Patch "net: macsec: fix potential resource leak in macsec_add_rxsa() and macsec_add_txsa()" has been added to the 5.15-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Sat, 30 Jul 2022 22:45:04 -0400

This is a note to let you know that I've just added the patch titled

    net: macsec: fix potential resource leak in macsec_add_rxsa() and macsec_add_txsa()

to the 5.15-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     net-macsec-fix-potential-resource-leak-in-macsec_add.patch
and it can be found in the queue-5.15 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit f1ecee4a3ddd64f73a30dc33bf38ec8ea0ecbd2a
Author: Jianglei Nie <niejianglei2021@xxxxxxx>
Date:   Fri Jul 22 17:29:02 2022 +0800

    net: macsec: fix potential resource leak in macsec_add_rxsa() and macsec_add_txsa()
    
    [ Upstream commit c7b205fbbf3cffa374721bb7623f7aa8c46074f1 ]
    
    init_rx_sa() allocates relevant resource for rx_sa->stats and rx_sa->
    key.tfm with alloc_percpu() and macsec_alloc_tfm(). When some error
    occurs after init_rx_sa() is called in macsec_add_rxsa(), the function
    released rx_sa with kfree() without releasing rx_sa->stats and rx_sa->
    key.tfm, which will lead to a resource leak.
    
    We should call macsec_rxsa_put() instead of kfree() to decrease the ref
    count of rx_sa and release the relevant resource if the refcount is 0.
    The same bug exists in macsec_add_txsa() for tx_sa as well. This patch
    fixes the above two bugs.
    
    Fixes: 3cf3227a21d1 ("net: macsec: hardware offloading infrastructure")
    Signed-off-by: Jianglei Nie <niejianglei2021@xxxxxxx>
    Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/net/macsec.c b/drivers/net/macsec.c
index 3e74dcc1f875..354890948f8a 100644
--- a/drivers/net/macsec.c
+++ b/drivers/net/macsec.c
@@ -1842,7 +1842,7 @@ static int macsec_add_rxsa(struct sk_buff *skb, struct genl_info *info)
 	return 0;
 
 cleanup:
-	kfree(rx_sa);
+	macsec_rxsa_put(rx_sa);
 	rtnl_unlock();
 	return err;
 }
@@ -2085,7 +2085,7 @@ static int macsec_add_txsa(struct sk_buff *skb, struct genl_info *info)
 
 cleanup:
 	secy->operational = was_operational;
-	kfree(tx_sa);
+	macsec_txsa_put(tx_sa);
 	rtnl_unlock();
 	return err;
 }






