In the Linux kernel, the following vulnerability has been resolved:
net: ipv4: fix memory leak in ipmcadd1_src
BUG: memory leak unreferenced object 0xffff888101bc4c00 (size 32): comm "syz-executor527", pid 360, jiffies 4294807421 (age 19.329s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 01 00 00 00 00 00 00 00 ac 14 14 bb 00 00 02 00 ................ backtrace: [<00000000f17c5244>] kmalloc include/linux/slab.h:558 [inline] [<00000000f17c5244>] kzalloc include/linux/slab.h:688 [inline] [<00000000f17c5244>] ipmcadd1src net/ipv4/igmp.c:1971 [inline] [<00000000f17c5244>] ipmcaddsrc+0x95f/0xdb0 net/ipv4/igmp.c:2095 [<000000001cb99709>] ipmcsource+0x84c/0xea0 net/ipv4/igmp.c:2416 [<0000000052cf19ed>] doipsetsockopt net/ipv4/ipsockglue.c:1294 [inline] [<0000000052cf19ed>] ipsetsockopt+0x114b/0x30c0 net/ipv4/ipsockglue.c:1423 [<00000000477edfbc>] rawsetsockopt+0x13d/0x170 net/ipv4/raw.c:857 [<00000000e75ca9bb>] _syssetsockopt+0x158/0x270 net/socket.c:2117 [<00000000bdb993a8>] _dosyssetsockopt net/socket.c:2128 [inline] [<00000000bdb993a8>] _sesyssetsockopt net/socket.c:2125 [inline] [<00000000bdb993a8>] _x64syssetsockopt+0xba/0x150 net/socket.c:2125 [<000000006a1ffdbd>] dosyscall64+0x40/0x80 arch/x86/entry/common.c:47 [<00000000b11467c4>] entrySYSCALL64after_hwframe+0x44/0xae
In commit 24803f38a5c0 ("igmp: do not remove igmp souce list info when set link down"), the ipmcclearsrc() in ipmcdestroydev() was removed, because it was also called in igmpv3cleardelrec().
Rough callgraph:
inetdevdestroy -> ipmcdestroydev -> igmpv3cleardelrec -> ipmcclearsrc -> RCUINITPOINTER(dev->ipptr, NULL)
However, ipmcclearsrc() called in igmpv3cleardelrec() doesn't release indev->mclist->sources. And RCUINITPOINTER() assigns the NULL to dev->ipptr. As a result, indev cannot be obtained through inetdevbyindex() and then indev->mclist->sources cannot be released by ipmcdel1src() in the sock_close. Rough call sequence goes like:
sockclose -> _sockrelease -> inetrelease -> ipmcdropsocket -> inetdevbyindex -> ipmcleavesrc -> ipmcdelsrc -> ipmcdel1src
So we still need to call ipmcclearsrc() in ipmcdestroydev() to free indev->mclist->sources.