Message ID | 20210112162829.775079-1-sdf@google.com (mailing list archive) |
---|---|
State | Accepted |
Commit | 4be34f3d0731b38a1b24566b37fbb39500aaf3a2 |
Delegated to: | BPF |
Series | [bpf,v2] bpf: don't leak memory in bpf getsockopt when optlen == 0 |

Context | Check | Description |
---|---|---|
netdev/cover_letter | success | Link |
netdev/fixes_present | success | Link |
netdev/patch_count | success | Link |
netdev/tree_selection | success | Clearly marked for bpf |
netdev/subject_prefix | success | Link |
netdev/cc_maintainers | warning | 5 maintainers not CCed: yhs@fb.com kpsingh@kernel.org andrii@kernel.org songliubraving@fb.com john.fastabend@gmail.com |
netdev/source_inline | success | Was 0 now: 0 |
netdev/verify_signedoff | success | Link |
netdev/module_param | success | Was 0 now: 0 |
netdev/build_32bit | success | Errors and warnings before: 4 this patch: 4 |
netdev/kdoc | success | Errors and warnings before: 3 this patch: 3 |
netdev/verify_fixes | success | Link |
netdev/checkpatch | success | total: 0 errors, 0 warnings, 0 checks, 15 lines checked |
netdev/build_allmodconfig_warn | success | Errors and warnings before: 4 this patch: 4 |
netdev/header_inline | success | Link |
netdev/stable | success | Stable not CCed |

On Tue, Jan 12, 2021 at 08:28:29AM -0800, Stanislav Fomichev wrote:
> optlen == 0 indicates that the kernel should ignore BPF buffer
> and use the original one from the user. We, however, forget
> to free the temporary buffer that we've allocated for BPF.

Acked-by: Martin KaFai Lau <kafai@fb.com>

Hello:

This patch was applied to bpf/bpf.git (refs/heads/master):

On Tue, 12 Jan 2021 08:28:29 -0800 you wrote:
> optlen == 0 indicates that the kernel should ignore BPF buffer
> and use the original one from the user. We, however, forget
> to free the temporary buffer that we've allocated for BPF.
>
> Reported-by: Martin KaFai Lau <kafai@fb.com>
> Fixes: d8fe449a9c51 ("bpf: Don't return EINVAL from {get,set}sockopt when optlen > PAGE_SIZE")
> Signed-off-by: Stanislav Fomichev <sdf@google.com>
>
> [...]

Here is the summary with links:
- [bpf,v2] bpf: don't leak memory in bpf getsockopt when optlen == 0
  https://git.kernel.org/bpf/bpf/c/4be34f3d0731

You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html

diff --git a/kernel/bpf/cgroup.c b/kernel/bpf/cgroup.c index 6ec088a96302..96555a8a2c54 100644 --- a/kernel/bpf/cgroup.c +++ b/kernel/bpf/cgroup.c @@ -1391,12 +1391,13 @@ int __cgroup_bpf_run_filter_setsockopt(struct sock *sk, int *level, if (ctx.optlen != 0) { *optlen = ctx.optlen; *kernel_optval = ctx.optval; + /* export and don't free sockopt buf */ + return 0; } } out: - if (ret) - sockopt_free_buf(&ctx); + sockopt_free_buf(&ctx); return ret; }
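
Review bot: the comment on the new early `return 0` in the `if (ctx.optlen != 0)` branch ("export and don't free sockopt buf") does not say who releases the buffer once it has been handed out through `*kernel_optval`. With `sockopt_free_buf(&ctx)` now unconditional under `out:`, that early return is the only thing keeping the exported buffer alive, so a later edit that routes this branch back through `out:` would free memory the caller still holds. Suggest extending the comment to state who is responsible for freeing `*kernel_optval` and that this path must not fall through to `out:`. Separately, the subject and commit message say getsockopt, but the hunk is in `__cgroup_bpf_run_filter_setsockopt`; naming setsockopt in the subject would make the fix easier to match when backporting.
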
optlen == 0 indicates that the kernel should ignore BPF buffer
and use the original one from the user. We, however, forget
to free the temporary buffer that we've allocated for BPF.

Reported-by: Martin KaFai Lau <kafai@fb.com>
Fixes: d8fe449a9c51 ("bpf: Don't return EINVAL from {get,set}sockopt when optlen > PAGE_SIZE")
Signed-off-by: Stanislav Fomichev <sdf@google.com>
---
 kernel/bpf/cgroup.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)