Message ID | 20240509131812.1662197-4-liuhangbin@gmail.com (mailing list archive) |
---|---|
State | Accepted |
Commit | 160e9d2752181fcf18c662e74022d77d3164cd45 |
Delegated to: | Netdev Maintainers |
Headers | show |
Series | ipv6: sr: fix errors during unregister | expand |
2024-05-09, 21:18:12 +0800, Hangbin Liu wrote: > The error path of seg6_init() is wrong in case CONFIG_IPV6_SEG6_LWTUNNEL > is not defined. In that case if seg6_hmac_init() fails, the > genl_unregister_family() isn't called. > > This issue exist since commit 46738b1317e1 ("ipv6: sr: add option to control > lwtunnel support"), and commit 5559cea2d5aa ("ipv6: sr: fix possible > use-after-free and null-ptr-deref") replaced unregister_pernet_subsys() > with genl_unregister_family() in this error path. > > Fixes: 46738b1317e1 ("ipv6: sr: add option to control lwtunnel support") > Reported-by: Guillaume Nault <gnault@redhat.com> > Signed-off-by: Hangbin Liu <liuhangbin@gmail.com> Reviewed-by: Sabrina Dubroca <sd@queasysnail.net> seg6_hmac_init_algo also returns without cleaning up the previous allocations if one fails, so it's going to leak all that memory and the crypto tfms.
On 5/9/24 7:18 AM, Hangbin Liu wrote: > The error path of seg6_init() is wrong in case CONFIG_IPV6_SEG6_LWTUNNEL > is not defined. In that case if seg6_hmac_init() fails, the > genl_unregister_family() isn't called. > > This issue exist since commit 46738b1317e1 ("ipv6: sr: add option to control > lwtunnel support"), and commit 5559cea2d5aa ("ipv6: sr: fix possible > use-after-free and null-ptr-deref") replaced unregister_pernet_subsys() > with genl_unregister_family() in this error path. > > Fixes: 46738b1317e1 ("ipv6: sr: add option to control lwtunnel support") > Reported-by: Guillaume Nault <gnault@redhat.com> > Signed-off-by: Hangbin Liu <liuhangbin@gmail.com> > --- > net/ipv6/seg6.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/net/ipv6/seg6.c b/net/ipv6/seg6.c > index c4ef96c8fdac..a31521e270f7 100644 > --- a/net/ipv6/seg6.c > +++ b/net/ipv6/seg6.c > @@ -551,6 +551,8 @@ int __init seg6_init(void) > #endif > #ifdef CONFIG_IPV6_SEG6_LWTUNNEL > out_unregister_genl: > +#endif > +#if IS_ENABLED(CONFIG_IPV6_SEG6_LWTUNNEL) || IS_ENABLED(CONFIG_IPV6_SEG6_HMAC) > genl_unregister_family(&seg6_genl_family); > #endif > out_unregister_pernet: a good example of why ifdef's create problems. It would have been simpler if all of those init functions were defined for both cases and this function does not need the '#if' spaghetti. Reviewed-by: David Ahern <dsahern@kernel.org>
On Fri, May 10, 2024 at 07:52:36PM -0600, David Ahern wrote: > a good example of why ifdef's create problems. It would have been > simpler if all of those init functions were defined for both cases and > this function does not need the '#if' spaghetti. Yes, I will post a restruct patch for net-next. Thanks Hangbin
diff --git a/net/ipv6/seg6.c b/net/ipv6/seg6.c index c4ef96c8fdac..a31521e270f7 100644 --- a/net/ipv6/seg6.c +++ b/net/ipv6/seg6.c @@ -551,6 +551,8 @@ int __init seg6_init(void) #endif #ifdef CONFIG_IPV6_SEG6_LWTUNNEL out_unregister_genl: +#endif +#if IS_ENABLED(CONFIG_IPV6_SEG6_LWTUNNEL) || IS_ENABLED(CONFIG_IPV6_SEG6_HMAC) genl_unregister_family(&seg6_genl_family); #endif out_unregister_pernet:
The error path of seg6_init() is wrong in case CONFIG_IPV6_SEG6_LWTUNNEL is not defined. In that case if seg6_hmac_init() fails, the genl_unregister_family() isn't called. This issue exist since commit 46738b1317e1 ("ipv6: sr: add option to control lwtunnel support"), and commit 5559cea2d5aa ("ipv6: sr: fix possible use-after-free and null-ptr-deref") replaced unregister_pernet_subsys() with genl_unregister_family() in this error path. Fixes: 46738b1317e1 ("ipv6: sr: add option to control lwtunnel support") Reported-by: Guillaume Nault <gnault@redhat.com> Signed-off-by: Hangbin Liu <liuhangbin@gmail.com> --- net/ipv6/seg6.c | 2 ++ 1 file changed, 2 insertions(+)