[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-Id: <20200811.161029.1720063119338694115.davem@davemloft.net>
Date: Tue, 11 Aug 2020 16:10:29 -0700 (PDT)
From: David Miller <davem@...emloft.net>
To: xiyou.wangcong@...il.com
Cc: linmiaohe@...wei.com, kuba@...nel.org, edumazet@...gle.com,
kafai@...com, daniel@...earbox.net, jakub@...udflare.com,
keescook@...omium.org, zhang.lin16@....com.cn,
netdev@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] net: Fix potential memory leak in proto_register()
From: Cong Wang <xiyou.wangcong@...il.com>
Date: Tue, 11 Aug 2020 16:02:51 -0700
>> @@ -3406,6 +3406,16 @@ static void sock_inuse_add(struct net *net, int val)
>> }
>> #endif
>>
>> +static void tw_prot_cleanup(struct timewait_sock_ops *twsk_prot)
>> +{
>> + if (!twsk_prot)
>> + return;
>> + kfree(twsk_prot->twsk_slab_name);
>> + twsk_prot->twsk_slab_name = NULL;
>> + kmem_cache_destroy(twsk_prot->twsk_slab);
>
> Hmm, are you sure you can free the kmem cache name before
> kmem_cache_destroy()? To me, it seems kmem_cache_destroy()
> frees the name via slab_kmem_cache_release() via kfree_const().
> With your patch, we have a double-free on the name?
>
> Or am I missing anything?
Yep, there is a double free here.
Please fix this.
Powered by blists - more mailing lists