net: fix percpu memory leaks
authorEric Dumazet <edumazet@google.com>
Mon, 2 Nov 2015 17:03:11 +0000 (09:03 -0800)
committerDavid S. Miller <davem@davemloft.net>
Tue, 3 Nov 2015 03:47:14 +0000 (22:47 -0500)
commit1d6119baf0610f813eb9d9580eb4fd16de5b4ceb
tree0ea51e8f1fc3135c901acce5f49469b5e37f61b9
parentc451113291c193d3bfbd0682011d2979d649010c
net: fix percpu memory leaks

This patch fixes following problems :

1) percpu_counter_init() can return an error, therefore
  init_frag_mem_limit() must propagate this error so that
  inet_frags_init_net() can do the same up to its callers.

2) If ip[46]_frags_ns_ctl_register() fail, we must unwind
   properly and free the percpu_counter.

Without this fix, we leave freed object in percpu_counters
global list (if CONFIG_HOTPLUG_CPU) leading to crashes.

This bug was detected by KASAN and syzkaller tool
(http://github.com/google/syzkaller)

Fixes: 6d7b857d541e ("net: use lib/percpu_counter API for fragmentation mem accounting")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: Hannes Frederic Sowa <hannes@stressinduktion.org>
Cc: Jesper Dangaard Brouer <brouer@redhat.com>
Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
include/net/inet_frag.h
net/ieee802154/6lowpan/reassembly.c
net/ipv4/inet_fragment.c
net/ipv4/ip_fragment.c
net/ipv6/netfilter/nf_conntrack_reasm.c
net/ipv6/reassembly.c