| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 27 Sep 2022 22:29:05 -0700
From: Kuniyuki Iwashima <kuniyu@...zon.com>
To: <edumazet@...gle.com>
CC: <davem@...emloft.net>, <dsahern@...nel.org>, <kuba@...nel.org>,
<kuni1840@...il.com>, <kuniyu@...zon.com>,
<linux-kernel@...r.kernel.org>, <netdev@...r.kernel.org>,
<pabeni@...hat.com>, <syzkaller-bugs@...glegroups.com>
Subject: Re: [PATCH v2 net 2/5] udp: Call inet6_destroy_sock() in setsockopt(IPV6_ADDRFORM).
From: Eric Dumazet <edumazet@...gle.com>
Date: Tue, 27 Sep 2022 22:05:09 -0700
> On Tue, Sep 27, 2022 at 5:28 PM Kuniyuki Iwashima <kuniyu@...zon.com> wrote:
> >
> > Commit 4b340ae20d0e ("IPv6: Complete IPV6_DONTFRAG support") forgot
> > to add a change to free inet6_sk(sk)->rxpmtu while converting an IPv6
> > socket into IPv4 with IPV6_ADDRFORM. After conversion, sk_prot is
> > changed to udp_prot and ->destroy() never cleans it up, resulting in
> > a memory leak.
> >
> > This is due to the discrepancy between inet6_destroy_sock() and
> > IPV6_ADDRFORM, so let's call inet6_destroy_sock() from IPV6_ADDRFORM
> > to remove the difference.
> >
> > However, this is not enough for now because rxpmtu can be changed
> > without lock_sock() after commit 03485f2adcde ("udpv6: Add lockless
> > sendmsg() support"). We will fix this case in the following patch.
> >
> > Fixes: 4b340ae20d0e ("IPv6: Complete IPV6_DONTFRAG support")
> > Signed-off-by: Kuniyuki Iwashima <kuniyu@...zon.com>
> > ---
> > net/ipv6/ipv6_sockglue.c | 15 +++------------
> > 1 file changed, 3 insertions(+), 12 deletions(-)
> >
> > diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c
> > index b61066ac8648..030a4cf23ceb 100644
> > --- a/net/ipv6/ipv6_sockglue.c
> > +++ b/net/ipv6/ipv6_sockglue.c
> > @@ -431,9 +431,6 @@ static int do_ipv6_setsockopt(struct sock *sk, int level, int optname,
> > if (optlen < sizeof(int))
> > goto e_inval;
> > if (val == PF_INET) {
> > - struct ipv6_txoptions *opt;
> > - struct sk_buff *pktopt;
> > -
> > if (sk->sk_type == SOCK_RAW)
> > break;
> >
> > @@ -464,7 +461,6 @@ static int do_ipv6_setsockopt(struct sock *sk, int level, int optname,
> > break;
> > }
> >
> > - fl6_free_socklist(sk);
> > __ipv6_sock_mc_close(sk);
> > __ipv6_sock_ac_close(sk);
> >
> > @@ -501,14 +497,9 @@ static int do_ipv6_setsockopt(struct sock *sk, int level, int optname,
> > sk->sk_socket->ops = &inet_dgram_ops;
> > sk->sk_family = PF_INET;
> > }
> > - opt = xchg((__force struct ipv6_txoptions **)&np->opt,
> > - NULL);
> > - if (opt) {
> > - atomic_sub(opt->tot_len, &sk->sk_omem_alloc);
> > - txopt_put(opt);
> > - }
> > - pktopt = xchg(&np->pktoptions, NULL);
> > - kfree_skb(pktopt);
> > +
>
> Why is this needed ? I think a comment could help.
> > + np->rxopt.all = 0;
I added it to reduce the possibility of lockless allocation in
ipv6_local_rxpmtu(), which checks np->rxopt.bits.rxpmtu first.
But, lockless sendmsg() even races with this, so it might not be
needed or should be added in the next patch?
>
> > + inet6_destroy_sock(sk);
>
> This name is unfortunate. This really is an inet6_cleanup_sock() in
> this context.
Ok, I'll add inet6_cleanup_sock() as a wrapper of inet6_destroy_sock()
in v3.
And, I'll post a cleanup patch later which renames inet6_destroy_sock()
to inet6_cleanup_sock() and removes all unnecessary inet6_destroy_sock()
calls in each sk->sk_prot->destroy().
>
> >
> > /*
> > * ... and add it to the refcnt debug socks count
> > --
> > 2.30.2
Powered by blists - more mailing lists