In the Linux kernel, the following vulnerability has been resolved: **net: sched**: Fixed a memory leak in `tcindex_set_parms`. Syzkaller reports a memory leak as follows: ==================================== **BUG: Memory leak** Unreferenced object: 0xffff88810c287f00 (size 256) Comm “syz-executor105”, pid 3600, jiffies 4294943292 (age 12.990s) Hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 .................. 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 .................. Backtrace: [] kmallocTrace+0x20/0x90, mm/slab_common.c:1046 [] kmalloc, include/linux/slab.h:576 [inline] [] kmalloc_array, include/linux/slab.h:627 [inline] [] kcalloc, include/linux/slab.h:659 [inline] [] tcf_exts_init, include/net/pkt_cls.h:250 [inline] [] tcindex_set_parms+0xa7/0xbe0, net/sched/cls_tcindex.c:342 [] tcindex_change+0xdf/0x120, net/sched/cls_tcindex.c:553 [] tc_new_tfilter+0x4f2/0x1100, net/sched/cls_api.c:2147 [] rtnetlink_rcv_msg+0x4dc/0x5d0, net/core/rtnetlink.c:6082 [] netlink_rcv_skb+0x87/0x1d0, net/netlink/af_netlink.c:2540 [] netlink_unicast_kernel, net/netlink/af_netlink.c:1319 [inline] [] netlink_unicast+0x397/0x4c0, net/netlink/af_netlink.c:1345 [] netlink_sendmsg+0x396/0x710, net/netlink/af_netlink.c:1921 [] sock_sendmsg_nosec, net/socket.c:714 [inline] [] sock_sendmsg+0x56/0x80, net/socket.c:734 [] ____sys_sendmsg+0x178/0x410, net/socket.c:2482 [] ___sys_sendmsg+0xa8/0x110, net/socket.c:2536 [] __sys_sendmmsg+0x105/0x330, net/socket.c:2622 [] __do_sys_sendmmsg, net/socket.c:2651 [inline] [] __se_sys_sendmmsg, net/socket.c:2648 [inline] [] __x64_sys_sendmmsg+0x24/0x30 net/socket.c:2648 [] do_syscall_x64 arch/x86/entry/common.c:50 [inline] [] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 [] entry_SYSCALL_64_after_hwframe+0x63/0xcd ==================================== The kernel uses tcindex_change() to modify existing filter properties. However, during this process, if `old_r` is retrieved from `p->perfect`, then the kernel uses tcindex_alloc_perfect_hash() to allocate new filter results, and uses tcindex_filter_result_init() to clear the old filter result—without destroying its tcf_exts structure. This triggers the aforementioned memory leak. More specifically, there are only two sources of `old_r`: either it is retrieved from `p->perfect`, or from `p->h`. * If `old_r` is retrieved from `p->perfect`, the kernel uses tcindex_alloc_perfect_hash() to allocate new filter results. Then `r` is assigned the value of `cp->perfect + handle`, which is newly allocated. Thus, the condition `old_r && old_r != r` is true in this case. The kernel still uses tcindex_filter_result_init() to clear the old filter result without destroying its tcf_exts structure. * If `old_r` is retrieved from `p->h`, then `p->perfect` is NULL according to tcindex_lookup(). Since `cp->h` is copied directly from `p->h`, and `p->perfect` is NULL, `r` is assigned the value of `tcindex_lookup(cp, handle)`. This value should be the same as `old_r`. Therefore, the condition `old_r && old_r != r` is false in this case. The kernel ignores the use of tcindex_filter_result_init() to clear the old filter result. Thus, only when `old_r` is retrieved from `p->perfect` does the kernel use tcindex_filter_result_init() to clear the old filter result, thereby triggering the memory leak. It should be noted that there already exists a tc_filter_wq workqueue to destroy the old tcindex_d… (text truncated)

Query Builder