From: Anant Thazhemadam Date: Sun, 4 Oct 2020 20:55:36 +0000 (+0530) Subject: net: team: fix memory leak in __team_options_register X-Git-Tag: v4.9.239~16 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=8dd5ea068f8df18399be9cd7f426797b37c9abde;p=platform%2Fkernel%2Flinux-amlogic.git net: team: fix memory leak in __team_options_register commit 9a9e77495958c7382b2438bc19746dd3aaaabb8e upstream. The variable "i" isn't initialized back correctly after the first loop under the label inst_rollback gets executed. The value of "i" is assigned to be option_count - 1, and the ensuing loop (under alloc_rollback) begins by initializing i--. Thus, the value of i when the loop begins execution will now become i = option_count - 2. Thus, when kfree(dst_opts[i]) is called in the second loop in this order, (i.e., inst_rollback followed by alloc_rollback), dst_optsp[option_count - 2] is the first element freed, and dst_opts[option_count - 1] does not get freed, and thus, a memory leak is caused. This memory leak can be fixed, by assigning i = option_count (instead of option_count - 1). Fixes: 80f7c6683fe0 ("team: add support for per-port options") Reported-by: syzbot+69b804437cfec30deac3@syzkaller.appspotmail.com Tested-by: syzbot+69b804437cfec30deac3@syzkaller.appspotmail.com Signed-off-by: Anant Thazhemadam Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman --- diff --git a/drivers/net/team/team.c b/drivers/net/team/team.c index 8ea3fffb9306..001dea7aaba3 100644 --- a/drivers/net/team/team.c +++ b/drivers/net/team/team.c @@ -299,7 +299,7 @@ inst_rollback: for (i--; i >= 0; i--) __team_option_inst_del_option(team, dst_opts[i]); - i = option_count - 1; + i = option_count; alloc_rollback: for (i--; i >= 0; i--) kfree(dst_opts[i]);