| Message ID | 20190806100425.4356-1-ivan.khoronzhuk@linaro.org |
|---|---|
| State | New |
| Headers | show |
| Series | net: sched: sch_taprio: fix memleak in error path for sched list parse | expand |
From: Ivan Khoronzhuk <ivan.khoronzhuk@linaro.org> Date: Tue, 6 Aug 2019 13:04:25 +0300 > Based on net/master I wonder about that because: > --- a/net/sched/sch_taprio.c > +++ b/net/sched/sch_taprio.c > @@ -1451,7 +1451,8 @@ static int taprio_change(struct Qdisc *sch, struct nlattr *opt, > spin_unlock_bh(qdisc_lock(sch)); > > free_sched: > - kfree(new_admin); > + if (new_admin) > + call_rcu(&new_admin->rcu, taprio_free_sched_cb); > > return err; In my tree the context around line 1451 is: nla_nest_end(skb, sched_nest); done: rcu_read_unlock(); return nla_nest_end(skb, nest); which is part of function taprio_dump(). Please respin this properly against current 'net' sources.
diff --git a/net/sched/sch_taprio.c b/net/sched/sch_taprio.c index b55a82c1e1bc..4f6333035841 100644 --- a/net/sched/sch_taprio.c +++ b/net/sched/sch_taprio.c @@ -1451,7 +1451,8 @@ static int taprio_change(struct Qdisc *sch, struct nlattr *opt, spin_unlock_bh(qdisc_lock(sch)); free_sched: - kfree(new_admin); + if (new_admin) + call_rcu(&new_admin->rcu, taprio_free_sched_cb); return err; }
In case off error, all entries should be freed from the sched list before deleting it. For simplicity use rcu way. Fixes: 5a781ccbd19e46 ("tc: Add support for configuring the taprio scheduler") Signed-off-by: Ivan Khoronzhuk <ivan.khoronzhuk@linaro.org> --- Based on net/master net/sched/sch_taprio.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) -- 2.17.1