Message ID | 1631161930-77772-1-git-send-email-xiyuyang19@fudan.edu.cn (mailing list archive) |
---|---|
State | Accepted |
Commit | 9b6ff7eb666415e1558f1ba8a742f5db6a9954de |
Delegated to: | Netdev Maintainers |
Headers | show |
Series | net/l2tp: Fix reference count leak in l2tp_udp_recv_core | expand |
Context | Check | Description |
---|---|---|
netdev/cover_letter | success | Link |
netdev/fixes_present | success | Link |
netdev/patch_count | success | Link |
netdev/tree_selection | success | Guessed tree name to be net-next |
netdev/subject_prefix | warning | Target tree name not specified in the subject |
netdev/cc_maintainers | success | CCed 10 of 10 maintainers |
netdev/source_inline | success | Was 0 now: 0 |
netdev/verify_signedoff | success | Link |
netdev/module_param | success | Was 0 now: 0 |
netdev/build_32bit | success | Errors and warnings before: 0 this patch: 0 |
netdev/kdoc | success | Errors and warnings before: 0 this patch: 0 |
netdev/verify_fixes | success | Link |
netdev/checkpatch | success | total: 0 errors, 0 warnings, 0 checks, 11 lines checked |
netdev/build_allmodconfig_warn | success | Errors and warnings before: 0 this patch: 0 |
netdev/header_inline | success | Link |
On Thu, Sep 09, 2021 at 12:32:00 +0800, Xiyu Yang wrote: > The reference count leak issue may take place in an error handling > path. If both conditions of tunnel->version == L2TP_HDR_VER_3 and the > return value of l2tp_v3_ensure_opt_in_linear is nonzero, the function > would directly jump to label invalid, without decrementing the reference > count of the l2tp_session object session increased earlier by > l2tp_tunnel_get_session(). This may result in refcount leaks. I agree with your analysis. Thanks for catching this! > > Fix this issue by decrease the reference count before jumping to the > label invalid. > > Signed-off-by: Xiyu Yang <xiyuyang19@fudan.edu.cn> > Signed-off-by: Xin Xiong <xiongx18@fudan.edu.cn> > Signed-off-by: Xin Tan <tanxin.ctf@gmail.com> > --- > net/l2tp/l2tp_core.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c > index 53486b162f01..93271a2632b8 100644 > --- a/net/l2tp/l2tp_core.c > +++ b/net/l2tp/l2tp_core.c > @@ -869,8 +869,10 @@ static int l2tp_udp_recv_core(struct l2tp_tunnel *tunnel, struct sk_buff *skb) > } > > if (tunnel->version == L2TP_HDR_VER_3 && > - l2tp_v3_ensure_opt_in_linear(session, skb, &ptr, &optr)) > + l2tp_v3_ensure_opt_in_linear(session, skb, &ptr, &optr)) { > + l2tp_session_dec_refcount(session); > goto invalid; > + } The error paths in l2tp_udp_recv_core are a bit convoluted because of the check (!session || !session->recv_skb) which may or may not need to drop a session reference if triggered. I think it could be simplified since session->recv_skb is always set for all the current session types in the tree, but doing that is probably a little patch series on its own. > > l2tp_recv_common(session, skb, ptr, optr, hdrflags, length); > l2tp_session_dec_refcount(session); > -- > 2.7.4 >
On Thu, Sep 09, 2021 at 10:01:56 +0100, Tom Parkin wrote: > On Thu, Sep 09, 2021 at 12:32:00 +0800, Xiyu Yang wrote: > > The reference count leak issue may take place in an error handling > > path. If both conditions of tunnel->version == L2TP_HDR_VER_3 and the > > return value of l2tp_v3_ensure_opt_in_linear is nonzero, the function > > would directly jump to label invalid, without decrementing the reference > > count of the l2tp_session object session increased earlier by > > l2tp_tunnel_get_session(). This may result in refcount leaks. > > I agree with your analysis. Thanks for catching this! > Also: I forgot to mention I think this fixes: 4522a70db7aa ("l2tp: fix reading optional fields of L2TPv3") > > > > Fix this issue by decrease the reference count before jumping to the > > label invalid. > > > > Signed-off-by: Xiyu Yang <xiyuyang19@fudan.edu.cn> > > Signed-off-by: Xin Xiong <xiongx18@fudan.edu.cn> > > Signed-off-by: Xin Tan <tanxin.ctf@gmail.com> > > --- > > net/l2tp/l2tp_core.c | 4 +++- > > 1 file changed, 3 insertions(+), 1 deletion(-) > > > > diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c > > index 53486b162f01..93271a2632b8 100644 > > --- a/net/l2tp/l2tp_core.c > > +++ b/net/l2tp/l2tp_core.c > > @@ -869,8 +869,10 @@ static int l2tp_udp_recv_core(struct l2tp_tunnel *tunnel, struct sk_buff *skb) > > } > > > > if (tunnel->version == L2TP_HDR_VER_3 && > > - l2tp_v3_ensure_opt_in_linear(session, skb, &ptr, &optr)) > > + l2tp_v3_ensure_opt_in_linear(session, skb, &ptr, &optr)) { > > + l2tp_session_dec_refcount(session); > > goto invalid; > > + } > > The error paths in l2tp_udp_recv_core are a bit convoluted because of > the check (!session || !session->recv_skb) which may or may not need > to drop a session reference if triggered. > > I think it could be simplified since session->recv_skb is always set > for all the current session types in the tree, but doing that is probably > a little patch series on its own. > > > > > l2tp_recv_common(session, skb, ptr, optr, hdrflags, length); > > l2tp_session_dec_refcount(session); > > -- > > 2.7.4 > > > > -- > Tom Parkin > Katalix Systems Ltd > https://katalix.com > Catalysts for your Embedded Linux software development
Hello: This patch was applied to netdev/net.git (refs/heads/master): On Thu, 9 Sep 2021 12:32:00 +0800 you wrote: > The reference count leak issue may take place in an error handling > path. If both conditions of tunnel->version == L2TP_HDR_VER_3 and the > return value of l2tp_v3_ensure_opt_in_linear is nonzero, the function > would directly jump to label invalid, without decrementing the reference > count of the l2tp_session object session increased earlier by > l2tp_tunnel_get_session(). This may result in refcount leaks. > > [...] Here is the summary with links: - net/l2tp: Fix reference count leak in l2tp_udp_recv_core https://git.kernel.org/netdev/net/c/9b6ff7eb6664 You are awesome, thank you! -- Deet-doot-dot, I am a bot. https://korg.docs.kernel.org/patchwork/pwbot.html
diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c index 53486b162f01..93271a2632b8 100644 --- a/net/l2tp/l2tp_core.c +++ b/net/l2tp/l2tp_core.c @@ -869,8 +869,10 @@ static int l2tp_udp_recv_core(struct l2tp_tunnel *tunnel, struct sk_buff *skb) } if (tunnel->version == L2TP_HDR_VER_3 && - l2tp_v3_ensure_opt_in_linear(session, skb, &ptr, &optr)) + l2tp_v3_ensure_opt_in_linear(session, skb, &ptr, &optr)) { + l2tp_session_dec_refcount(session); goto invalid; + } l2tp_recv_common(session, skb, ptr, optr, hdrflags, length); l2tp_session_dec_refcount(session);