diff options
author | Eric Dumazet <edumazet@google.com> | 2015-11-02 09:03:11 -0800 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2015-11-02 22:47:14 -0500 |
commit | 1d6119baf0610f813eb9d9580eb4fd16de5b4ceb (patch) | |
tree | 0ea51e8f1fc3135c901acce5f49469b5e37f61b9 /net/ipv4/inet_fragment.c | |
parent | c451113291c193d3bfbd0682011d2979d649010c (diff) | |
download | linux-1d6119baf0610f813eb9d9580eb4fd16de5b4ceb.tar.gz linux-1d6119baf0610f813eb9d9580eb4fd16de5b4ceb.tar.bz2 linux-1d6119baf0610f813eb9d9580eb4fd16de5b4ceb.zip |
net: fix percpu memory leaks
This patch fixes following problems :
1) percpu_counter_init() can return an error, therefore
init_frag_mem_limit() must propagate this error so that
inet_frags_init_net() can do the same up to its callers.
2) If ip[46]_frags_ns_ctl_register() fail, we must unwind
properly and free the percpu_counter.
Without this fix, we leave freed object in percpu_counters
global list (if CONFIG_HOTPLUG_CPU) leading to crashes.
This bug was detected by KASAN and syzkaller tool
(http://github.com/google/syzkaller)
Fixes: 6d7b857d541e ("net: use lib/percpu_counter API for fragmentation mem accounting")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: Hannes Frederic Sowa <hannes@stressinduktion.org>
Cc: Jesper Dangaard Brouer <brouer@redhat.com>
Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/ipv4/inet_fragment.c')
-rw-r--r-- | net/ipv4/inet_fragment.c | 6 |
1 files changed, 0 insertions, 6 deletions
diff --git a/net/ipv4/inet_fragment.c b/net/ipv4/inet_fragment.c index d0a7c0319e3d..fe144dae7372 100644 --- a/net/ipv4/inet_fragment.c +++ b/net/ipv4/inet_fragment.c @@ -209,12 +209,6 @@ int inet_frags_init(struct inet_frags *f) } EXPORT_SYMBOL(inet_frags_init); -void inet_frags_init_net(struct netns_frags *nf) -{ - init_frag_mem_limit(nf); -} -EXPORT_SYMBOL(inet_frags_init_net); - void inet_frags_fini(struct inet_frags *f) { cancel_work_sync(&f->frags_work); |