lapb: fixed leak of control-blocks. [Linux 4.14.129]

This Linux kernel change "lapb: fixed leak of control-blocks" is included in the Linux 4.14.129 release. It was authored by Jeremy Sowden <jeremy [at] azazel.net> on Sun Jun 16 16:54:37 2019 +0100. The commit for this change in the Linux stable tree is f0662be, which comes from upstream commit 6be8e29. The same upstream change may have been applied to other maintained Linux releases.

lapb: fixed leak of control-blocks.

[ Upstream commit 6be8e297f9bcea666ea85ac7a6cd9d52d6deaf92 ]

lapb_register calls lapb_create_cb, which initializes the control-
block's ref-count to one, and __lapb_insert_cb, which increments it when
adding the new block to the list of blocks.

lapb_unregister calls __lapb_remove_cb, which decrements the ref-count
when removing the control-block from the list of blocks, and calls lapb_put
itself to decrement the ref-count before returning.

However, lapb_unregister also calls __lapb_devtostruct to look up the
right control-block for the given net_device, and __lapb_devtostruct
also bumps the ref-count, which means that when lapb_unregister returns
the ref-count is still 1 and the control-block is leaked.

Call lapb_put after __lapb_devtostruct to fix leak.

Reported-by: [email protected]
Signed-off-by: Jeremy Sowden <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

This change adds one line of Linux source code. The code changes to the Linux kernel are as follows.

 net/lapb/lapb_iface.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/lapb/lapb_iface.c b/net/lapb/lapb_iface.c
index e15314e..299de0c 100644
--- a/net/lapb/lapb_iface.c
+++ b/net/lapb/lapb_iface.c
@@ -182,6 +182,7 @@ int lapb_unregister(struct net_device *dev)
    lapb = __lapb_devtostruct(dev);
    if (!lapb)
        goto out;
+   lapb_put(lapb);

    lapb_stop_t1timer(lapb);
    lapb_stop_t2timer(lapb);
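
Review bot: The added lapb_put(lapb) after the !lapb check drops the lookup reference while lapb is still dereferenced by lapb_stop_t1timer(lapb) and lapb_stop_t2timer(lapb) on the next lines, and nothing in the code says why that is safe. Going by the commit message, the creation reference and the list reference are still held at this point, so the object cannot be freed here, but a reader of lapb_unregister has to reconstruct that from three other functions. Suggest a one-line comment stating that this put balances the reference taken by __lapb_devtostruct, or moving the put after the last use of lapb so the ordering does not depend on the other two references.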
