[PATCH net-next] mptcp: pm: Fix undefined behavior in mptcp_remove_anno_list_by

All of lore.kernel.org
 help / color / mirror / Atom feed

* [PATCH net-next] mptcp: pm: Fix undefined behavior in mptcp_remove_anno_list_by_saddr()
@ 2025-03-25 11:06 Thorsten Blum
       [not found] ` <7F685866-E146-4E99-A750-47154BDE44C6@linux.dev>
  0 siblings, 1 reply; 4+ messages in thread
From: Thorsten Blum @ 2025-03-25 11:06 UTC (permalink / raw)
  To: Matthieu Baerts, Mat Martineau, Geliang Tang, David S. Miller,
	Eric Dumazet, Jakub Kicinski, Paolo Abeni, Simon Horman
  Cc: Thorsten Blum, netdev, mptcp, linux-kernel

Commit e4c28e3d5c090 ("mptcp: pm: move generic PM helpers to pm.c")
removed a necessary if-check, leading to undefined behavior because
the freed pointer is subsequently returned from the function.

Reintroduce the if-check to fix this and add a local return variable to
prevent further checkpatch warnings, which originally led to the removal
of the if-check.

Fixes: e4c28e3d5c090 ("mptcp: pm: move generic PM helpers to pm.c")
Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
---
 net/mptcp/pm.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/net/mptcp/pm.c b/net/mptcp/pm.c
index 18b19dbccbba..5a6d5e4897dd 100644
--- a/net/mptcp/pm.c
+++ b/net/mptcp/pm.c
@@ -151,10 +151,15 @@ bool mptcp_remove_anno_list_by_saddr(struct mptcp_sock *msk,
 				     const struct mptcp_addr_info *addr)
 {
 	struct mptcp_pm_add_entry *entry;
+	bool ret = false;
 
 	entry = mptcp_pm_del_add_timer(msk, addr, false);
-	kfree(entry);
-	return entry;
+	if (entry) {
+		ret = true;
+		kfree(entry);
+	}
+
+	return ret;
 }
 
 bool mptcp_pm_sport_in_anno_list(struct mptcp_sock *msk, const struct sock *sk)

^ permalink raw reply related	[flat|nested] 4+ messages in thread

[parent not found: <7F685866-E146-4E99-A750-47154BDE44C6@linux.dev>]

* Re: [PATCH net-next] mptcp: pm: Fix undefined behavior in mptcp_remove_anno_list_by_saddr()
       [not found] ` <7F685866-E146-4E99-A750-47154BDE44C6@linux.dev>
@ 2025-03-25 12:30   ` Jakub Kicinski
  2025-03-25 12:51     ` Thorsten Blum
  0 siblings, 1 reply; 4+ messages in thread
From: Jakub Kicinski @ 2025-03-25 12:30 UTC (permalink / raw)
  To: Thorsten Blum
  Cc: Matthieu Baerts, Mat Martineau, Geliang Tang, David S. Miller,
	Eric Dumazet, Paolo Abeni, Simon Horman, netdev

On Tue, 25 Mar 2025 12:33:11 +0100 Thorsten Blum wrote:
> On 25. Mar 2025, at 12:06, Thorsten Blum wrote:
> > 
> > Commit e4c28e3d5c090 ("mptcp: pm: move generic PM helpers to pm.c")
> > removed a necessary if-check, leading to undefined behavior because
> > the freed pointer is subsequently returned from the function.
> > 
> > Reintroduce the if-check to fix this and add a local return variable to
> > prevent further checkpatch warnings, which originally led to the removal
> > of the if-check.
> > 
> > Fixes: e4c28e3d5c090 ("mptcp: pm: move generic PM helpers to pm.c")
> > Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
> > ---  
> 
> Never mind, technically it's not actually undefined behavior because of
> the implicit bool conversion, but returning a freed pointer still seems
> confusing.

CCing the list back in.
-- 
pw-bot: cr

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH net-next] mptcp: pm: Fix undefined behavior in mptcp_remove_anno_list_by_saddr()
  2025-03-25 12:30   ` Jakub Kicinski
@ 2025-03-25 12:51     ` Thorsten Blum
  2025-03-25 14:49       ` Matthieu Baerts
  0 siblings, 1 reply; 4+ messages in thread
From: Thorsten Blum @ 2025-03-25 12:51 UTC (permalink / raw)
  To: Jakub Kicinski
  Cc: Matthieu Baerts, Mat Martineau, Geliang Tang, David S. Miller,
	Eric Dumazet, Paolo Abeni, Simon Horman, netdev, mptcp,
	linux-kernel

On 25. Mar 2025, at 13:30, Jakub Kicinski wrote:
> On Tue, 25 Mar 2025 12:33:11 +0100 Thorsten Blum wrote:
>> On 25. Mar 2025, at 12:06, Thorsten Blum wrote:
>>> 
>>> Commit e4c28e3d5c090 ("mptcp: pm: move generic PM helpers to pm.c")
>>> removed a necessary if-check, leading to undefined behavior because
>>> the freed pointer is subsequently returned from the function.
>>> 
>>> Reintroduce the if-check to fix this and add a local return variable to
>>> prevent further checkpatch warnings, which originally led to the removal
>>> of the if-check.
>>> 
>>> Fixes: e4c28e3d5c090 ("mptcp: pm: move generic PM helpers to pm.c")
>>> Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
>>> ---  
>> 
>> Never mind, technically it's not actually undefined behavior because of
>> the implicit bool conversion, but returning a freed pointer still seems
>> confusing.
> 
> CCing the list back in.

Thanks!

The change imo still makes sense, but the commit message should be
updated. I'll submit a new patch for after the merge window.


^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH net-next] mptcp: pm: Fix undefined behavior in mptcp_remove_anno_list_by_saddr()
  2025-03-25 12:51     ` Thorsten Blum
@ 2025-03-25 14:49       ` Matthieu Baerts
  0 siblings, 0 replies; 4+ messages in thread
From: Matthieu Baerts @ 2025-03-25 14:49 UTC (permalink / raw)
  To: Thorsten Blum
  Cc: Mat Martineau, Geliang Tang, David S. Miller, Eric Dumazet,
	Paolo Abeni, Simon Horman, netdev, mptcp, linux-kernel,
	Jakub Kicinski

Hi Thorsten,

On 25/03/2025 13:51, Thorsten Blum wrote:
> On 25. Mar 2025, at 13:30, Jakub Kicinski wrote:
>> On Tue, 25 Mar 2025 12:33:11 +0100 Thorsten Blum wrote:
>>> On 25. Mar 2025, at 12:06, Thorsten Blum wrote:
>>>>
>>>> Commit e4c28e3d5c090 ("mptcp: pm: move generic PM helpers to pm.c")
>>>> removed a necessary if-check, leading to undefined behavior because
>>>> the freed pointer is subsequently returned from the function.
>>>>
>>>> Reintroduce the if-check to fix this and add a local return variable to
>>>> prevent further checkpatch warnings, which originally led to the removal
>>>> of the if-check.
>>>>
>>>> Fixes: e4c28e3d5c090 ("mptcp: pm: move generic PM helpers to pm.c")
>>>> Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
>>>> ---  
>>>
>>> Never mind, technically it's not actually undefined behavior because of
>>> the implicit bool conversion, but returning a freed pointer still seems
>>> confusing.
>>
>> CCing the list back in.
> 
> Thanks!
> 
> The change imo still makes sense, but the commit message should be
> updated.

Yes, I think it still makes sense, and I understand the confusion.
Another reason to change that is to avoid future issues when kfree()
will be able to set variables to NULL [1].

Instead of re-introducing the if-statement, why not assigning 'ret' to
'entry'?

  entry = mptcp_pm_del_add_timer(...);
  ret = entry; // or assign it at the previous line? ret = entry = (...)
  kfree(entry);

[1] https://lore.kernel.org/20250321202620.work.175-kees@kernel.org

> I'll submit a new patch for after the merge window.
Thank you!

An alternative if you want to send it before is to rebase it on top of
the MPTCP "export" branch, and to send it only to the MPTCP ML. I can
apply the new version in our tree, and send it to Netdev later with
other patches.

Cheers,
Matt
-- 
Sponsored by the NGI0 Core fund.


^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2025-03-25 14:49 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-03-25 11:06 [PATCH net-next] mptcp: pm: Fix undefined behavior in mptcp_remove_anno_list_by_saddr() Thorsten Blum
     [not found] ` <7F685866-E146-4E99-A750-47154BDE44C6@linux.dev>
2025-03-25 12:30   ` Jakub Kicinski
2025-03-25 12:51     ` Thorsten Blum
2025-03-25 14:49       ` Matthieu Baerts

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.