From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-16.6 required=3.0 tests=DKIMWL_WL_MED,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_PATCH, MAILING_LIST_MULTI,SIGNED_OFF_BY,SPF_PASS,USER_AGENT_GIT,USER_IN_DEF_DKIM_WL autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 822F3C43381 for ; Thu, 14 Feb 2019 06:09:54 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 4F55721934 for ; Thu, 14 Feb 2019 06:09:54 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="nHippDNI" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2405637AbfBNGJx (ORCPT ); Thu, 14 Feb 2019 01:09:53 -0500 Received: from mail-pl1-f201.google.com ([209.85.214.201]:36339 "EHLO mail-pl1-f201.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726407AbfBNGJw (ORCPT ); Thu, 14 Feb 2019 01:09:52 -0500 Received: by mail-pl1-f201.google.com with SMTP id e68so3561744plb.3 for ; Wed, 13 Feb 2019 22:09:52 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:message-id:mime-version:subject:from:to:cc; bh=QrLufo0COx5oLzSIXwYOIupIMPHsY5K2gz1SwRE9L7E=; b=nHippDNIrysSbixEloq92sH6NL1auxgGbqbXWRxo+/t/mx7nqJqX32enmSKY3ecpLR J5pc92qdr5fouAiRDXj0u6vyGzMbOJpNFisUcQfgYU/4wyGNTkoxYbftQhNteLzslvVx MNmzaufkjgzFJuv5sQt0KX86elVyBvl6Jv3sqRE2UNaHeKOrN2C74SKJIxMKUnqg6YkU xs06IBwWg7UrqbgS9yO+JAFXuD6zfvLzfwuUVBlREufw9+yh1XOE0O5HdW+pXOLtfDoU w9qrLWig/Jg9DT1AkP7/YqV+j0ZSj2hPD5vUiw3YvGuirMpi/1WTWq+IBJyNlAlvUSpz Kz4Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:message-id:mime-version:subject:from:to:cc; bh=QrLufo0COx5oLzSIXwYOIupIMPHsY5K2gz1SwRE9L7E=; b=PFZhaa2RRp4UulfoXwKvfIEa/drLxozWZcB5zzJVxxWNx1KT7OvDfl4FD7hcVyKcnr 1NviFzCDD+4fNpqxuyODsMGl7Z3jofycbuedpoZYeSvMQlAfrW769t5Qkw+LqTtu+OGT XFI2Ardi3yk35eB2THf5YWhpPzmP6IoijKvNB3SI53enkMTURLcctuVqhPEJ1f59jMrf Gc0Oon40Rhai4h6qtwVkYQ84TVbp0RMmiJJ0uWp0/CsI2athAKrGULJhDC0xPb9fqq3X PKg4DVoxDqsAgSPNpV+kueemRYy0otgWwaHjaG4ABzBn0fY8OiQB3V+qL6uS9qEcO7wq LVeA== X-Gm-Message-State: AHQUAubObuF2o9Uzjjqth1oiTXaxmQ+GIL3eHaDJWckFTSyK3qxmKdH8 1OA/aqVU2GfnqrJW4JC4LZgzClCT X-Google-Smtp-Source: AHgI3IZfjlke/Y0fTvwWuRJI6ko7v8KOVfCiBsb6pksSdIyBjGBsX+QmMkmvgSiTtfShLx94q589sxlG X-Received: by 2002:a62:2643:: with SMTP id m64mr667310pfm.6.1550124592006; Wed, 13 Feb 2019 22:09:52 -0800 (PST) Date: Wed, 13 Feb 2019 22:09:39 -0800 Message-Id: <20190214060939.101851-1-posk@google.com> Mime-Version: 1.0 X-Mailer: git-send-email 2.21.0.rc0.258.g878e2cd30e-goog Subject: [PATCH bpf-next] bpf: fix memory leak in bpf_lwt_xmit_reroute From: Peter Oskolkov To: Alexei Starovoitov , Daniel Borkmann , netdev@vger.kernel.org Cc: Peter Oskolkov , David Ahern , Willem de Bruijn , Peter Oskolkov Content-Type: text/plain; charset="UTF-8" Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org On error the skb should be freed. Tested with diff/steps provided by David Ahern. Reported-by: David Ahern Fixes: 3bd0b15281af ("bpf: add handling of BPF_LWT_REROUTE to lwt_bpf.c") Signed-off-by: Peter Oskolkov --- net/core/lwt_bpf.c | 24 ++++++++++++++++-------- 1 file changed, 16 insertions(+), 8 deletions(-) diff --git a/net/core/lwt_bpf.c b/net/core/lwt_bpf.c index 32251f3fcda0..f3273cbb6b22 100644 --- a/net/core/lwt_bpf.c +++ b/net/core/lwt_bpf.c @@ -179,18 +179,19 @@ static int bpf_lwt_xmit_reroute(struct sk_buff *skb) struct net_device *l3mdev = l3mdev_master_dev_rcu(skb_dst(skb)->dev); int oif = l3mdev ? l3mdev->ifindex : 0; struct dst_entry *dst = NULL; + int err = -EAFNOSUPPORT; struct sock *sk; struct net *net; bool ipv4; - int err; if (skb->protocol == htons(ETH_P_IP)) ipv4 = true; else if (skb->protocol == htons(ETH_P_IPV6)) ipv4 = false; else - return -EAFNOSUPPORT; + goto err; + err = -EINVAL; sk = sk_to_full_sk(skb->sk); if (sk) { if (sk->sk_bound_dev_if) @@ -216,7 +217,7 @@ static int bpf_lwt_xmit_reroute(struct sk_buff *skb) rt = ip_route_output_key(net, &fl4); if (IS_ERR(rt)) - return -EINVAL; + goto err; dst = &rt->dst; } else { struct ipv6hdr *iph6 = ipv6_hdr(skb); @@ -231,12 +232,15 @@ static int bpf_lwt_xmit_reroute(struct sk_buff *skb) fl6.saddr = iph6->saddr; err = ipv6_stub->ipv6_dst_lookup(net, skb->sk, &dst, &fl6); - if (err || IS_ERR(dst)) - return -EINVAL; + if (err || IS_ERR(dst)) { + err = -EINVAL; + goto err; + } } if (unlikely(dst->error)) { dst_release(dst); - return -EINVAL; + err = -EINVAL; + goto err; } /* Although skb header was reserved in bpf_lwt_push_ip_encap(), it @@ -246,17 +250,21 @@ static int bpf_lwt_xmit_reroute(struct sk_buff *skb) */ err = skb_cow_head(skb, LL_RESERVED_SPACE(dst->dev)); if (unlikely(err)) - return err; + goto err; skb_dst_drop(skb); skb_dst_set(skb, dst); err = dst_output(dev_net(skb_dst(skb)->dev), skb->sk, skb); if (unlikely(err)) - return err; + goto err; /* ip[6]_finish_output2 understand LWTUNNEL_XMIT_DONE */ return LWTUNNEL_XMIT_DONE; + +err: + kfree_skb(skb); + return err; } static int bpf_xmit(struct sk_buff *skb) -- 2.21.0.rc0.258.g878e2cd30e-goog