Message ID | 20240507081100.363677-1-liuhangbin@gmail.com (mailing list archive) |
---|---|
State | Superseded |
Delegated to: | Netdev Maintainers |
Series | [net] ipv6: sr: fix invalid unregister error path |
2024-05-07, 16:11:00 +0800, Hangbin Liu wrote: > The error path of seg6_init() is wrong in case CONFIG_IPV6_SEG6_LWTUNNEL > is not defined. In that case if seg6_hmac_init() fails, the > genl_unregister_family() isn't called. > > At the same time, add seg6_local_exit() and fix the genl unregister order > in seg6_exit(). > > Fixes: 5559cea2d5aa ("ipv6: sr: fix possible use-after-free and null-ptr-deref") > Reported-by: Guillaume Nault <gnault@redhat.com> > Signed-off-by: Hangbin Liu <liuhangbin@gmail.com> > --- > net/ipv6/seg6.c | 5 ++--- > 1 file changed, 2 insertions(+), 3 deletions(-) > > diff --git a/net/ipv6/seg6.c b/net/ipv6/seg6.c > index 35508abd76f4..3c5ccc52d0e1 100644 > --- a/net/ipv6/seg6.c > +++ b/net/ipv6/seg6.c > @@ -549,10 +549,8 @@ int __init seg6_init(void) > seg6_iptunnel_exit(); > #endif > #endif > -#ifdef CONFIG_IPV6_SEG6_LWTUNNEL > out_unregister_genl: > genl_unregister_family(&seg6_genl_family); That label will be defined but unused for !CONFIG_IPV6_SEG6_LWTUNNEL. > -#endif > out_unregister_pernet: > unregister_pernet_subsys(&ip6_segments_ops); > goto out; > @@ -564,8 +562,9 @@ void seg6_exit(void) > seg6_hmac_exit(); > #endif > #ifdef CONFIG_IPV6_SEG6_LWTUNNEL > + seg6_local_exit(); > seg6_iptunnel_exit(); > #endif > - unregister_pernet_subsys(&ip6_segments_ops); > genl_unregister_family(&seg6_genl_family); > + unregister_pernet_subsys(&ip6_segments_ops); > } > -- > 2.43.0 > >
On Tue, May 07, 2024 at 11:14:45AM +0200, Sabrina Dubroca wrote: > 2024-05-07, 16:11:00 +0800, Hangbin Liu wrote: > > The error path of seg6_init() is wrong in case CONFIG_IPV6_SEG6_LWTUNNEL > > is not defined. In that case if seg6_hmac_init() fails, the > > genl_unregister_family() isn't called. > > > > At the same time, add seg6_local_exit() and fix the genl unregister order > > in seg6_exit(). > > > > Fixes: 5559cea2d5aa ("ipv6: sr: fix possible use-after-free and null-ptr-deref") > > Reported-by: Guillaume Nault <gnault@redhat.com> > > Signed-off-by: Hangbin Liu <liuhangbin@gmail.com> > > --- > > net/ipv6/seg6.c | 5 ++--- > > 1 file changed, 2 insertions(+), 3 deletions(-) > > > > diff --git a/net/ipv6/seg6.c b/net/ipv6/seg6.c > > index 35508abd76f4..3c5ccc52d0e1 100644 > > --- a/net/ipv6/seg6.c > > +++ b/net/ipv6/seg6.c > > @@ -549,10 +549,8 @@ int __init seg6_init(void) > > seg6_iptunnel_exit(); > > #endif > > #endif > > -#ifdef CONFIG_IPV6_SEG6_LWTUNNEL > > out_unregister_genl: > > genl_unregister_family(&seg6_genl_family); > > That label will be defined but unused for !CONFIG_IPV6_SEG6_LWTUNNEL. Ah, yes, I will add the CONFIG_IPV6_SEG6_LWTUNNEL definition in v2. diff --git a/net/ipv6/seg6.c b/net/ipv6/seg6.c index 3c5ccc52d0e1..6a80d93399ce 100644 --- a/net/ipv6/seg6.c +++ b/net/ipv6/seg6.c @@ -549,7 +549,9 @@ int __init seg6_init(void) seg6_iptunnel_exit(); #endif #endif +#ifdef CONFIG_IPV6_SEG6_LWTUNNEL out_unregister_genl: +#endif genl_unregister_family(&seg6_genl_family); out_unregister_pernet: unregister_pernet_subsys(&ip6_segments_ops); Thanks Hangbin
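Review bot: In the follow-up diff, the `#ifdef CONFIG_IPV6_SEG6_LWTUNNEL` / `#endif` pair now wraps only the `out_unregister_genl:` label, which makes it easy to misread `genl_unregister_family(&seg6_genl_family)` as still being conditional. A short comment above the call, stating that it is reached by fall-through in builds without that option, would make the intent clear.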
diff --git a/net/ipv6/seg6.c b/net/ipv6/seg6.c index 35508abd76f4..3c5ccc52d0e1 100644 --- a/net/ipv6/seg6.c +++ b/net/ipv6/seg6.c @@ -549,10 +549,8 @@ int __init seg6_init(void) seg6_iptunnel_exit(); #endif #endif -#ifdef CONFIG_IPV6_SEG6_LWTUNNEL out_unregister_genl: genl_unregister_family(&seg6_genl_family); -#endif out_unregister_pernet: unregister_pernet_subsys(&ip6_segments_ops); goto out; @@ -564,8 +562,9 @@ void seg6_exit(void) seg6_hmac_exit(); #endif #ifdef CONFIG_IPV6_SEG6_LWTUNNEL + seg6_local_exit(); seg6_iptunnel_exit(); #endif - unregister_pernet_subsys(&ip6_segments_ops); genl_unregister_family(&seg6_genl_family); + unregister_pernet_subsys(&ip6_segments_ops); }
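Review bot: In the first hunk (seg6_init), dropping the `#ifdef CONFIG_IPV6_SEG6_LWTUNNEL` / `#endif` pair leaves the `out_unregister_genl:` label defined in every build, and as raised in the thread nothing uses it when that option is off, so those builds get an unused-label warning. Keep the guard around the label line only, so that `genl_unregister_family(&seg6_genl_family)` still runs by fall-through before `out_unregister_pernet:`.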
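Review bot: The second hunk (seg6_exit) carries two changes that the commit message mentions only in passing: the added `seg6_local_exit()` call and the swap that puts `genl_unregister_family()` ahead of `unregister_pernet_subsys()`. The message should say why the order matters (the new order matches the init error path in the first hunk, where the genl family is unregistered before the pernet subsystem). Since both changes are separate from the seg6_init() error-path fix named in the subject, consider splitting them into their own patch so each fix can be reviewed and backported independently.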
The error path of seg6_init() is wrong in case CONFIG_IPV6_SEG6_LWTUNNEL is not defined. In that case if seg6_hmac_init() fails, the genl_unregister_family() isn't called.

At the same time, add seg6_local_exit() and fix the genl unregister order in seg6_exit().

Fixes: 5559cea2d5aa ("ipv6: sr: fix possible use-after-free and null-ptr-deref")
Reported-by: Guillaume Nault <gnault@redhat.com>
Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>

---
net/ipv6/seg6.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)