Re: kernel: audit.c: is it a memleak of net in function audit_send_reply

On Mon, Apr 20, 2020 at 3:54 AM 亿一 <teroincn(a)gmail.com&gt; wrote: > > Hi, all: > > when reviewing code in function audit_send_reply, I notice that if > kthread_run return failure, the net reference would not be released > because reply has been kfree directly. Thanks for reporting this. Looking at the code, it's a little worse than that. If kthread_run() fails then audit_send_reply() will return early, holding both a reference to @net as well as leaking @reply.

Let me finish getting through my mail and I'll put together a quick patch to resolve this (I'm seeing a few other related things we should fix in audit_send_reply()). > static void audit_send_reply(struct sk_buff *request_skb, int seq, int > type, int done, > int multi, const void *payload, int size) > { > struct net *net = sock_net(NETLINK_CB(request_skb).sk); > struct sk_buff *skb; > struct task_struct *tsk; > struct audit_reply *reply = kmalloc(sizeof(struct audit_reply), > GFP_KERNEL); > > if (!reply) > return; > > skb = audit_make_reply(seq, type, done, multi, payload, size); > if (!skb) > goto out; > > reply->net = get_net(net); // hold a reference of net here > reply->portid = NETLINK_CB(request_skb).portid; > reply->skb = skb; > > tsk = kthread_run(audit_send_reply_thread, reply, "audit_send_reply"); > if (!IS_ERR(tsk)) > return; > kfree_skb(skb); > > out: > kfree(reply); // kfree reply without release the net reference. > } -- paul moore www.paul-moore.com