diff mbox series

[net,1/2] net: ipv6: fix dst refleaks in rpl, seg6 and ioam6 lwtunnels

Message ID 20250129021346.2333089-1-kuba@kernel.org (mailing list archive)
State Superseded
Delegated to: Netdev Maintainers
Headers show
Series [net,1/2] net: ipv6: fix dst refleaks in rpl, seg6 and ioam6 lwtunnels | expand

Checks

Context Check Description
netdev/series_format success Single patches do not need cover letters
netdev/tree_selection success Clearly marked for net
netdev/ynl success Generated files up to date; no warnings/errors; no diff in generated;
netdev/fixes_present success Fixes tag present in non-next series
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 0 this patch: 0
netdev/build_tools success No tools touched, skip
netdev/cc_maintainers success CCed 7 of 7 maintainers
netdev/build_clang success Errors and warnings before: 4 this patch: 4
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/deprecated_api success None detected
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes success Fixes tag looks correct
netdev/build_allmodconfig_warn success Errors and warnings before: 2 this patch: 2
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 75 lines checked
netdev/build_clang_rust success No Rust files in patch. Skipping build
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0
netdev/contest success net-next-2025-01-29--12-00 (tests: 885)

Commit Message

Jakub Kicinski Jan. 29, 2025, 2:13 a.m. UTC 
dst_cache_get() gives us a reference, we need to release it.

Discovered by the ioam6.sh test, kmemleak was recently fixed
to catch per-cpu memory leaks.

Fixes: 985ec6f5e623 ("net: ipv6: rpl_iptunnel: mitigate 2-realloc issue")
Fixes: 40475b63761a ("net: ipv6: seg6_iptunnel: mitigate 2-realloc issue")
Fixes: dce525185bc9 ("net: ipv6: ioam6_iptunnel: mitigate 2-realloc issue")
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
---
CC: dsahern@kernel.org
CC: justin.iurman@uliege.be
---
 net/ipv6/ioam6_iptunnel.c | 5 +++--
 net/ipv6/rpl_iptunnel.c   | 6 ++++--
 net/ipv6/seg6_iptunnel.c  | 6 ++++--
 3 files changed, 11 insertions(+), 6 deletions(-)

Comments

Justin Iurman Jan. 29, 2025, 4:10 p.m. UTC | #1 
On 1/29/25 03:13, Jakub Kicinski wrote:
> dst_cache_get() gives us a reference, we need to release it.
> 
> Discovered by the ioam6.sh test, kmemleak was recently fixed
> to catch per-cpu memory leaks.
> 
> Fixes: 985ec6f5e623 ("net: ipv6: rpl_iptunnel: mitigate 2-realloc issue")
> Fixes: 40475b63761a ("net: ipv6: seg6_iptunnel: mitigate 2-realloc issue")
> Fixes: dce525185bc9 ("net: ipv6: ioam6_iptunnel: mitigate 2-realloc issue")
> Signed-off-by: Jakub Kicinski <kuba@kernel.org>
> ---
> CC: dsahern@kernel.org
> CC: justin.iurman@uliege.be
> ---
>   net/ipv6/ioam6_iptunnel.c | 5 +++--
>   net/ipv6/rpl_iptunnel.c   | 6 ++++--
>   net/ipv6/seg6_iptunnel.c  | 6 ++++--
>   3 files changed, 11 insertions(+), 6 deletions(-)
> 
> diff --git a/net/ipv6/ioam6_iptunnel.c b/net/ipv6/ioam6_iptunnel.c
> index 28e5a89dc255..3936c137a572 100644
> --- a/net/ipv6/ioam6_iptunnel.c
> +++ b/net/ipv6/ioam6_iptunnel.c
> @@ -336,7 +336,7 @@ static int ioam6_do_encap(struct net *net, struct sk_buff *skb,
>   
>   static int ioam6_output(struct net *net, struct sock *sk, struct sk_buff *skb)
>   {
> -	struct dst_entry *dst = skb_dst(skb), *cache_dst;
> +	struct dst_entry *dst = skb_dst(skb), *cache_dst = NULL;
>   	struct in6_addr orig_daddr;
>   	struct ioam6_lwt *ilwt;
>   	int err = -EINVAL;
> @@ -407,7 +407,6 @@ static int ioam6_output(struct net *net, struct sock *sk, struct sk_buff *skb)
>   		cache_dst = ip6_route_output(net, NULL, &fl6);
>   		if (cache_dst->error) {
>   			err = cache_dst->error;
> -			dst_release(cache_dst);
>   			goto drop;
>   		}
>   
> @@ -426,8 +425,10 @@ static int ioam6_output(struct net *net, struct sock *sk, struct sk_buff *skb)
>   		return dst_output(net, sk, skb);
>   	}
>   out:
> +	dst_release(cache_dst);
>   	return dst->lwtstate->orig_output(net, sk, skb);
>   drop:
> +	dst_release(cache_dst);
>   	kfree_skb(skb);
>   	return err;
>   }
> diff --git a/net/ipv6/rpl_iptunnel.c b/net/ipv6/rpl_iptunnel.c
> index 7ba22d2f2bfe..9b7d03563115 100644
> --- a/net/ipv6/rpl_iptunnel.c
> +++ b/net/ipv6/rpl_iptunnel.c
> @@ -232,7 +232,6 @@ static int rpl_output(struct net *net, struct sock *sk, struct sk_buff *skb)
>   		dst = ip6_route_output(net, NULL, &fl6);
>   		if (dst->error) {
>   			err = dst->error;
> -			dst_release(dst);
>   			goto drop;
>   		}
>   
> @@ -251,6 +250,7 @@ static int rpl_output(struct net *net, struct sock *sk, struct sk_buff *skb)
>   	return dst_output(net, sk, skb);
>   
>   drop:
> +	dst_release(dst);
>   	kfree_skb(skb);
>   	return err;
>   }
> @@ -269,8 +269,10 @@ static int rpl_input(struct sk_buff *skb)
>   	local_bh_enable();
>   
>   	err = rpl_do_srh(skb, rlwt, dst);
> -	if (unlikely(err))
> +	if (unlikely(err)) {
> +		dst_release(dst);
>   		goto drop;
> +	}
>   
>   	if (!dst) {
>   		ip6_route_input(skb);
> diff --git a/net/ipv6/seg6_iptunnel.c b/net/ipv6/seg6_iptunnel.c
> index 4bf937bfc263..eacc4e91b48e 100644
> --- a/net/ipv6/seg6_iptunnel.c
> +++ b/net/ipv6/seg6_iptunnel.c
> @@ -482,8 +482,10 @@ static int seg6_input_core(struct net *net, struct sock *sk,
>   	local_bh_enable();
>   
>   	err = seg6_do_srh(skb, dst);
> -	if (unlikely(err))
> +	if (unlikely(err)) {
> +		dst_release(dst);
>   		goto drop;
> +	}
>   
>   	if (!dst) {
>   		ip6_route_input(skb);
> @@ -571,7 +573,6 @@ static int seg6_output_core(struct net *net, struct sock *sk,
>   		dst = ip6_route_output(net, NULL, &fl6);
>   		if (dst->error) {
>   			err = dst->error;
> -			dst_release(dst);
>   			goto drop;
>   		}
>   
> @@ -593,6 +594,7 @@ static int seg6_output_core(struct net *net, struct sock *sk,
>   
>   	return dst_output(net, sk, skb);
>   drop:
> +	dst_release(dst);
>   	kfree_skb(skb);
>   	return err;
>   }

Reviewed-by: Justin Iurman <justin.iurman@uliege.be>

Thanks Jakub!
Justin Iurman Jan. 29, 2025, 4:17 p.m. UTC | #2 
On 1/29/25 03:13, Jakub Kicinski wrote:
> dst_cache_get() gives us a reference, we need to release it.
> 
> Discovered by the ioam6.sh test, kmemleak was recently fixed
> to catch per-cpu memory leaks.
> 
> Fixes: 985ec6f5e623 ("net: ipv6: rpl_iptunnel: mitigate 2-realloc issue")
> Fixes: 40475b63761a ("net: ipv6: seg6_iptunnel: mitigate 2-realloc issue")
> Fixes: dce525185bc9 ("net: ipv6: ioam6_iptunnel: mitigate 2-realloc issue")
> Signed-off-by: Jakub Kicinski <kuba@kernel.org>
> ---
> CC: dsahern@kernel.org
> CC: justin.iurman@uliege.be
> ---
>   net/ipv6/ioam6_iptunnel.c | 5 +++--
>   net/ipv6/rpl_iptunnel.c   | 6 ++++--
>   net/ipv6/seg6_iptunnel.c  | 6 ++++--
>   3 files changed, 11 insertions(+), 6 deletions(-)

I think both ila_output() and tipc_udp_xmit() should also be patched 
accordingly. Other users seem fine.

> diff --git a/net/ipv6/ioam6_iptunnel.c b/net/ipv6/ioam6_iptunnel.c
> index 28e5a89dc255..3936c137a572 100644
> --- a/net/ipv6/ioam6_iptunnel.c
> +++ b/net/ipv6/ioam6_iptunnel.c
> @@ -336,7 +336,7 @@ static int ioam6_do_encap(struct net *net, struct sk_buff *skb,
>   
>   static int ioam6_output(struct net *net, struct sock *sk, struct sk_buff *skb)
>   {
> -	struct dst_entry *dst = skb_dst(skb), *cache_dst;
> +	struct dst_entry *dst = skb_dst(skb), *cache_dst = NULL;
>   	struct in6_addr orig_daddr;
>   	struct ioam6_lwt *ilwt;
>   	int err = -EINVAL;
> @@ -407,7 +407,6 @@ static int ioam6_output(struct net *net, struct sock *sk, struct sk_buff *skb)
>   		cache_dst = ip6_route_output(net, NULL, &fl6);
>   		if (cache_dst->error) {
>   			err = cache_dst->error;
> -			dst_release(cache_dst);
>   			goto drop;
>   		}
>   
> @@ -426,8 +425,10 @@ static int ioam6_output(struct net *net, struct sock *sk, struct sk_buff *skb)
>   		return dst_output(net, sk, skb);
>   	}
>   out:
> +	dst_release(cache_dst);
>   	return dst->lwtstate->orig_output(net, sk, skb);
>   drop:
> +	dst_release(cache_dst);
>   	kfree_skb(skb);
>   	return err;
>   }
> diff --git a/net/ipv6/rpl_iptunnel.c b/net/ipv6/rpl_iptunnel.c
> index 7ba22d2f2bfe..9b7d03563115 100644
> --- a/net/ipv6/rpl_iptunnel.c
> +++ b/net/ipv6/rpl_iptunnel.c
> @@ -232,7 +232,6 @@ static int rpl_output(struct net *net, struct sock *sk, struct sk_buff *skb)
>   		dst = ip6_route_output(net, NULL, &fl6);
>   		if (dst->error) {
>   			err = dst->error;
> -			dst_release(dst);
>   			goto drop;
>   		}
>   
> @@ -251,6 +250,7 @@ static int rpl_output(struct net *net, struct sock *sk, struct sk_buff *skb)
>   	return dst_output(net, sk, skb);
>   
>   drop:
> +	dst_release(dst);
>   	kfree_skb(skb);
>   	return err;
>   }
> @@ -269,8 +269,10 @@ static int rpl_input(struct sk_buff *skb)
>   	local_bh_enable();
>   
>   	err = rpl_do_srh(skb, rlwt, dst);
> -	if (unlikely(err))
> +	if (unlikely(err)) {
> +		dst_release(dst);
>   		goto drop;
> +	}
>   
>   	if (!dst) {
>   		ip6_route_input(skb);
> diff --git a/net/ipv6/seg6_iptunnel.c b/net/ipv6/seg6_iptunnel.c
> index 4bf937bfc263..eacc4e91b48e 100644
> --- a/net/ipv6/seg6_iptunnel.c
> +++ b/net/ipv6/seg6_iptunnel.c
> @@ -482,8 +482,10 @@ static int seg6_input_core(struct net *net, struct sock *sk,
>   	local_bh_enable();
>   
>   	err = seg6_do_srh(skb, dst);
> -	if (unlikely(err))
> +	if (unlikely(err)) {
> +		dst_release(dst);
>   		goto drop;
> +	}
>   
>   	if (!dst) {
>   		ip6_route_input(skb);
> @@ -571,7 +573,6 @@ static int seg6_output_core(struct net *net, struct sock *sk,
>   		dst = ip6_route_output(net, NULL, &fl6);
>   		if (dst->error) {
>   			err = dst->error;
> -			dst_release(dst);
>   			goto drop;
>   		}
>   
> @@ -593,6 +594,7 @@ static int seg6_output_core(struct net *net, struct sock *sk,
>   
>   	return dst_output(net, sk, skb);
>   drop:
> +	dst_release(dst);
>   	kfree_skb(skb);
>   	return err;
>   }
Jakub Kicinski Jan. 29, 2025, 8:23 p.m. UTC | #3 
On Wed, 29 Jan 2025 17:17:28 +0100 Justin Iurman wrote:
> >   net/ipv6/ioam6_iptunnel.c | 5 +++--
> >   net/ipv6/rpl_iptunnel.c   | 6 ++++--
> >   net/ipv6/seg6_iptunnel.c  | 6 ++++--
> >   3 files changed, 11 insertions(+), 6 deletions(-)  
> 
> I think both ila_output() and tipc_udp_xmit() should also be patched 
> accordingly. Other users seem fine.

TIPC is not a lwt, the cache belongs to a socket not another dst,
AFAICT.

I think in ILA ilwt->connected will only be set if we re-routed
the traffic to the real address already? So the dst can't match.
CC: Tom, full patch:
https://lore.kernel.org/all/20250129021346.2333089-2-kuba@kernel.org/
Justin Iurman Jan. 30, 2025, 12:16 a.m. UTC | #4 
On 1/29/25 21:23, Jakub Kicinski wrote:
> On Wed, 29 Jan 2025 17:17:28 +0100 Justin Iurman wrote:
>>>    net/ipv6/ioam6_iptunnel.c | 5 +++--
>>>    net/ipv6/rpl_iptunnel.c   | 6 ++++--
>>>    net/ipv6/seg6_iptunnel.c  | 6 ++++--
>>>    3 files changed, 11 insertions(+), 6 deletions(-)
>>
>> I think both ila_output() and tipc_udp_xmit() should also be patched
>> accordingly. Other users seem fine.
> 
> TIPC is not a lwt, the cache belongs to a socket not another dst,
> AFAICT.

*sigh* You're right, my bad.

> I think in ILA ilwt->connected will only be set if we re-routed
> the traffic to the real address already? So the dst can't match.
> CC: Tom, full patch:
> https://lore.kernel.org/all/20250129021346.2333089-2-kuba@kernel.org/

Looks like I was in a hurry when I reported this one. On second reading, 
this is also how I understand it.
diff mbox series

Patch

diff --git a/net/ipv6/ioam6_iptunnel.c b/net/ipv6/ioam6_iptunnel.c
index 28e5a89dc255..3936c137a572 100644
--- a/net/ipv6/ioam6_iptunnel.c
+++ b/net/ipv6/ioam6_iptunnel.c
@@ -336,7 +336,7 @@  static int ioam6_do_encap(struct net *net, struct sk_buff *skb,
 
 static int ioam6_output(struct net *net, struct sock *sk, struct sk_buff *skb)
 {
-	struct dst_entry *dst = skb_dst(skb), *cache_dst;
+	struct dst_entry *dst = skb_dst(skb), *cache_dst = NULL;
 	struct in6_addr orig_daddr;
 	struct ioam6_lwt *ilwt;
 	int err = -EINVAL;
@@ -407,7 +407,6 @@  static int ioam6_output(struct net *net, struct sock *sk, struct sk_buff *skb)
 		cache_dst = ip6_route_output(net, NULL, &fl6);
 		if (cache_dst->error) {
 			err = cache_dst->error;
-			dst_release(cache_dst);
 			goto drop;
 		}
 
@@ -426,8 +425,10 @@  static int ioam6_output(struct net *net, struct sock *sk, struct sk_buff *skb)
 		return dst_output(net, sk, skb);
 	}
 out:
+	dst_release(cache_dst);
 	return dst->lwtstate->orig_output(net, sk, skb);
 drop:
+	dst_release(cache_dst);
 	kfree_skb(skb);
 	return err;
 }
diff --git a/net/ipv6/rpl_iptunnel.c b/net/ipv6/rpl_iptunnel.c
index 7ba22d2f2bfe..9b7d03563115 100644
--- a/net/ipv6/rpl_iptunnel.c
+++ b/net/ipv6/rpl_iptunnel.c
@@ -232,7 +232,6 @@  static int rpl_output(struct net *net, struct sock *sk, struct sk_buff *skb)
 		dst = ip6_route_output(net, NULL, &fl6);
 		if (dst->error) {
 			err = dst->error;
-			dst_release(dst);
 			goto drop;
 		}
 
@@ -251,6 +250,7 @@  static int rpl_output(struct net *net, struct sock *sk, struct sk_buff *skb)
 	return dst_output(net, sk, skb);
 
 drop:
+	dst_release(dst);
 	kfree_skb(skb);
 	return err;
 }
@@ -269,8 +269,10 @@  static int rpl_input(struct sk_buff *skb)
 	local_bh_enable();
 
 	err = rpl_do_srh(skb, rlwt, dst);
-	if (unlikely(err))
+	if (unlikely(err)) {
+		dst_release(dst);
 		goto drop;
+	}
 
 	if (!dst) {
 		ip6_route_input(skb);
diff --git a/net/ipv6/seg6_iptunnel.c b/net/ipv6/seg6_iptunnel.c
index 4bf937bfc263..eacc4e91b48e 100644
--- a/net/ipv6/seg6_iptunnel.c
+++ b/net/ipv6/seg6_iptunnel.c
@@ -482,8 +482,10 @@  static int seg6_input_core(struct net *net, struct sock *sk,
 	local_bh_enable();
 
 	err = seg6_do_srh(skb, dst);
-	if (unlikely(err))
+	if (unlikely(err)) {
+		dst_release(dst);
 		goto drop;
+	}
 
 	if (!dst) {
 		ip6_route_input(skb);
@@ -571,7 +573,6 @@  static int seg6_output_core(struct net *net, struct sock *sk,
 		dst = ip6_route_output(net, NULL, &fl6);
 		if (dst->error) {
 			err = dst->error;
-			dst_release(dst);
 			goto drop;
 		}
 
@@ -593,6 +594,7 @@  static int seg6_output_core(struct net *net, struct sock *sk,
 
 	return dst_output(net, sk, skb);
 drop:
+	dst_release(dst);
 	kfree_skb(skb);
 	return err;
 }