Skip to main content

Browse the archive

https://github.com/torvalds/linux
23 October 2021, 00:29:24 UTC
Revision 2127d22509aec3a83dffb2a3c736df7ba747a7ce authored by Miaohe Lin on 18 October 2021, 22:15:52 UTC, committed by Linus Torvalds on 19 October 2021, 06:22:03 UTC 
mm, slub: fix two bugs in slab_debug_trace_open()
 
Patch series "Fixups for slub".

This series contains various bug fixes for slub.  We fix memoryleak,
use-afer-free, NULL pointer dereferencing and so on in slub.  More
details can be found in the respective changelogs.

This patch (of 5):

It's possible that __seq_open_private() will return NULL.  So we should
check it before using lest dereferencing NULL pointer.  And in error
paths, we forgot to release private buffer via seq_release_private().
Memory will leak in these paths.

Link: https://lkml.kernel.org/r/20210916123920.48704-1-linmiaohe@huawei.com
Link: https://lkml.kernel.org/r/20210916123920.48704-2-linmiaohe@huawei.com
Fixes: 64dd68497be7 ("mm: slub: move sysfs slab alloc/free interfaces to debugfs")
Signed-off-by: Miaohe Lin <linmiaohe@huawei.com>
Reviewed-by: Vlastimil Babka <vbabka@suse.cz>
Cc: Christoph Lameter <cl@linux.com>
Cc: Pekka Enberg <penberg@kernel.org>
Cc: David Rientjes <rientjes@google.com>
Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Faiyaz Mohammed <faiyazm@codeaurora.org>
Cc: Andrey Konovalov <andreyknvl@gmail.com>
Cc: Andrey Ryabinin <ryabinin.a.a@gmail.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Bharata B Rao <bharata@linux.ibm.com>
Cc: Roman Gushchin <guro@fb.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
1 parent 6d2aec9
Raw File
Tip revision: 2127d22509aec3a83dffb2a3c736df7ba747a7ce authored by Miaohe Lin on 18 October 2021, 22:15:52 UTC
mm, slub: fix two bugs in slab_debug_trace_open()
Tip revision: 2127d22
test_blackhole_dev.c 
// SPDX-License-Identifier: GPL-2.0
/*
 * This module tests the blackhole_dev that is created during the
 * net subsystem initialization. The test this module performs is
 * by injecting an skb into the stack with skb->dev as the
 * blackhole_dev and expects kernel to behave in a sane manner
 * (in other words, *not crash*)!
 *
 * Copyright (c) 2018, Mahesh Bandewar <maheshb@google.com>
 */

#include <linux/init.h>
#include <linux/module.h>
#include <linux/printk.h>
#include <linux/skbuff.h>
#include <linux/netdevice.h>
#include <linux/udp.h>
#include <linux/ipv6.h>

#include <net/dst.h>

#define SKB_SIZE  256
#define HEAD_SIZE (14+40+8)	/* Ether + IPv6 + UDP */
#define TAIL_SIZE 32		/* random tail-room */

#define UDP_PORT 1234

static int __init test_blackholedev_init(void)
{
	struct ipv6hdr *ip6h;
	struct sk_buff *skb;
	struct ethhdr *ethh;
	struct udphdr *uh;
	int data_len;
	int ret;

	skb = alloc_skb(SKB_SIZE, GFP_KERNEL);
	if (!skb)
		return -ENOMEM;

	/* Reserve head-room for the headers */
	skb_reserve(skb, HEAD_SIZE);

	/* Add data to the skb */
	data_len = SKB_SIZE - (HEAD_SIZE + TAIL_SIZE);
	memset(__skb_put(skb, data_len), 0xf, data_len);

	/* Add protocol data */
	/* (Transport) UDP */
	uh = (struct udphdr *)skb_push(skb, sizeof(struct udphdr));
	skb_set_transport_header(skb, 0);
	uh->source = uh->dest = htons(UDP_PORT);
	uh->len = htons(data_len);
	uh->check = 0;
	/* (Network) IPv6 */
	ip6h = (struct ipv6hdr *)skb_push(skb, sizeof(struct ipv6hdr));
	skb_set_network_header(skb, 0);
	ip6h->hop_limit = 32;
	ip6h->payload_len = data_len + sizeof(struct udphdr);
	ip6h->nexthdr = IPPROTO_UDP;
	ip6h->saddr = in6addr_loopback;
	ip6h->daddr = in6addr_loopback;
	/* Ether */
	ethh = (struct ethhdr *)skb_push(skb, sizeof(struct ethhdr));
	skb_set_mac_header(skb, 0);

	skb->protocol = htons(ETH_P_IPV6);
	skb->pkt_type = PACKET_HOST;
	skb->dev = blackhole_netdev;

	/* Now attempt to send the packet */
	ret = dev_queue_xmit(skb);

	switch (ret) {
	case NET_XMIT_SUCCESS:
		pr_warn("dev_queue_xmit() returned NET_XMIT_SUCCESS\n");
		break;
	case NET_XMIT_DROP:
		pr_warn("dev_queue_xmit() returned NET_XMIT_DROP\n");
		break;
	case NET_XMIT_CN:
		pr_warn("dev_queue_xmit() returned NET_XMIT_CN\n");
		break;
	default:
		pr_err("dev_queue_xmit() returned UNKNOWN(%d)\n", ret);
	}

	return 0;
}

static void __exit test_blackholedev_exit(void)
{
	pr_warn("test_blackholedev module terminating.\n");
}

module_init(test_blackholedev_init);
module_exit(test_blackholedev_exit);

MODULE_AUTHOR("Mahesh Bandewar <maheshb@google.com>");
MODULE_LICENSE("GPL");
back to top