| Message ID | 20180520130857.1278-1-m.xhonneux@gmail.com |
|---|---|
| State | Changes Requested, archived |
| Delegated to: | BPF Maintainers |
| Headers | show |
| Series | bpf: fix mem leak in error path of lwt bpf setup | expand |
On Sun, May 20, 2018 at 02:08:57PM +0100, Mathieu Xhonneux wrote: > In bpf_parse_prog, if bpf_prog_get_type fails, the function is > immediately terminated without freeing the previously allocated > prog->name. > This patch adds a kfree before the return. > > Signed-off-by: Mathieu Xhonneux <m.xhonneux@gmail.com> > --- > net/core/lwt_bpf.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/net/core/lwt_bpf.c b/net/core/lwt_bpf.c > index e7e626fb87bb..e142a7a32e46 100644 > --- a/net/core/lwt_bpf.c > +++ b/net/core/lwt_bpf.c > @@ -223,8 +223,10 @@ static int bpf_parse_prog(struct nlattr *attr, struct bpf_lwt_prog *prog, > > fd = nla_get_u32(tb[LWT_BPF_PROG_FD]); > p = bpf_prog_get_type(fd, type); > - if (IS_ERR(p)) > + if (IS_ERR(p)) { > + kfree(prog->name); I don't think it is needed. The caller, "bpf_build_state()", does bpf_destroy_state() during error out and it will eventually free up "name". > return PTR_ERR(p); > + } > > prog->prog = p; > > -- > 2.16.1 >
On 05/21/2018 07:44 PM, Martin KaFai Lau wrote: > On Sun, May 20, 2018 at 02:08:57PM +0100, Mathieu Xhonneux wrote: >> In bpf_parse_prog, if bpf_prog_get_type fails, the function is >> immediately terminated without freeing the previously allocated >> prog->name. >> This patch adds a kfree before the return. >> >> Signed-off-by: Mathieu Xhonneux <m.xhonneux@gmail.com> >> --- >> net/core/lwt_bpf.c | 4 +++- >> 1 file changed, 3 insertions(+), 1 deletion(-) >> >> diff --git a/net/core/lwt_bpf.c b/net/core/lwt_bpf.c >> index e7e626fb87bb..e142a7a32e46 100644 >> --- a/net/core/lwt_bpf.c >> +++ b/net/core/lwt_bpf.c >> @@ -223,8 +223,10 @@ static int bpf_parse_prog(struct nlattr *attr, struct bpf_lwt_prog *prog, >> >> fd = nla_get_u32(tb[LWT_BPF_PROG_FD]); >> p = bpf_prog_get_type(fd, type); >> - if (IS_ERR(p)) >> + if (IS_ERR(p)) { >> + kfree(prog->name); > I don't think it is needed. > The caller, "bpf_build_state()", does bpf_destroy_state() during error > out and it will eventually free up "name". Agree, it's not needed in lwt/bpf due to call to destructor in error path. >> return PTR_ERR(p); >> + } >> >> prog->prog = p; >> >> -- >> 2.16.1 >>
diff --git a/net/core/lwt_bpf.c b/net/core/lwt_bpf.c index e7e626fb87bb..e142a7a32e46 100644 --- a/net/core/lwt_bpf.c +++ b/net/core/lwt_bpf.c @@ -223,8 +223,10 @@ static int bpf_parse_prog(struct nlattr *attr, struct bpf_lwt_prog *prog, fd = nla_get_u32(tb[LWT_BPF_PROG_FD]); p = bpf_prog_get_type(fd, type); - if (IS_ERR(p)) + if (IS_ERR(p)) { + kfree(prog->name); return PTR_ERR(p); + } prog->prog = p;
In bpf_parse_prog, if bpf_prog_get_type fails, the function is immediately terminated without freeing the previously allocated prog->name. This patch adds a kfree before the return. Signed-off-by: Mathieu Xhonneux <m.xhonneux@gmail.com> --- net/core/lwt_bpf.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)