
.get = sctp_sched_rr_get,
|
||||||
.init = sctp_sched_rr_init,
|
.init = sctp_sched_rr_init,
|
||||||
.init_sid = sctp_sched_rr_init_sid,
|
.init_sid = sctp_sched_rr_init_sid,
|
||||||
|
.free_sid = sctp_sched_rr_free_sid,
|
||||||
.free = sctp_sched_rr_free,
|
.free = sctp_sched_rr_free,
|
||||||
.enqueue = sctp_sched_rr_enqueue,
|
.enqueue = sctp_sched_rr_enqueue,
|
||||||
.dequeue = sctp_sched_rr_dequeue,
|
.dequeue = sctp_sched_rr_dequeue,
|
||||||
|
Loading…
Reference in New Issue
Block a user