android_kernel_samsung_msm8976/net
Eric Dumazet c627e24f97 igmp: fix memory leak in igmpv3_del_delrec()
commit e5b1c6c6277d5a283290a8c033c72544746f9b5b upstream.

im->tomb and/or im->sources might not be NULL, but we
currently overwrite their values blindly.

Using swap() will make sure the following call to kfree_pmc(pmc)
will properly free the psf structures.

Tested with the C repro provided by syzbot, which basically does :

 socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 3
 setsockopt(3, SOL_IP, IP_ADD_MEMBERSHIP, "\340\0\0\2\177\0\0\1\0\0\0\0", 12) = 0
 ioctl(3, SIOCSIFFLAGS, {ifr_name="lo", ifr_flags=0}) = 0
 setsockopt(3, SOL_IP, IP_MSFILTER, "\340\0\0\2\177\0\0\1\1\0\0\0\1\0\0\0\377\377\377\377", 20) = 0
 ioctl(3, SIOCSIFFLAGS, {ifr_name="lo", ifr_flags=IFF_UP}) = 0
 exit_group(0)                    = ?

BUG: memory leak
unreferenced object 0xffff88811450f140 (size 64):
  comm "softirq", pid 0, jiffies 4294942448 (age 32.070s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00  ................
    00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00  ................
  backtrace:
    [<00000000c7bad083>] kmemleak_alloc_recursive include/linux/kmemleak.h:43 [inline]
    [<00000000c7bad083>] slab_post_alloc_hook mm/slab.h:439 [inline]
    [<00000000c7bad083>] slab_alloc mm/slab.c:3326 [inline]
    [<00000000c7bad083>] kmem_cache_alloc_trace+0x13d/0x280 mm/slab.c:3553
    [<000000009acc4151>] kmalloc include/linux/slab.h:547 [inline]
    [<000000009acc4151>] kzalloc include/linux/slab.h:742 [inline]
    [<000000009acc4151>] ip_mc_add1_src net/ipv4/igmp.c:1976 [inline]
    [<000000009acc4151>] ip_mc_add_src+0x36b/0x400 net/ipv4/igmp.c:2100
    [<000000004ac14566>] ip_mc_msfilter+0x22d/0x310 net/ipv4/igmp.c:2484
    [<0000000052d8f995>] do_ip_setsockopt.isra.0+0x1795/0x1930 net/ipv4/ip_sockglue.c:959
    [<000000004ee1e21f>] ip_setsockopt+0x3b/0xb0 net/ipv4/ip_sockglue.c:1248
    [<0000000066cdfe74>] udp_setsockopt+0x4e/0x90 net/ipv4/udp.c:2618
    [<000000009383a786>] sock_common_setsockopt+0x38/0x50 net/core/sock.c:3126
    [<00000000d8ac0c94>] __sys_setsockopt+0x98/0x120 net/socket.c:2072
    [<000000001b1e9666>] __do_sys_setsockopt net/socket.c:2083 [inline]
    [<000000001b1e9666>] __se_sys_setsockopt net/socket.c:2080 [inline]
    [<000000001b1e9666>] __x64_sys_setsockopt+0x26/0x30 net/socket.c:2080
    [<00000000420d395e>] do_syscall_64+0x76/0x1a0 arch/x86/entry/common.c:301
    [<000000007fd83a4b>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

Fixes: 24803f38a5c0 ("igmp: do not remove igmp souce list info when set link down")
Change-Id: I01882debe8d62ab933db82a435386a5387c02a1a
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Hangbin Liu <liuhangbin@gmail.com>
Reported-by: syzbot+6ca1abd0db68b5173a4f@syzkaller.appspotmail.com
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
2019-10-27 19:33:52 +01:00
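
The ownership problem the commit message describes, as an added user-space illustration (not part of the commit and not kernel code): `struct psf`, `struct pmc`, `psf_push()`, `pmc_free()` and `restore_leak()` are simplified stand-ins assumed for this sketch, with `pmc_free()` playing the role of `kfree_pmc()`. Only the `sources` list is populated; `tomb` behaves the same way.

```c
#include <stdlib.h>

/* Simplified user-space stand-ins (assumed names, not the kernel structs). */
struct psf { struct psf *next; };
struct pmc { struct psf *tomb, *sources; };
static int live; /* psf nodes currently allocated */

static struct psf *psf_push(struct psf *head)
{
	struct psf *n = calloc(1, sizeof(*n));
	if (!n) abort();
	n->next = head;
	live++;
	return n;
}

static void psf_free_list(struct psf *p)
{
	for (struct psf *next; p; p = next, live--) {
		next = p->next;
		free(p);
	}
}

/* Stand-in for kfree_pmc(): frees the lists the record still owns. */
static void pmc_free(struct pmc *pmc)
{
	psf_free_list(pmc->tomb);
	psf_free_list(pmc->sources);
	free(pmc);
}

/* One restore cycle; returns how many psf nodes were left unreachable. */
static int restore_leak(int use_swap)
{
	struct pmc im = { 0 }, *saved = calloc(1, sizeof(*saved));
	struct psf *old;
	if (!saved) abort();
	live = 0;
	saved->sources = psf_push(NULL);   /* saved when the link went down */
	old = im.sources = psf_push(NULL); /* added while the link was down */
	im.sources = saved->sources;       /* restore the saved list */
	saved->sources = use_swap ? old : NULL; /* swap hands old list to saved */
	pmc_free(saved);                   /* with swap, this frees the old list */
	psf_free_list(im.sources);         /* normal teardown of the live entry */
	int leaked = live;
	if (leaked) psf_free_list(old);    /* free the orphan so the demo exits clean */
	return leaked;
}
```

`restore_leak(0)` models the blind overwrite and reports one orphaned node, matching the single unreferenced object in the kmemleak report; `restore_leak(1)` models the swap and reports none.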
..
9p
802
8021q
appletalk net: add build-time checks for msg->msg_name size 2019-08-16 03:55:59 +02:00
atm
ax25 net: add build-time checks for msg->msg_name size 2019-08-16 03:55:59 +02:00
batman-adv
bluetooth Bluetooth: Check state in l2cap_disconnect_rsp 2019-08-05 03:10:33 +02:00
bridge net: bridge: multicast: use rcu to access port list from br_multicast_start_querier 2019-08-15 21:02:28 +02:00
caif
can net: add build-time checks for msg->msg_name size 2019-08-16 03:55:59 +02:00
ceph libceph: introduce ceph_crypt() for in-place en/decryption 2017-04-22 23:02:50 +02:00
core net: neigh: fix multiple neigh timer scheduling 2019-10-27 19:33:27 +01:00
dcb
dccp net/dccp: fix use after free in tw_timer_handler() 2019-07-27 22:08:37 +02:00
decnet net: add build-time checks for msg->msg_name size 2019-08-16 03:55:59 +02:00
dns_resolver dns_resolver: Do not accept domain names longer than 255 chars 2019-07-27 22:07:53 +02:00
dsa
ethernet
ieee802154 net: add build-time checks for msg->msg_name size 2019-08-16 03:55:59 +02:00
ipc_router net: ipc_router: Initialize the sockaddr in recvmsg() handler 2019-07-27 22:08:44 +02:00
ipv4 igmp: fix memory leak in igmpv3_del_delrec() 2019-10-27 19:33:52 +01:00
ipv6 igmp, mld: Fix memory leak in igmpv3/mld_del_delrec() 2019-10-27 19:33:52 +01:00
ipx net: add build-time checks for msg->msg_name size 2019-08-16 03:55:59 +02:00
irda net: add build-time checks for msg->msg_name size 2019-08-16 03:55:59 +02:00
iucv
key net: af_key: fix sleeping under rcu 2019-07-27 22:08:21 +02:00
l2tp net: add build-time checks for msg->msg_name size 2019-08-16 03:55:59 +02:00
lapb
llc net: add build-time checks for msg->msg_name size 2019-08-16 03:55:59 +02:00
mac80211 mac80211: use constant time comparison with keys 2019-07-27 21:45:47 +02:00
mac802154
netfilter netfilter: compat: initialize all fields in xt_init 2019-07-27 22:10:42 +02:00
netlabel netlabel: check for IPV4MASK in addrinfo_get 2019-09-28 20:28:33 +02:00
netlink net: add build-time checks for msg->msg_name size 2019-08-16 03:55:59 +02:00
netrom net: add build-time checks for msg->msg_name size 2019-08-16 03:55:59 +02:00
nfc net: add build-time checks for msg->msg_name size 2019-08-16 03:55:59 +02:00
openvswitch
packet net: add build-time checks for msg->msg_name size 2019-08-16 03:55:59 +02:00
phonet net: add build-time checks for msg->msg_name size 2019-08-16 03:55:59 +02:00
rds net: add build-time checks for msg->msg_name size 2019-08-16 03:55:59 +02:00
rfkill net: rfkill: move poll work to power efficient workqueue 2019-07-27 22:11:06 +02:00
rmnet_data net: rmnet_data: Change the log level for unknown IOCTL's 2019-07-27 21:51:01 +02:00
rose net: add build-time checks for msg->msg_name size 2019-08-16 03:55:59 +02:00
rxrpc net: add build-time checks for msg->msg_name size 2019-08-16 03:55:59 +02:00
sched net: Prevent invalid access to skb->prev in __qdisc_drop_all 2019-07-27 21:53:24 +02:00
sctp sctp: fix a type cast warnings that causes a_rwnd gets the wrong value 2019-07-27 21:45:39 +02:00
sunrpc kernel: make groups_sort calling a responsibility group_info allocators 2019-07-27 21:46:18 +02:00
tipc net: add build-time checks for msg->msg_name size 2019-08-16 03:55:59 +02:00
unix net: add build-time checks for msg->msg_name size 2019-08-16 03:55:59 +02:00
vmw_vsock net: add build-time checks for msg->msg_name size 2019-08-16 03:55:59 +02:00
wimax
wireless nl80211: validate beacon head 2019-10-18 20:58:58 +02:00
x25 net: add build-time checks for msg->msg_name size 2019-08-16 03:55:59 +02:00
xfrm xfrm: validate template mode 2019-09-28 20:28:33 +02:00
Kconfig
Makefile
activity_stats.c
compat.c net: support compat 64-bit time in {s,g}etsockopt 2019-07-27 21:49:09 +02:00
nonet.c
socket.c kernel-wide: fix missing validations on __get/__put/__copy_to/__copy_from_user() 2019-07-27 22:10:26 +02:00
sysctl_net.c