lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20220928052905.82271-1-kuniyu@amazon.com>
Date:   Tue, 27 Sep 2022 22:29:05 -0700
From:   Kuniyuki Iwashima <kuniyu@...zon.com>
To:     <edumazet@...gle.com>
CC:     <davem@...emloft.net>, <dsahern@...nel.org>, <kuba@...nel.org>,
        <kuni1840@...il.com>, <kuniyu@...zon.com>,
        <linux-kernel@...r.kernel.org>, <netdev@...r.kernel.org>,
        <pabeni@...hat.com>, <syzkaller-bugs@...glegroups.com>
Subject: Re: [PATCH v2 net 2/5] udp: Call inet6_destroy_sock() in setsockopt(IPV6_ADDRFORM).

From:   Eric Dumazet <edumazet@...gle.com>
Date:   Tue, 27 Sep 2022 22:05:09 -0700
> On Tue, Sep 27, 2022 at 5:28 PM Kuniyuki Iwashima <kuniyu@...zon.com> wrote:
> >
> > Commit 4b340ae20d0e ("IPv6: Complete IPV6_DONTFRAG support") forgot
> > to add a change to free inet6_sk(sk)->rxpmtu while converting an IPv6
> > socket into IPv4 with IPV6_ADDRFORM.  After conversion, sk_prot is
> > changed to udp_prot and ->destroy() never cleans it up, resulting in
> > a memory leak.
> >
> > This is due to the discrepancy between inet6_destroy_sock() and
> > IPV6_ADDRFORM, so let's call inet6_destroy_sock() from IPV6_ADDRFORM
> > to remove the difference.
> >
> > However, this is not enough for now because rxpmtu can be changed
> > without lock_sock() after commit 03485f2adcde ("udpv6: Add lockless
> > sendmsg() support").  We will fix this case in the following patch.
> >
> > Fixes: 4b340ae20d0e ("IPv6: Complete IPV6_DONTFRAG support")
> > Signed-off-by: Kuniyuki Iwashima <kuniyu@...zon.com>
> > ---
> >  net/ipv6/ipv6_sockglue.c | 15 +++------------
> >  1 file changed, 3 insertions(+), 12 deletions(-)
> >
> > diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c
> > index b61066ac8648..030a4cf23ceb 100644
> > --- a/net/ipv6/ipv6_sockglue.c
> > +++ b/net/ipv6/ipv6_sockglue.c
> > @@ -431,9 +431,6 @@ static int do_ipv6_setsockopt(struct sock *sk, int level, int optname,
> >                 if (optlen < sizeof(int))
> >                         goto e_inval;
> >                 if (val == PF_INET) {
> > -                       struct ipv6_txoptions *opt;
> > -                       struct sk_buff *pktopt;
> > -
> >                         if (sk->sk_type == SOCK_RAW)
> >                                 break;
> >
> > @@ -464,7 +461,6 @@ static int do_ipv6_setsockopt(struct sock *sk, int level, int optname,
> >                                 break;
> >                         }
> >
> > -                       fl6_free_socklist(sk);
> >                         __ipv6_sock_mc_close(sk);
> >                         __ipv6_sock_ac_close(sk);
> >
> > @@ -501,14 +497,9 @@ static int do_ipv6_setsockopt(struct sock *sk, int level, int optname,
> >                                 sk->sk_socket->ops = &inet_dgram_ops;
> >                                 sk->sk_family = PF_INET;
> >                         }
> > -                       opt = xchg((__force struct ipv6_txoptions **)&np->opt,
> > -                                  NULL);
> > -                       if (opt) {
> > -                               atomic_sub(opt->tot_len, &sk->sk_omem_alloc);
> > -                               txopt_put(opt);
> > -                       }
> > -                       pktopt = xchg(&np->pktoptions, NULL);
> > -                       kfree_skb(pktopt);
> > +
> 
>  Why is this needed ? I think a comment could help.
> > +                       np->rxopt.all = 0;

I added it to reduce the possibility of lockless allocation in
ipv6_local_rxpmtu(), which checks np->rxopt.bits.rxpmtu first.

But, lockless sendmsg() even races with this, so it might not be
needed or should be added in the next patch?


> 
> > +                       inet6_destroy_sock(sk);
> 
> This name is unfortunate. This really is an inet6_cleanup_sock() in
> this context.

Ok, I'll add inet6_cleanup_sock() as a wrapper of inet6_destroy_sock()
in v3.

And, I'll post a cleanup patch later which renames inet6_destroy_sock()
to inet6_cleanup_sock() and removes all unnecessary inet6_destroy_sock()
calls in each sk->sk_prot->destroy().


> 
> >
> >                         /*
> >                          * ... and add it to the refcnt debug socks count
> > --
> > 2.30.2

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ