From: Davide Caratti <dcaratti@redhat.com>
To: Cong Wang <xiyou.wangcong@gmail.com>
Cc: Jamal Hadi Salim <jhs@mojatatu.com>,
Jiri Pirko <jiri@resnulli.us>,
"David S. Miller" <davem@davemloft.net>,
Linux Kernel Network Developers <netdev@vger.kernel.org>
Subject: Re: [PATCH net] net/sched: act_simple: don't leak 'index' in the error path
Date: Wed, 14 Mar 2018 23:43:47 +0100 [thread overview]
Message-ID: <1521067427.2750.40.camel@redhat.com> (raw)
In-Reply-To: <CAM_iQpUg5sDfXk1i1aJh_28cV7VpR2PpggnoR3jOJNxqDJiNSw@mail.gmail.com>
hello Cong, thank you for reviewing this.
On Wed, 2018-03-14 at 11:41 -0700, Cong Wang wrote:
> On Tue, Mar 13, 2018 at 7:13 PM, Davide Caratti <dcaratti@redhat.com> wrote:
>
> Looks like we just need to replace the tcf_idr_cleanup() with
> tcf_idr_release()? Which is also simpler.
I just tried it on act_simple, and I can confirm: 'index' does not leak
anymore if alloc_defdata() fails to kzalloc(), and then tcf_idr_release()
is called in place of of tcf_idr_cleanup().
> Looks like all other callers of tcf_idr_cleanup() need to be replaced too,
> but I don't audit all of them...
no problem, I can try to do that, it's not going to be a big series
anyway.
while at it, I will also fix other spots where the same bug can be
reproduced, even if tcf_idr_cleanup() is not there: for example, when
tcf_vlan_init() fails allocating struct tcf_vlan_params *p,
ASSERT_RTNL();
p = kzalloc(sizeof(*p), GFP_KERNEL);
if (!p) {
if (ovr)
tcf_idr_release(*a, bind);
return -ENOMEM;
}
the followinng behavior can be observed:
# tc actions flush action vlan
# tc actions add action vlan pop index 5
RTNETLINK answers: Cannot allocate memory
We have an error talking to the kernel
# tc actions add action vlan pop index 5
RTNETLINK answers: No space left on device
We have an error talking to the kernel
# tc actions add action vlan pop index 5
RTNETLINK answers: No space left on device
We have an error talking to the kernel
Probably testing the value of 'ovr' here is wrong, or maybe it's
not enough: I will also verify what happens using 'replace'
keyword instead of 'add'.
>
> [...]
>
> > if (!exists) {
> > + defdata = nla_strdup(tb[TCA_DEF_DATA], GFP_KERNEL);
> > + if (unlikely(!defdata))
> > + return -ENOMEM;
> > +
> > ret = tcf_idr_create(tn, parm->index, est, a,
> > &act_simp_ops, bind, false);
> > if (ret)
> > return ret;
>
> You leak memory here on failure, BTW.
Ouch, you are right. I was wrongly convinced that act_simp_ops.cleanup()
was called also in case of failure of tcf_idr_create(), but it's not true.
Indeed, a call to act_simp_ops.cleanup() happens if we call
tcf_idr_release() after tcf_idr_create() returned 0.
regards,
--
davide
next prev parent reply other threads:[~2018-03-14 22:43 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-03-14 2:13 [PATCH net] net/sched: act_simple: don't leak 'index' in the error path Davide Caratti
2018-03-14 18:41 ` Cong Wang
2018-03-14 22:43 ` Davide Caratti [this message]
2018-03-16 0:43 ` Cong Wang
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1521067427.2750.40.camel@redhat.com \
--to=dcaratti@redhat.com \
--cc=davem@davemloft.net \
--cc=jhs@mojatatu.com \
--cc=jiri@resnulli.us \
--cc=netdev@vger.kernel.org \
--cc=xiyou.wangcong@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.