net: ipv4: fix a memleak in ip_setup_cork

Message ID	20240126075127.2825068-1-alexious@zju.edu.cn (mailing list archive)
State	Superseded
Delegated to:	Netdev Maintainers
Headers	show Received: from sgoci-sdnproxy-4.icoremail.net (sgoci-sdnproxy-4.icoremail.net [129.150.39.64]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 4BF4F12E6F; Fri, 26 Jan 2024 07:51:47 +0000 (UTC) From: Zhipeng Lu <alexious@zju.edu.cn> To: alexious@zju.edu.cn Cc: "David S. Miller" <davem@davemloft.net>, David Ahern <dsahern@kernel.org>, Eric Dumazet <edumazet@google.com>, Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>, netdev@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH] net: ipv4: fix a memleak in ip_setup_cork Date: Fri, 26 Jan 2024 15:51:27 +0800 Message-Id: <20240126075127.2825068-1-alexious@zju.edu.cn> Precedence: bulk MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	net: ipv4: fix a memleak in ip_setup_cork \| expand net: ipv4: fix a memleak in ip_setup_cork

Message ID

20240126075127.2825068-1-alexious@zju.edu.cn (mailing list archive)

State

Superseded

Delegated to:

Netdev Maintainers

Headers

From: Zhipeng Lu <alexious@zju.edu.cn>
To: alexious@zju.edu.cn
Cc: "David S. Miller" <davem@davemloft.net>,
	David Ahern <dsahern@kernel.org>,
	Eric Dumazet <edumazet@google.com>,
	Jakub Kicinski <kuba@kernel.org>,
	Paolo Abeni <pabeni@redhat.com>,
	netdev@vger.kernel.org,
	linux-kernel@vger.kernel.org
Subject: [PATCH] net: ipv4: fix a memleak in ip_setup_cork
Date: Fri, 26 Jan 2024 15:51:27 +0800
Message-Id: <20240126075127.2825068-1-alexious@zju.edu.cn>
Precedence: bulk
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

net: ipv4: fix a memleak in ip_setup_cork | expand

Context	Check	Description
netdev/series_format	warning	Single patches do not need cover letters; Target tree name not specified in the subject
netdev/tree_selection	success	Guessed tree name to be net-next
netdev/ynl	success	Generated files up to date; no warnings/errors; no diff in generated;
netdev/fixes_present	success	Fixes tag not required for -next series
netdev/header_inline	success	No static functions without inline keyword in header files
netdev/build_32bit	success	Errors and warnings before: 1066 this patch: 1066
netdev/build_tools	success	No tools touched, skip
netdev/cc_maintainers	success	CCed 0 of 0 maintainers
netdev/build_clang	success	Errors and warnings before: 1082 this patch: 1082
netdev/verify_signedoff	success	Signed-off-by tag matches author and committer
netdev/deprecated_api	success	None detected
netdev/check_selftest	success	No net selftest shell script
netdev/verify_fixes	success	Fixes tag looks correct
netdev/build_allmodconfig_warn	success	Errors and warnings before: 1083 this patch: 1083
netdev/checkpatch	success	total: 0 errors, 0 warnings, 0 checks, 28 lines checked
netdev/build_clang_rust	success	No Rust files in patch. Skipping build
netdev/kdoc	success	Errors and warnings before: 0 this patch: 0
netdev/source_inline	success	Was 0 now: 0
netdev/contest	pending	net-next-2024-01-26--18-00

Context

Check

Description

netdev/series_format

warning

Single patches do not need cover letters; Target tree name not specified in the subject

netdev/tree_selection

success

Guessed tree name to be net-next

netdev/ynl

success

Generated files up to date; no warnings/errors; no diff in generated;

netdev/fixes_present

success

Fixes tag not required for -next series

netdev/header_inline

success

No static functions without inline keyword in header files

netdev/build_32bit

success

Errors and warnings before: 1066 this patch: 1066

netdev/build_tools

success

No tools touched, skip

netdev/cc_maintainers

success

CCed 0 of 0 maintainers

netdev/build_clang

success

Errors and warnings before: 1082 this patch: 1082

netdev/verify_signedoff

success

Signed-off-by tag matches author and committer

netdev/deprecated_api

success

None detected

netdev/check_selftest

success

No net selftest shell script

netdev/verify_fixes

success

Fixes tag looks correct

netdev/build_allmodconfig_warn

success

Errors and warnings before: 1083 this patch: 1083

netdev/checkpatch

success

total: 0 errors, 0 warnings, 0 checks, 28 lines checked

netdev/build_clang_rust

success

No Rust files in patch. Skipping build

netdev/kdoc

success

Errors and warnings before: 0 this patch: 0

netdev/source_inline

success

Was 0 now: 0

netdev/contest

pending

net-next-2024-01-26--18-00

Commit Message

Zhipeng Lu Jan. 26, 2024, 7:51 a.m. UTC

When inetdev_valid_mtu fails, cork->opt should be freed if it is
allocated in ip_setup_cork. Otherwise there could be a memleak.

Fixes: 501a90c94510 ("inet: protect against too small mtu values.")
Signed-off-by: Zhipeng Lu <alexious@zju.edu.cn>
---
 net/ipv4/ip_output.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

Comments

Eric Dumazet Jan. 26, 2024, 10:13 a.m. UTC | #1

On Fri, Jan 26, 2024 at 8:51 AM Zhipeng Lu <alexious@zju.edu.cn> wrote:
>
> When inetdev_valid_mtu fails, cork->opt should be freed if it is
> allocated in ip_setup_cork. Otherwise there could be a memleak.
>
> Fixes: 501a90c94510 ("inet: protect against too small mtu values.")
> Signed-off-by: Zhipeng Lu <alexious@zju.edu.cn>
> ---
>  net/ipv4/ip_output.c | 9 ++++++++-
>  1 file changed, 8 insertions(+), 1 deletion(-)
>
> diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
> index b06f678b03a1..3215ea07d398 100644
> --- a/net/ipv4/ip_output.c
> +++ b/net/ipv4/ip_output.c
> @@ -1282,6 +1282,7 @@ static int ip_setup_cork(struct sock *sk, struct inet_cork *cork,
>  {
>         struct ip_options_rcu *opt;
>         struct rtable *rt;
> +       int free_opt = 0;
>
>         rt = *rtp;
>         if (unlikely(!rt))
> @@ -1297,6 +1298,7 @@ static int ip_setup_cork(struct sock *sk, struct inet_cork *cork,
>                                             sk->sk_allocation);
>                         if (unlikely(!cork->opt))
>                                 return -ENOBUFS;
> +                       free_opt = 1;
>                 }
>                 memcpy(cork->opt, &opt->opt, sizeof(struct ip_options) + opt->opt.optlen);
>                 cork->flags |= IPCORK_OPT;
> @@ -1306,8 +1308,13 @@ static int ip_setup_cork(struct sock *sk, struct inet_cork *cork,
>         cork->fragsize = ip_sk_use_pmtu(sk) ?
>                          dst_mtu(&rt->dst) : READ_ONCE(rt->dst.dev->mtu);
>
> -       if (!inetdev_valid_mtu(cork->fragsize))
> +       if (!inetdev_valid_mtu(cork->fragsize)) {
> +               if (opt && free_opt) {
> +                       kfree(cork->opt);
> +                       cork->opt = NULL;
> +               }
>                 return -ENETUNREACH;
> +       }
>
>         cork->gso_size = ipc->gso_size;
>
> --
> 2.34.1
>

What about something simpler like :

diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
index b06f678b03a19b806fd14764a4caad60caf02919..41537d18eecfd6e1163aacc35e047c22468e04e6
100644
--- a/net/ipv4/ip_output.c
+++ b/net/ipv4/ip_output.c
@@ -1287,6 +1287,12 @@ static int ip_setup_cork(struct sock *sk,
struct inet_cork *cork,
        if (unlikely(!rt))
                return -EFAULT;

+       cork->fragsize = ip_sk_use_pmtu(sk) ?
+                        dst_mtu(&rt->dst) : READ_ONCE(rt->dst.dev->mtu);
+
+       if (!inetdev_valid_mtu(cork->fragsize))
+               return -ENETUNREACH;
+
        /*
         * setup for corking.
         */
@@ -1303,12 +1309,6 @@ static int ip_setup_cork(struct sock *sk,
struct inet_cork *cork,
                cork->addr = ipc->addr;
        }

-       cork->fragsize = ip_sk_use_pmtu(sk) ?
-                        dst_mtu(&rt->dst) : READ_ONCE(rt->dst.dev->mtu);
-
-       if (!inetdev_valid_mtu(cork->fragsize))
-               return -ENETUNREACH;
-
        cork->gso_size = ipc->gso_size;

        cork->dst = &rt->dst;

Eric Dumazet Jan. 27, 2024, 8:34 a.m. UTC | #2

On Fri, Jan 26, 2024 at 11:13 AM Eric Dumazet <edumazet@google.com> wrote:
>
> On Fri, Jan 26, 2024 at 8:51 AM Zhipeng Lu <alexious@zju.edu.cn> wrote:
> >
> > When inetdev_valid_mtu fails, cork->opt should be freed if it is
> > allocated in ip_setup_cork. Otherwise there could be a memleak.
> >
> > Fixes: 501a90c94510 ("inet: protect against too small mtu values.")
> > Signed-off-by: Zhipeng Lu <alexious@zju.edu.cn>
> > ---
> >  net/ipv4/ip_output.c | 9 ++++++++-
> >  1 file changed, 8 insertions(+), 1 deletion(-)
> >
> > diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
> > index b06f678b03a1..3215ea07d398 100644
> > --- a/net/ipv4/ip_output.c
> > +++ b/net/ipv4/ip_output.c
> > @@ -1282,6 +1282,7 @@ static int ip_setup_cork(struct sock *sk, struct inet_cork *cork,
> >  {
> >         struct ip_options_rcu *opt;
> >         struct rtable *rt;
> > +       int free_opt = 0;
> >
> >         rt = *rtp;
> >         if (unlikely(!rt))
> > @@ -1297,6 +1298,7 @@ static int ip_setup_cork(struct sock *sk, struct inet_cork *cork,
> >                                             sk->sk_allocation);
> >                         if (unlikely(!cork->opt))
> >                                 return -ENOBUFS;
> > +                       free_opt = 1;
> >                 }
> >                 memcpy(cork->opt, &opt->opt, sizeof(struct ip_options) + opt->opt.optlen);
> >                 cork->flags |= IPCORK_OPT;
> > @@ -1306,8 +1308,13 @@ static int ip_setup_cork(struct sock *sk, struct inet_cork *cork,
> >         cork->fragsize = ip_sk_use_pmtu(sk) ?
> >                          dst_mtu(&rt->dst) : READ_ONCE(rt->dst.dev->mtu);
> >
> > -       if (!inetdev_valid_mtu(cork->fragsize))
> > +       if (!inetdev_valid_mtu(cork->fragsize)) {
> > +               if (opt && free_opt) {
> > +                       kfree(cork->opt);
> > +                       cork->opt = NULL;
> > +               }
> >                 return -ENETUNREACH;
> > +       }
> >
> >         cork->gso_size = ipc->gso_size;
> >
> > --
> > 2.34.1
> >
>
> What about something simpler like :
>
> diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
> index b06f678b03a19b806fd14764a4caad60caf02919..41537d18eecfd6e1163aacc35e047c22468e04e6
> 100644
> --- a/net/ipv4/ip_output.c
> +++ b/net/ipv4/ip_output.c
> @@ -1287,6 +1287,12 @@ static int ip_setup_cork(struct sock *sk,
> struct inet_cork *cork,
>         if (unlikely(!rt))
>                 return -EFAULT;
>
> +       cork->fragsize = ip_sk_use_pmtu(sk) ?
> +                        dst_mtu(&rt->dst) : READ_ONCE(rt->dst.dev->mtu);
> +
> +       if (!inetdev_valid_mtu(cork->fragsize))
> +               return -ENETUNREACH;
> +
>         /*
>          * setup for corking.
>          */
> @@ -1303,12 +1309,6 @@ static int ip_setup_cork(struct sock *sk,
> struct inet_cork *cork,
>                 cork->addr = ipc->addr;
>         }
>
> -       cork->fragsize = ip_sk_use_pmtu(sk) ?
> -                        dst_mtu(&rt->dst) : READ_ONCE(rt->dst.dev->mtu);
> -
> -       if (!inetdev_valid_mtu(cork->fragsize))
> -               return -ENETUNREACH;
> -
>         cork->gso_size = ipc->gso_size;
>
>         cork->dst = &rt->dst;

Hi Zhipeng Lu

Could you send a V2 off your patch ? I will then add a Reviewed-by:
tag, thanks !

Zhipeng Lu Jan. 29, 2024, 9:02 a.m. UTC | #3

> On Fri, Jan 26, 2024 at 11:13 AM Eric Dumazet <edumazet@google.com> wrote:
> >
> > On Fri, Jan 26, 2024 at 8:51 AM Zhipeng Lu <alexious@zju.edu.cn> wrote:
> > >
> > > When inetdev_valid_mtu fails, cork->opt should be freed if it is
> > > allocated in ip_setup_cork. Otherwise there could be a memleak.
> > >
> > > Fixes: 501a90c94510 ("inet: protect against too small mtu values.")
> > > Signed-off-by: Zhipeng Lu <alexious@zju.edu.cn>
> > > ---
> > >  net/ipv4/ip_output.c | 9 ++++++++-
> > >  1 file changed, 8 insertions(+), 1 deletion(-)
> > >
> > > diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
> > > index b06f678b03a1..3215ea07d398 100644
> > > --- a/net/ipv4/ip_output.c
> > > +++ b/net/ipv4/ip_output.c
> > > @@ -1282,6 +1282,7 @@ static int ip_setup_cork(struct sock *sk, struct inet_cork *cork,
> > >  {
> > >         struct ip_options_rcu *opt;
> > >         struct rtable *rt;
> > > +       int free_opt = 0;
> > >
> > >         rt = *rtp;
> > >         if (unlikely(!rt))
> > > @@ -1297,6 +1298,7 @@ static int ip_setup_cork(struct sock *sk, struct inet_cork *cork,
> > >                                             sk->sk_allocation);
> > >                         if (unlikely(!cork->opt))
> > >                                 return -ENOBUFS;
> > > +                       free_opt = 1;
> > >                 }
> > >                 memcpy(cork->opt, &opt->opt, sizeof(struct ip_options) + opt->opt.optlen);
> > >                 cork->flags |= IPCORK_OPT;
> > > @@ -1306,8 +1308,13 @@ static int ip_setup_cork(struct sock *sk, struct inet_cork *cork,
> > >         cork->fragsize = ip_sk_use_pmtu(sk) ?
> > >                          dst_mtu(&rt->dst) : READ_ONCE(rt->dst.dev->mtu);
> > >
> > > -       if (!inetdev_valid_mtu(cork->fragsize))
> > > +       if (!inetdev_valid_mtu(cork->fragsize)) {
> > > +               if (opt && free_opt) {
> > > +                       kfree(cork->opt);
> > > +                       cork->opt = NULL;
> > > +               }
> > >                 return -ENETUNREACH;
> > > +       }
> > >
> > >         cork->gso_size = ipc->gso_size;
> > >
> > > --
> > > 2.34.1
> > >
> >
> > What about something simpler like :
> >
> > diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
> > index b06f678b03a19b806fd14764a4caad60caf02919..41537d18eecfd6e1163aacc35e047c22468e04e6
> > 100644
> > --- a/net/ipv4/ip_output.c
> > +++ b/net/ipv4/ip_output.c
> > @@ -1287,6 +1287,12 @@ static int ip_setup_cork(struct sock *sk,
> > struct inet_cork *cork,
> >         if (unlikely(!rt))
> >                 return -EFAULT;
> >
> > +       cork->fragsize = ip_sk_use_pmtu(sk) ?
> > +                        dst_mtu(&rt->dst) : READ_ONCE(rt->dst.dev->mtu);
> > +
> > +       if (!inetdev_valid_mtu(cork->fragsize))
> > +               return -ENETUNREACH;
> > +
> >         /*
> >          * setup for corking.
> >          */
> > @@ -1303,12 +1309,6 @@ static int ip_setup_cork(struct sock *sk,
> > struct inet_cork *cork,
> >                 cork->addr = ipc->addr;
> >         }
> >
> > -       cork->fragsize = ip_sk_use_pmtu(sk) ?
> > -                        dst_mtu(&rt->dst) : READ_ONCE(rt->dst.dev->mtu);
> > -
> > -       if (!inetdev_valid_mtu(cork->fragsize))
> > -               return -ENETUNREACH;
> > -
> >         cork->gso_size = ipc->gso_size;
> >
> >         cork->dst = &rt->dst;
> 
> Hi Zhipeng Lu
> 
> Could you send a V2 off your patch ? I will then add a Reviewed-by:
> tag, thanks !

Hi Eric
Sure, I'll soon send a v2 version following your suggestion.

diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
index b06f678b03a1..3215ea07d398 100644
--- a/net/ipv4/ip_output.c
+++ b/net/ipv4/ip_output.c
@@ -1282,6 +1282,7 @@  static int ip_setup_cork(struct sock *sk, struct inet_cork *cork,
 {
 	struct ip_options_rcu *opt;
 	struct rtable *rt;
+	int free_opt = 0;
 
 	rt = *rtp;
 	if (unlikely(!rt))
@@ -1297,6 +1298,7 @@  static int ip_setup_cork(struct sock *sk, struct inet_cork *cork,
 					    sk->sk_allocation);
 			if (unlikely(!cork->opt))
 				return -ENOBUFS;
+			free_opt = 1;
 		}
 		memcpy(cork->opt, &opt->opt, sizeof(struct ip_options) + opt->opt.optlen);
 		cork->flags |= IPCORK_OPT;
@@ -1306,8 +1308,13 @@  static int ip_setup_cork(struct sock *sk, struct inet_cork *cork,
 	cork->fragsize = ip_sk_use_pmtu(sk) ?
 			 dst_mtu(&rt->dst) : READ_ONCE(rt->dst.dev->mtu);
 
-	if (!inetdev_valid_mtu(cork->fragsize))
+	if (!inetdev_valid_mtu(cork->fragsize)) {
+		if (opt && free_opt) {
+			kfree(cork->opt);
+			cork->opt = NULL;
+		}
 		return -ENETUNREACH;
+	}
 
 	cork->gso_size = ipc->gso_size;

net: ipv4: fix a memleak in ip_setup_cork

Checks

Commit Message

Comments

Patch