From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
Cc: Jozsef Kadlecsik <kadlec@netfilter.org>,
	Florian Westphal <fw@strlen.de>,
	netfilter-devel@vger.kernel.org, coreteam@netfilter.org,
	netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
	kernel@openvz.org
Subject: Re: [PATCH] netfilter: fix percpu counter block leak on error path when creating new netns
Date: Wed, 22 Feb 2023 10:02:07 +0100
Message-ID: <Y/XaD3Dt0tiO2yuT@salvia>
In-Reply-To: <4c6e6b8e-1d0c-2893-f4b9-ea40170cacd6@virtuozzo.com>

On Wed, Feb 22, 2023 at 10:11:03AM +0800, Pavel Tikhomirov wrote:
> On 22.02.2023 07:25, Pablo Neira Ayuso wrote:
> > Hi,
> > 
> > On Mon, Feb 13, 2023 at 12:25:05PM +0800, Pavel Tikhomirov wrote:
> > > Here is the stack where we allocate percpu counter block:
> > > 
> > >    +-< __alloc_percpu
> > >      +-< xt_percpu_counter_alloc
> > >        +-< find_check_entry # {arp,ip,ip6}_tables.c
> > >          +-< translate_table
> > > 
> > > And it can be leaked on this code path:
> > > 
> > >    +-> ip6t_register_table
> > >      +-> translate_table # allocates percpu counter block
> > >      +-> xt_register_table # fails
> > > 
> > > there is no freeing of the counter block on xt_register_table fail.
> > > Note: xt_percpu_counter_free should be called to free it like we do in
> > > do_replace through cleanup_entry helper (or in __ip6t_unregister_table).
> > > 
> > > Probability of hitting this error path is low AFAICS (xt_register_table
> > > can only return ENOMEM here, as it is not replacing anything, as we are
> > > creating new netns, and it is hard to imagine that all previous
> > > allocations succeeded and after that one in xt_register_table failed).
> > > But it's worth fixing even the rare leak.
> > 
> > Any suggestion as Fixes: tag here? This issue seems to be rather old?
> 
> 
> If I'm correct:
> 
> 1) we have this exact percpu leak since commit 71ae0dff02d7
> ("netfilter: xtables: use percpu rule counters") which introduced
> the percpu allocation.
> 
> 2) but we don't call cleanup_entry on this path at least since
> commit 1da177e4c3f4 ("Linux-2.6.12-rc2") which is really old.
> 
> 3) I also see the same thing here https://github.com/mpe/linux-fullhistory/blame/1ab7e5ccf454483fb78998854dddd0bab398c3de/net/ipv4/netfilter/arp_tables.c#L1169
> which is probably the initial commit which introduced
> net/ipv4/netfilter/arp_tables.c file.
> 
> So I'm not sure about Fixes: tag, probably one of those three commits.

Thanks, I will pick #1 as Fixes: tag.
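
The error path discussed in this thread, as an added userspace model in C (not code from the patch, the kernel tree, or either participant): a translate step allocates counter blocks, the registration step fails with -ENOMEM, and the blocks stay allocated unless the cleanup runs on that path. All `model_*` names, the block size and the entry count are assumptions made for the illustration.

```c
#include <errno.h>
#include <stdlib.h>

/* Userspace model, constructed for illustration: the model_* names are
 * hypothetical stand-ins, not the kernel functions named in the thread. */
static int live_blocks;              /* counter blocks currently allocated */
struct entry { void *pcnt; };        /* one rule's counter block */
struct table { struct entry e[3]; size_t n; };

/* Stand-in for running cleanup_entry() on each rule: frees every block. */
static void model_cleanup(struct table *t)
{
    while (t->n > 0) {
        free(t->e[--t->n].pcnt);
        live_blocks--;
    }
}

/* Stand-in for translate_table(): allocates one block per entry. */
static int model_translate(struct table *t)
{
    for (t->n = 0; t->n < 3; t->n++) {
        t->e[t->n].pcnt = malloc(64);
        if (!t->e[t->n].pcnt) {
            model_cleanup(t);        /* unwind a partial translation */
            return -ENOMEM;
        }
        live_blocks++;
    }
    return 0;
}

/* Stand-in for the register path. fail_register injects the -ENOMEM result
 * of the registration step; cleanup_on_error selects the corrected path. */
static int model_register_table(struct table *t, int fail_register,
                                int cleanup_on_error)
{
    int ret = model_translate(t);
    if (ret)
        return ret;
    ret = fail_register ? -ENOMEM : 0;   /* models xt_register_table() */
    if (ret && cleanup_on_error)
        model_cleanup(t);                /* without this the blocks leak */
    return ret;
}

/* Number of blocks still allocated after a failed registration. */
static int leaked_after_failure(int cleanup_on_error)
{
    struct table t;
    live_blocks = 0;
    model_register_table(&t, 1, cleanup_on_error);
    int leaked = live_blocks;
    model_cleanup(&t);                   /* release the model's own memory */
    return leaked;
}
```
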
