Date: Mon, 20 Jul 2020 17:35:55 +0200 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-kernel@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>, stable@...r.kernel.org, Jamal Hadi Salim <jhs@...atatu.com>, Jiri Pirko <jiri@...nulli.us>, Cong Wang <xiyou.wangcong@...il.com>, "David S. Miller" <davem@...emloft.net>, syzbot+d411cff6ab29cc2c311b@...kaller.appspotmail.com Subject: [PATCH 4.19 008/133] net_sched: fix a memory leak in atm_tc_init() From: Cong Wang <xiyou.wangcong@...il.com> [ Upstream commit 306381aec7c2b5a658eebca008c8a1b666536cba ] When tcf_block_get() fails inside atm_tc_init(), atm_tc_put() is called to release the qdisc p->link.q. But the flow->ref prevents it to do so, as the flow->ref is still zero. Fix this by moving the p->link.ref initialization before tcf_block_get(). Fixes: 6529eaba33f0 ("net: sched: introduce tcf block infractructure") Reported-and-tested-by: syzbot+d411cff6ab29cc2c311b@...kaller.appspotmail.com Cc: Jamal Hadi Salim <jhs@...atatu.com> Cc: Jiri Pirko <jiri@...nulli.us> Signed-off-by: Cong Wang <xiyou.wangcong@...il.com> Signed-off-by: David S. Miller <davem@...emloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@...uxfoundation.org> --- net/sched/sch_atm.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) --- a/net/sched/sch_atm.c +++ b/net/sched/sch_atm.c @@ -551,16 +551,16 @@ static int atm_tc_init(struct Qdisc *sch if (!p->link.q) p->link.q = &noop_qdisc; pr_debug("atm_tc_init: link (%p) qdisc %p\n", &p->link, p->link.q); + p->link.vcc = NULL; + p->link.sock = NULL; + p->link.common.classid = sch->handle; + p->link.ref = 1; err = tcf_block_get(&p->link.block, &p->link.filter_list, sch, extack); if (err) return err; - p->link.vcc = NULL; - p->link.sock = NULL; - p->link.common.classid = sch->handle; - p->link.ref = 1; tasklet_init(&p->task, sch_atm_dequeue, (unsigned long)sch); return 0; }
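Review bot: In the atm_tc_init() hunk, the moved p->link assignments must now stay ahead of tcf_block_get() for the error path to work, but nothing in the code records that. Per the commit message, atm_tc_put() cannot release p->link.q while the ref is still zero, so a later tidy-up that moves `p->link.ref = 1;` back below `if (err) return err;` would quietly bring the leak back. A short comment above the moved block, saying the link flow has to be fully initialized before the first call that can fail, would make the ordering dependency explicit. Separately, tasklet_init(&p->task, ...) still runs only after the early return, so it is worth confirming that the teardown reached on a failed init does not rely on p->task having been initialized.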