Message ID | 20240126075127.2825068-1-alexious@zju.edu.cn |
---|---|
State | New |
Headers | From: Zhipeng Lu <alexious@zju.edu.cn> To: alexious@zju.edu.cn Cc: "David S. Miller" <davem@davemloft.net>, David Ahern <dsahern@kernel.org>, Eric Dumazet <edumazet@google.com>, Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>, netdev@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH] net: ipv4: fix a memleak in ip_setup_cork Date: Fri, 26 Jan 2024 15:51:27 +0800 X-Mailer: git-send-email 2.34.1 |
Series | net: ipv4: fix a memleak in ip_setup_cork |
Commit Message
Zhipeng Lu
Jan. 26, 2024, 7:51 a.m. UTC
When inetdev_valid_mtu fails, cork->opt should be freed if it is
allocated in ip_setup_cork. Otherwise there could be a memleak.
Fixes: 501a90c94510 ("inet: protect against too small mtu values.")
Signed-off-by: Zhipeng Lu <alexious@zju.edu.cn>
---
net/ipv4/ip_output.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
Comments
On Fri, Jan 26, 2024 at 8:51 AM Zhipeng Lu <alexious@zju.edu.cn> wrote: > > When inetdev_valid_mtu fails, cork->opt should be freed if it is > allocated in ip_setup_cork. Otherwise there could be a memleak. > > Fixes: 501a90c94510 ("inet: protect against too small mtu values.") > Signed-off-by: Zhipeng Lu <alexious@zju.edu.cn> > --- > net/ipv4/ip_output.c | 9 ++++++++- > 1 file changed, 8 insertions(+), 1 deletion(-) > > diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c > index b06f678b03a1..3215ea07d398 100644 > --- a/net/ipv4/ip_output.c > +++ b/net/ipv4/ip_output.c > @@ -1282,6 +1282,7 @@ static int ip_setup_cork(struct sock *sk, struct inet_cork *cork, > { > struct ip_options_rcu *opt; > struct rtable *rt; > + int free_opt = 0; > > rt = *rtp; > if (unlikely(!rt)) > @@ -1297,6 +1298,7 @@ static int ip_setup_cork(struct sock *sk, struct inet_cork *cork, > sk->sk_allocation); > if (unlikely(!cork->opt)) > return -ENOBUFS; > + free_opt = 1; > } > memcpy(cork->opt, &opt->opt, sizeof(struct ip_options) + opt->opt.optlen); > cork->flags |= IPCORK_OPT; > @@ -1306,8 +1308,13 @@ static int ip_setup_cork(struct sock *sk, struct inet_cork *cork, > cork->fragsize = ip_sk_use_pmtu(sk) ? > dst_mtu(&rt->dst) : READ_ONCE(rt->dst.dev->mtu); > > - if (!inetdev_valid_mtu(cork->fragsize)) > + if (!inetdev_valid_mtu(cork->fragsize)) { > + if (opt && free_opt) { > + kfree(cork->opt); > + cork->opt = NULL; > + } > return -ENETUNREACH; > + } > > cork->gso_size = ipc->gso_size; > > -- > 2.34.1 > What about something simpler like : diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c index b06f678b03a19b806fd14764a4caad60caf02919..41537d18eecfd6e1163aacc35e047c22468e04e6 100644 --- a/net/ipv4/ip_output.c +++ b/net/ipv4/ip_output.c 
@@ -1287,6 +1287,12 @@ static int ip_setup_cork(struct sock *sk, struct inet_cork *cork, if (unlikely(!rt)) return -EFAULT; + cork->fragsize = ip_sk_use_pmtu(sk) ? + dst_mtu(&rt->dst) : READ_ONCE(rt->dst.dev->mtu); + + if (!inetdev_valid_mtu(cork->fragsize)) + return -ENETUNREACH; + /* * setup for corking. */ @@ -1303,12 +1309,6 @@ static int ip_setup_cork(struct sock *sk, struct inet_cork *cork, cork->addr = ipc->addr; } - cork->fragsize = ip_sk_use_pmtu(sk) ? - dst_mtu(&rt->dst) : READ_ONCE(rt->dst.dev->mtu); - - if (!inetdev_valid_mtu(cork->fragsize)) - return -ENETUNREACH; - cork->gso_size = ipc->gso_size; cork->dst = &rt->dst;
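Review bot: In the first hunk (@@ -1287,6 +1287,12 @@), the moved `inetdev_valid_mtu(cork->fragsize)` check has no comment saying why it now sits above the "setup for corking" block, so a later cleanup could move it back below the `cork->opt` allocation and reintroduce the leak this thread is about. A one-line comment above the check, noting that it must run before anything is allocated so that the `-ENETUNREACH` return has nothing to unwind, would make the ordering constraint explicit.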
On Fri, Jan 26, 2024 at 11:13 AM Eric Dumazet <edumazet@google.com> wrote: > > On Fri, Jan 26, 2024 at 8:51 AM Zhipeng Lu <alexious@zju.edu.cn> wrote: > > > > When inetdev_valid_mtu fails, cork->opt should be freed if it is > > allocated in ip_setup_cork. Otherwise there could be a memleak. > > > > Fixes: 501a90c94510 ("inet: protect against too small mtu values.") > > Signed-off-by: Zhipeng Lu <alexious@zju.edu.cn> > > --- > > net/ipv4/ip_output.c | 9 ++++++++- > > 1 file changed, 8 insertions(+), 1 deletion(-) > > > > diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c > > index b06f678b03a1..3215ea07d398 100644 > > --- a/net/ipv4/ip_output.c > > +++ b/net/ipv4/ip_output.c > > @@ -1282,6 +1282,7 @@ static int ip_setup_cork(struct sock *sk, struct inet_cork *cork, > > { > > struct ip_options_rcu *opt; > > struct rtable *rt; > > + int free_opt = 0; > > > > rt = *rtp; > > if (unlikely(!rt)) > > @@ -1297,6 +1298,7 @@ static int ip_setup_cork(struct sock *sk, struct inet_cork *cork, > > sk->sk_allocation); > > if (unlikely(!cork->opt)) > > return -ENOBUFS; > > + free_opt = 1; > > } > > memcpy(cork->opt, &opt->opt, sizeof(struct ip_options) + opt->opt.optlen); > > cork->flags |= IPCORK_OPT; > > @@ -1306,8 +1308,13 @@ static int ip_setup_cork(struct sock *sk, struct inet_cork *cork, > > cork->fragsize = ip_sk_use_pmtu(sk) ? > > dst_mtu(&rt->dst) : READ_ONCE(rt->dst.dev->mtu); > > > > - if (!inetdev_valid_mtu(cork->fragsize)) > > + if (!inetdev_valid_mtu(cork->fragsize)) { > > + if (opt && free_opt) { > > + kfree(cork->opt); > > + cork->opt = NULL; > > + } > > return -ENETUNREACH; > > + } > > > > cork->gso_size = ipc->gso_size; > > > > -- > > 2.34.1 > > > > What about something simpler like : > > diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c > index b06f678b03a19b806fd14764a4caad60caf02919..41537d18eecfd6e1163aacc35e047c22468e04e6 > 100644 > --- a/net/ipv4/ip_output.c > +++ b/net/ipv4/ip_output.c 
> @@ -1287,6 +1287,12 @@ static int ip_setup_cork(struct sock *sk, > struct inet_cork *cork, > if (unlikely(!rt)) > return -EFAULT; > > + cork->fragsize = ip_sk_use_pmtu(sk) ? > + dst_mtu(&rt->dst) : READ_ONCE(rt->dst.dev->mtu); > + > + if (!inetdev_valid_mtu(cork->fragsize)) > + return -ENETUNREACH; > + > /* > * setup for corking. > */ > @@ -1303,12 +1309,6 @@ static int ip_setup_cork(struct sock *sk, > struct inet_cork *cork, > cork->addr = ipc->addr; > } > > - cork->fragsize = ip_sk_use_pmtu(sk) ? > - dst_mtu(&rt->dst) : READ_ONCE(rt->dst.dev->mtu); > - > - if (!inetdev_valid_mtu(cork->fragsize)) > - return -ENETUNREACH; > - > cork->gso_size = ipc->gso_size; > > cork->dst = &rt->dst;

Hi Zhipeng Lu

Could you send a V2 of your patch? I will then add a Reviewed-by: tag, thanks!
> On Fri, Jan 26, 2024 at 11:13 AM Eric Dumazet <edumazet@google.com> wrote: > > > > On Fri, Jan 26, 2024 at 8:51 AM Zhipeng Lu <alexious@zju.edu.cn> wrote: > > > > > > When inetdev_valid_mtu fails, cork->opt should be freed if it is > > > allocated in ip_setup_cork. Otherwise there could be a memleak. > > > > > > Fixes: 501a90c94510 ("inet: protect against too small mtu values.") > > > Signed-off-by: Zhipeng Lu <alexious@zju.edu.cn> > > > --- > > > net/ipv4/ip_output.c | 9 ++++++++- > > > 1 file changed, 8 insertions(+), 1 deletion(-) > > > > > > diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c > > > index b06f678b03a1..3215ea07d398 100644 > > > --- a/net/ipv4/ip_output.c > > > +++ b/net/ipv4/ip_output.c > > > @@ -1282,6 +1282,7 @@ static int ip_setup_cork(struct sock *sk, struct inet_cork *cork, > > > { > > > struct ip_options_rcu *opt; > > > struct rtable *rt; > > > + int free_opt = 0; > > > > > > rt = *rtp; > > > if (unlikely(!rt)) > > > @@ -1297,6 +1298,7 @@ static int ip_setup_cork(struct sock *sk, struct inet_cork *cork, > > > sk->sk_allocation); > > > if (unlikely(!cork->opt)) > > > return -ENOBUFS; > > > + free_opt = 1; > > > } > > > memcpy(cork->opt, &opt->opt, sizeof(struct ip_options) + opt->opt.optlen); > > > cork->flags |= IPCORK_OPT; > > > @@ -1306,8 +1308,13 @@ static int ip_setup_cork(struct sock *sk, struct inet_cork *cork, > > > cork->fragsize = ip_sk_use_pmtu(sk) ? > > > dst_mtu(&rt->dst) : READ_ONCE(rt->dst.dev->mtu); > > > > > > - if (!inetdev_valid_mtu(cork->fragsize)) > > > + if (!inetdev_valid_mtu(cork->fragsize)) { > > > + if (opt && free_opt) { > > > + kfree(cork->opt); > > > + cork->opt = NULL; > > > + } > > > return -ENETUNREACH; > > > + } > > > > > > cork->gso_size = ipc->gso_size; > > > > > > -- > > > 2.34.1 > > > > > > > What about something simpler like : > > > > diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c > > index b06f678b03a19b806fd14764a4caad60caf02919..41537d18eecfd6e1163aacc35e047c22468e04e6 > > 100644 
> > --- a/net/ipv4/ip_output.c > > +++ b/net/ipv4/ip_output.c > > @@ -1287,6 +1287,12 @@ static int ip_setup_cork(struct sock *sk, > > struct inet_cork *cork, > > if (unlikely(!rt)) > > return -EFAULT; > > > > + cork->fragsize = ip_sk_use_pmtu(sk) ? > > + dst_mtu(&rt->dst) : READ_ONCE(rt->dst.dev->mtu); > > + > > + if (!inetdev_valid_mtu(cork->fragsize)) > > + return -ENETUNREACH; > > + > > /* > > * setup for corking. > > */ > > @@ -1303,12 +1309,6 @@ static int ip_setup_cork(struct sock *sk, > > struct inet_cork *cork, > > cork->addr = ipc->addr; > > } > > > > - cork->fragsize = ip_sk_use_pmtu(sk) ? > > - dst_mtu(&rt->dst) : READ_ONCE(rt->dst.dev->mtu); > > - > > - if (!inetdev_valid_mtu(cork->fragsize)) > > - return -ENETUNREACH; > > - > > cork->gso_size = ipc->gso_size; > > > > cork->dst = &rt->dst; > > Hi Zhipeng Lu > > Could you send a V2 off your patch ? I will then add a Reviewed-by: > tag, thanks !

Hi Eric

Sure, I'll soon send a v2 version following your suggestion.
diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c index b06f678b03a1..3215ea07d398 100644 --- a/net/ipv4/ip_output.c +++ b/net/ipv4/ip_output.c @@ -1282,6 +1282,7 @@ static int ip_setup_cork(struct sock *sk, struct inet_cork *cork, { struct ip_options_rcu *opt; struct rtable *rt; + int free_opt = 0; rt = *rtp; if (unlikely(!rt)) @@ -1297,6 +1298,7 @@ static int ip_setup_cork(struct sock *sk, struct inet_cork *cork, sk->sk_allocation); if (unlikely(!cork->opt)) return -ENOBUFS; + free_opt = 1; } memcpy(cork->opt, &opt->opt, sizeof(struct ip_options) + opt->opt.optlen); cork->flags |= IPCORK_OPT; @@ -1306,8 +1308,13 @@ static int ip_setup_cork(struct sock *sk, struct inet_cork *cork, cork->fragsize = ip_sk_use_pmtu(sk) ? dst_mtu(&rt->dst) : READ_ONCE(rt->dst.dev->mtu); - if (!inetdev_valid_mtu(cork->fragsize)) + if (!inetdev_valid_mtu(cork->fragsize)) { + if (opt && free_opt) { + kfree(cork->opt); + cork->opt = NULL; + } return -ENETUNREACH; + } cork->gso_size = ipc->gso_size;
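Review bot: `int free_opt = 0;` in the first hunk (@@ -1282,6 +1282,7 @@) is only ever used as a true/false flag: it is set to 1 in the second hunk and tested in the third. Declaring it as `bool free_opt = false;` and assigning `true` states that intent directly.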
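Review bot: In the last hunk (@@ -1306,8 +1308,13 @@), the new error path frees `cork->opt` and sets it to NULL but leaves `IPCORK_OPT` set in `cork->flags`; the context line `cork->flags |= IPCORK_OPT;` in the previous hunk runs before this return is reached. Either clear the flag alongside the free, or perform the `inetdev_valid_mtu()` check before the allocation so that the failure return has no state to undo. The `opt &&` test is also redundant, since `free_opt` is only set on the allocation path, which is followed directly by a dereference of `opt` in the `memcpy()`.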