diff mbox series

[net] ipv6: sr: fix invalid unregister error path

Message ID 20240507081100.363677-1-liuhangbin@gmail.com (mailing list archive)
State Superseded
Delegated to: Netdev Maintainers
Headers show
Series [net] ipv6: sr: fix invalid unregister error path | expand

Checks

Context Check Description
netdev/series_format success Single patches do not need cover letters
netdev/tree_selection success Clearly marked for net
netdev/ynl success Generated files up to date; no warnings/errors; no diff in generated;
netdev/fixes_present success Fixes tag present in non-next series
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 928 this patch: 928
netdev/build_tools success No tools touched, skip
netdev/cc_maintainers success CCed 6 of 6 maintainers
netdev/build_clang success Errors and warnings before: 937 this patch: 937
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/deprecated_api success None detected
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes success Fixes tag looks correct
netdev/build_allmodconfig_warn success Errors and warnings before: 939 this patch: 939
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 20 lines checked
netdev/build_clang_rust success No Rust files in patch. Skipping build
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0
netdev/contest fail net-next-2024-05-07--12-00 (tests: 667)

Commit Message

Hangbin Liu May 7, 2024, 8:11 a.m. UTC 
The error path of seg6_init() is wrong in case CONFIG_IPV6_SEG6_LWTUNNEL
is not defined. In that case if seg6_hmac_init() fails, the
genl_unregister_family() isn't called.

At the same time, add seg6_local_exit() and fix the genl unregister order
in seg6_exit().

Fixes: 5559cea2d5aa ("ipv6: sr: fix possible use-after-free and null-ptr-deref")
Reported-by: Guillaume Nault <gnault@redhat.com>
Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
---
 net/ipv6/seg6.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

Comments

Sabrina Dubroca May 7, 2024, 9:14 a.m. UTC | #1 
2024-05-07, 16:11:00 +0800, Hangbin Liu wrote:
> The error path of seg6_init() is wrong in case CONFIG_IPV6_SEG6_LWTUNNEL
> is not defined. In that case if seg6_hmac_init() fails, the
> genl_unregister_family() isn't called.
> 
> At the same time, add seg6_local_exit() and fix the genl unregister order
> in seg6_exit().
> 
> Fixes: 5559cea2d5aa ("ipv6: sr: fix possible use-after-free and null-ptr-deref")
> Reported-by: Guillaume Nault <gnault@redhat.com>
> Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
> ---
>  net/ipv6/seg6.c | 5 ++---
>  1 file changed, 2 insertions(+), 3 deletions(-)
> 
> diff --git a/net/ipv6/seg6.c b/net/ipv6/seg6.c
> index 35508abd76f4..3c5ccc52d0e1 100644
> --- a/net/ipv6/seg6.c
> +++ b/net/ipv6/seg6.c
> @@ -549,10 +549,8 @@ int __init seg6_init(void)
>  	seg6_iptunnel_exit();
>  #endif
>  #endif
> -#ifdef CONFIG_IPV6_SEG6_LWTUNNEL
>  out_unregister_genl:
>  	genl_unregister_family(&seg6_genl_family);

That label will be defined but unused for !CONFIG_IPV6_SEG6_LWTUNNEL.

> -#endif
>  out_unregister_pernet:
>  	unregister_pernet_subsys(&ip6_segments_ops);
>  	goto out;
> @@ -564,8 +562,9 @@ void seg6_exit(void)
>  	seg6_hmac_exit();
>  #endif
>  #ifdef CONFIG_IPV6_SEG6_LWTUNNEL
> +	seg6_local_exit();
>  	seg6_iptunnel_exit();
>  #endif
> -	unregister_pernet_subsys(&ip6_segments_ops);
>  	genl_unregister_family(&seg6_genl_family);
> +	unregister_pernet_subsys(&ip6_segments_ops);
>  }
> -- 
> 2.43.0
> 
>
Hangbin Liu May 7, 2024, 9:39 a.m. UTC | #2 
On Tue, May 07, 2024 at 11:14:45AM +0200, Sabrina Dubroca wrote:
> 2024-05-07, 16:11:00 +0800, Hangbin Liu wrote:
> > The error path of seg6_init() is wrong in case CONFIG_IPV6_SEG6_LWTUNNEL
> > is not defined. In that case if seg6_hmac_init() fails, the
> > genl_unregister_family() isn't called.
> > 
> > At the same time, add seg6_local_exit() and fix the genl unregister order
> > in seg6_exit().
> > 
> > Fixes: 5559cea2d5aa ("ipv6: sr: fix possible use-after-free and null-ptr-deref")
> > Reported-by: Guillaume Nault <gnault@redhat.com>
> > Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
> > ---
> >  net/ipv6/seg6.c | 5 ++---
> >  1 file changed, 2 insertions(+), 3 deletions(-)
> > 
> > diff --git a/net/ipv6/seg6.c b/net/ipv6/seg6.c
> > index 35508abd76f4..3c5ccc52d0e1 100644
> > --- a/net/ipv6/seg6.c
> > +++ b/net/ipv6/seg6.c
> > @@ -549,10 +549,8 @@ int __init seg6_init(void)
> >  	seg6_iptunnel_exit();
> >  #endif
> >  #endif
> > -#ifdef CONFIG_IPV6_SEG6_LWTUNNEL
> >  out_unregister_genl:
> >  	genl_unregister_family(&seg6_genl_family);
> 
> That label will be defined but unused for !CONFIG_IPV6_SEG6_LWTUNNEL.

Ah, yes, I will add the CONFIG_IPV6_SEG6_LWTUNNEL definition in v2.

diff --git a/net/ipv6/seg6.c b/net/ipv6/seg6.c
index 3c5ccc52d0e1..6a80d93399ce 100644
--- a/net/ipv6/seg6.c
+++ b/net/ipv6/seg6.c
@@ -549,7 +549,9 @@ int __init seg6_init(void)
        seg6_iptunnel_exit();
 #endif
 #endif
+#ifdef CONFIG_IPV6_SEG6_LWTUNNEL
 out_unregister_genl:
+#endif
        genl_unregister_family(&seg6_genl_family);
 out_unregister_pernet:
        unregister_pernet_subsys(&ip6_segments_ops);

Thanks
Hangbin
diff mbox series

Patch

diff --git a/net/ipv6/seg6.c b/net/ipv6/seg6.c
index 35508abd76f4..3c5ccc52d0e1 100644
--- a/net/ipv6/seg6.c
+++ b/net/ipv6/seg6.c
@@ -549,10 +549,8 @@  int __init seg6_init(void)
 	seg6_iptunnel_exit();
 #endif
 #endif
-#ifdef CONFIG_IPV6_SEG6_LWTUNNEL
 out_unregister_genl:
 	genl_unregister_family(&seg6_genl_family);
-#endif
 out_unregister_pernet:
 	unregister_pernet_subsys(&ip6_segments_ops);
 	goto out;
@@ -564,8 +562,9 @@  void seg6_exit(void)
 	seg6_hmac_exit();
 #endif
 #ifdef CONFIG_IPV6_SEG6_LWTUNNEL
+	seg6_local_exit();
 	seg6_iptunnel_exit();
 #endif
-	unregister_pernet_subsys(&ip6_segments_ops);
 	genl_unregister_family(&seg6_genl_family);
+	unregister_pernet_subsys(&ip6_segments_ops);
 }