* ipv6: release dst in ping_v6_sendmsg
@ 2016-09-02 18:39 Dave Jones
2016-09-06 17:36 ` Martin KaFai Lau
2016-09-06 19:56 ` David Miller
0 siblings, 2 replies; 5+ messages in thread
From: Dave Jones @ 2016-09-02 18:39 UTC (permalink / raw)
To: netdev; +Cc: kafai
Neither the failure or success paths of ping_v6_sendmsg release
the dst it acquires. This leads to a flood of warnings from
"net/core/dst.c:288 dst_release" on older kernels that
don't have 8bf4ada2e21378816b28205427ee6b0e1ca4c5f1 backported.
That patch optimistically hoped this had been fixed post 3.10, but
it seems at least one case wasn't, where I've seen this triggered
a lot from machines doing unprivileged icmp sockets.
Cc: Martin Lau <kafai@fb.com>
Signed-off-by: Dave Jones <davej@codemonkey.org.uk>
diff --git a/net/ipv6/ping.c b/net/ipv6/ping.c
index 0900352c924c..0e983b694ee8 100644
--- a/net/ipv6/ping.c
+++ b/net/ipv6/ping.c
@@ -126,8 +126,10 @@ static int ping_v6_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
rt = (struct rt6_info *) dst;
np = inet6_sk(sk);
- if (!np)
- return -EBADF;
+ if (!np) {
+ err = -EBADF;
+ goto dst_err_out;
+ }
if (!fl6.flowi6_oif && ipv6_addr_is_multicast(&fl6.daddr))
fl6.flowi6_oif = np->mcast_oif;
@@ -163,6 +165,9 @@ static int ping_v6_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
}
release_sock(sk);
+dst_err_out:
+ dst_release(dst);
+
if (err)
return err;
^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: ipv6: release dst in ping_v6_sendmsg
2016-09-02 18:39 ipv6: release dst in ping_v6_sendmsg Dave Jones
@ 2016-09-06 17:36 ` Martin KaFai Lau
2016-09-06 17:52 ` Eric Dumazet
2016-09-06 19:56 ` David Miller
1 sibling, 1 reply; 5+ messages in thread
From: Martin KaFai Lau @ 2016-09-06 17:36 UTC (permalink / raw)
To: Dave Jones; +Cc: netdev
On Fri, Sep 02, 2016 at 02:39:50PM -0400, Dave Jones wrote:
> Neither the failure or success paths of ping_v6_sendmsg release
> the dst it acquires. This leads to a flood of warnings from
> "net/core/dst.c:288 dst_release" on older kernels that
> don't have 8bf4ada2e21378816b28205427ee6b0e1ca4c5f1 backported.
>
> That patch optimistically hoped this had been fixed post 3.10, but
> it seems at least one case wasn't, where I've seen this triggered
> a lot from machines doing unprivileged icmp sockets.
>
> Cc: Martin Lau <kafai@fb.com>
> Signed-off-by: Dave Jones <davej@codemonkey.org.uk>
>
> diff --git a/net/ipv6/ping.c b/net/ipv6/ping.c
> index 0900352c924c..0e983b694ee8 100644
> --- a/net/ipv6/ping.c
> +++ b/net/ipv6/ping.c
> @@ -126,8 +126,10 @@ static int ping_v6_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
> rt = (struct rt6_info *) dst;
>
> np = inet6_sk(sk);
> - if (!np)
> - return -EBADF;
> + if (!np) {
> + err = -EBADF;
> + goto dst_err_out;
> + }
>
> if (!fl6.flowi6_oif && ipv6_addr_is_multicast(&fl6.daddr))
> fl6.flowi6_oif = np->mcast_oif;
> @@ -163,6 +165,9 @@ static int ping_v6_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
> }
> release_sock(sk);
>
> +dst_err_out:
> + dst_release(dst);
> +
> if (err)
> return err;
>
Acked-by: Martin KaFai Lau <kafai@fb.com>
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: ipv6: release dst in ping_v6_sendmsg
2016-09-06 17:36 ` Martin KaFai Lau
@ 2016-09-06 17:52 ` Eric Dumazet
2016-09-06 18:50 ` Dave Jones
0 siblings, 1 reply; 5+ messages in thread
From: Eric Dumazet @ 2016-09-06 17:52 UTC (permalink / raw)
To: Martin KaFai Lau; +Cc: Dave Jones, netdev
On Tue, 2016-09-06 at 10:36 -0700, Martin KaFai Lau wrote:
> On Fri, Sep 02, 2016 at 02:39:50PM -0400, Dave Jones wrote:
> > Neither the failure or success paths of ping_v6_sendmsg release
> > the dst it acquires. This leads to a flood of warnings from
> > "net/core/dst.c:288 dst_release" on older kernels that
> > don't have 8bf4ada2e21378816b28205427ee6b0e1ca4c5f1 backported.
> >
> > That patch optimistically hoped this had been fixed post 3.10, but
> > it seems at least one case wasn't, where I've seen this triggered
> > a lot from machines doing unprivileged icmp sockets.
> >
> > Cc: Martin Lau <kafai@fb.com>
> > Signed-off-by: Dave Jones <davej@codemonkey.org.uk>
> >
> > diff --git a/net/ipv6/ping.c b/net/ipv6/ping.c
> > index 0900352c924c..0e983b694ee8 100644
> > --- a/net/ipv6/ping.c
> > +++ b/net/ipv6/ping.c
> > @@ -126,8 +126,10 @@ static int ping_v6_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
> > rt = (struct rt6_info *) dst;
> >
> > np = inet6_sk(sk);
> > - if (!np)
> > - return -EBADF;
> > + if (!np) {
> > + err = -EBADF;
> > + goto dst_err_out;
> > + }
> >
> > if (!fl6.flowi6_oif && ipv6_addr_is_multicast(&fl6.daddr))
> > fl6.flowi6_oif = np->mcast_oif;
> > @@ -163,6 +165,9 @@ static int ping_v6_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
> > }
> > release_sock(sk);
> >
> > +dst_err_out:
> > + dst_release(dst);
> > +
> > if (err)
> > return err;
> >
>
> Acked-by: Martin KaFai Lau <kafai@fb.com>
This really does not make sense to me.
If np was NULL, we should have a crash before.
So we should remove this test, since it is absolutely useless.
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: ipv6: release dst in ping_v6_sendmsg
2016-09-06 17:52 ` Eric Dumazet
@ 2016-09-06 18:50 ` Dave Jones
0 siblings, 0 replies; 5+ messages in thread
From: Dave Jones @ 2016-09-06 18:50 UTC (permalink / raw)
To: Eric Dumazet; +Cc: Martin KaFai Lau, netdev
On Tue, Sep 06, 2016 at 10:52:43AM -0700, Eric Dumazet wrote:
> > > @@ -126,8 +126,10 @@ static int ping_v6_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
> > > rt = (struct rt6_info *) dst;
> > >
> > > np = inet6_sk(sk);
> > > - if (!np)
> > > - return -EBADF;
> > > + if (!np) {
> > > + err = -EBADF;
> > > + goto dst_err_out;
> > > + }
> > >
> > > if (!fl6.flowi6_oif && ipv6_addr_is_multicast(&fl6.daddr))
> > > fl6.flowi6_oif = np->mcast_oif;
> > > @@ -163,6 +165,9 @@ static int ping_v6_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
> > > }
> > > release_sock(sk);
> > >
> > > +dst_err_out:
> > > + dst_release(dst);
> > > +
> > > if (err)
> > > return err;
> > >
> >
> > Acked-by: Martin KaFai Lau <kafai@fb.com>
>
> This really does not make sense to me.
>
> If np was NULL, we should have a crash before.
In the case where I was seeing the traces, we were taking the 'success'
path through the function, so sk was non-null.
> So we should remove this test, since it is absolutely useless.
Looking closer, it seems the assignment of np is duplicated also,
so that can also go. This is orthogonal to the dst leak though.
I'll submit a follow-up cleaning that up.
Dave
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: ipv6: release dst in ping_v6_sendmsg
2016-09-02 18:39 ipv6: release dst in ping_v6_sendmsg Dave Jones
2016-09-06 17:36 ` Martin KaFai Lau
@ 2016-09-06 19:56 ` David Miller
1 sibling, 0 replies; 5+ messages in thread
From: David Miller @ 2016-09-06 19:56 UTC (permalink / raw)
To: davej; +Cc: netdev, kafai
From: Dave Jones <davej@codemonkey.org.uk>
Date: Fri, 2 Sep 2016 14:39:50 -0400
> Neither the failure or success paths of ping_v6_sendmsg release
> the dst it acquires. This leads to a flood of warnings from
> "net/core/dst.c:288 dst_release" on older kernels that
> don't have 8bf4ada2e21378816b28205427ee6b0e1ca4c5f1 backported.
>
> That patch optimistically hoped this had been fixed post 3.10, but
> it seems at least one case wasn't, where I've seen this triggered
> a lot from machines doing unprivileged icmp sockets.
>
> Cc: Martin Lau <kafai@fb.com>
> Signed-off-by: Dave Jones <davej@codemonkey.org.uk>
Applied and queued up for -stable, thanks Dave.
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2016-09-06 19:56 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-09-02 18:39 ipv6: release dst in ping_v6_sendmsg Dave Jones
2016-09-06 17:36 ` Martin KaFai Lau
2016-09-06 17:52 ` Eric Dumazet
2016-09-06 18:50 ` Dave Jones
2016-09-06 19:56 ` David Miller
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).