[PATCH net-next] ipv4: fix kfree static array pointer in ipv4_sysctl_exit

netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH net-next] ipv4: fix kfree static array pointer in ipv4_sysctl_exit_net
@ 2014-05-08  7:40 Wang Weidong
  2014-05-08 12:34 ` Eric Dumazet
  0 siblings, 1 reply; 5+ messages in thread
From: Wang Weidong @ 2014-05-08  7:40 UTC (permalink / raw)
  To: David Miller, kuznet, jmorris, yoshfuji, kaber; +Cc: netdev

In ipv4_sysctl_init_net, we don't kmemdup a sysctl_table for init_net,
so init_net->ipv4.ipv4_hdr->ctl_table_arg points to ipv4_net_table which
is a static array pointer. So when do ipv4_sysctl_exit_net, it will
free the ipv4_net_table for init_net.

So add a check net_namespace init_net before kfree the sysctl_table.

Signed-off-by: Wang Weidong <wangweidong1@huawei.com>
---
 net/ipv4/sysctl_net_ipv4.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c
index 44eba05..2825577 100644
--- a/net/ipv4/sysctl_net_ipv4.c
+++ b/net/ipv4/sysctl_net_ipv4.c
@@ -891,7 +891,8 @@ static __net_exit void ipv4_sysctl_exit_net(struct net *net)
 
 	table = net->ipv4.ipv4_hdr->ctl_table_arg;
 	unregister_net_sysctl_table(net->ipv4.ipv4_hdr);
-	kfree(table);
+	if (!net_eq(net, &init_net))
+		kfree(table);
 }
 
 static __net_initdata struct pernet_operations ipv4_sysctl_ops = {
-- 
1.7.12

^ permalink raw reply related	[flat|nested] 5+ messages in thread

* Re: [PATCH net-next] ipv4: fix kfree static array pointer in ipv4_sysctl_exit_net
  2014-05-08  7:40 [PATCH net-next] ipv4: fix kfree static array pointer in ipv4_sysctl_exit_net Wang Weidong
@ 2014-05-08 12:34 ` Eric Dumazet
  2014-05-08 12:48   ` Wang Weidong
  0 siblings, 1 reply; 5+ messages in thread
From: Eric Dumazet @ 2014-05-08 12:34 UTC (permalink / raw)
  To: Wang Weidong; +Cc: David Miller, kuznet, jmorris, yoshfuji, kaber, netdev

On Thu, 2014-05-08 at 15:40 +0800, Wang Weidong wrote:
> In ipv4_sysctl_init_net, we don't kmemdup a sysctl_table for init_net,
> so init_net->ipv4.ipv4_hdr->ctl_table_arg points to ipv4_net_table which
> is a static array pointer. So when do ipv4_sysctl_exit_net, it will
> free the ipv4_net_table for init_net.
> 
> So add a check net_namespace init_net before kfree the sysctl_table.
> 
> Signed-off-by: Wang Weidong <wangweidong1@huawei.com>
> ---
>  net/ipv4/sysctl_net_ipv4.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c
> index 44eba05..2825577 100644
> --- a/net/ipv4/sysctl_net_ipv4.c
> +++ b/net/ipv4/sysctl_net_ipv4.c
> @@ -891,7 +891,8 @@ static __net_exit void ipv4_sysctl_exit_net(struct net *net)
>  
>  	table = net->ipv4.ipv4_hdr->ctl_table_arg;
>  	unregister_net_sysctl_table(net->ipv4.ipv4_hdr);
> -	kfree(table);
> +	if (!net_eq(net, &init_net))
> +		kfree(table);
>  }
>  
>  static __net_initdata struct pernet_operations ipv4_sysctl_ops = {

Could you explain how you can trigger this case, calling
ipv4_sysctl_exit_net() with net == &init_net ?

This would be a bug, your patch would try to hide it maybe ?

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH net-next] ipv4: fix kfree static array pointer in ipv4_sysctl_exit_net
  2014-05-08 12:34 ` Eric Dumazet
@ 2014-05-08 12:48   ` Wang Weidong
  2014-05-08 18:20     ` Eric Dumazet
  0 siblings, 1 reply; 5+ messages in thread
From: Wang Weidong @ 2014-05-08 12:48 UTC (permalink / raw)
  To: Eric Dumazet; +Cc: David Miller, kuznet, jmorris, yoshfuji, kaber, netdev

On 2014/5/8 20:34, Eric Dumazet wrote:
> On Thu, 2014-05-08 at 15:40 +0800, Wang Weidong wrote:
>> In ipv4_sysctl_init_net, we don't kmemdup a sysctl_table for init_net,
>> so init_net->ipv4.ipv4_hdr->ctl_table_arg points to ipv4_net_table which
>> is a static array pointer. So when do ipv4_sysctl_exit_net, it will
>> free the ipv4_net_table for init_net.
>>
>> So add a check net_namespace init_net before kfree the sysctl_table.
>>
>> Signed-off-by: Wang Weidong <wangweidong1@huawei.com>
>> ---
>>  net/ipv4/sysctl_net_ipv4.c | 3 ++-
>>  1 file changed, 2 insertions(+), 1 deletion(-)
>>
>> diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c
>> index 44eba05..2825577 100644
>> --- a/net/ipv4/sysctl_net_ipv4.c
>> +++ b/net/ipv4/sysctl_net_ipv4.c
>> @@ -891,7 +891,8 @@ static __net_exit void ipv4_sysctl_exit_net(struct net *net)
>>  
>>  	table = net->ipv4.ipv4_hdr->ctl_table_arg;
>>  	unregister_net_sysctl_table(net->ipv4.ipv4_hdr);
>> -	kfree(table);
>> +	if (!net_eq(net, &init_net))
>> +		kfree(table);
>>  }
>>  
>>  static __net_initdata struct pernet_operations ipv4_sysctl_ops = {
> 
> Could you explain how you can trigger this case, calling
> ipv4_sysctl_exit_net() with net == &init_net ?
> 
> This would be a bug, your patch would try to hide it maybe ?
> 
No.
I just trigger the similar case on sctp when I do 'rmmod -f sctp'.
Here I add the init_net case for sctp register sysctl.

Is it better to add BUG_ON(net == &init_net) maybe?

Regards
Wang

> 
> 
> 

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH net-next] ipv4: fix kfree static array pointer in ipv4_sysctl_exit_net
  2014-05-08 12:48   ` Wang Weidong
@ 2014-05-08 18:20     ` Eric Dumazet
  2014-05-09  4:16       ` Wang Weidong
  0 siblings, 1 reply; 5+ messages in thread
From: Eric Dumazet @ 2014-05-08 18:20 UTC (permalink / raw)
  To: Wang Weidong
  Cc: David Miller, Alexey Kuznetsov, James Morris, Hideaki YOSHIFUJI,
	Patrick McHardy, netdev

> No.
> I just trigger the similar case on sctp when I do 'rmmod -f sctp'.
> Here I add the init_net case for sctp register sysctl.
>
> Is it better to add BUG_ON(net == &init_net) maybe?
>

The point is : SCTP _can_ be a module, but IPV4 is not.

You cannot rmmod ipv4

Its not because there is a bug in SCTP that you can apply the same
recipe on another layer.

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH net-next] ipv4: fix kfree static array pointer in ipv4_sysctl_exit_net
  2014-05-08 18:20     ` Eric Dumazet
@ 2014-05-09  4:16       ` Wang Weidong
  0 siblings, 0 replies; 5+ messages in thread
From: Wang Weidong @ 2014-05-09  4:16 UTC (permalink / raw)
  To: Eric Dumazet
  Cc: David Miller, Alexey Kuznetsov, James Morris, Hideaki YOSHIFUJI,
	Patrick McHardy, netdev

On 2014/5/9 2:20, Eric Dumazet wrote:
>> No.
>> I just trigger the similar case on sctp when I do 'rmmod -f sctp'.
>> Here I add the init_net case for sctp register sysctl.
>>
>> Is it better to add BUG_ON(net == &init_net) maybe?
>>
> 
> The point is : SCTP _can_ be a module, but IPV4 is not.
> 
> You cannot rmmod ipv4
> 
> Its not because there is a bug in SCTP that you can apply the same
> recipe on another layer.
> 

Well, You are right. So ignore it.

Regards
Wang

> 

^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2014-05-09  4:17 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2014-05-08  7:40 [PATCH net-next] ipv4: fix kfree static array pointer in ipv4_sysctl_exit_net Wang Weidong
2014-05-08 12:34 ` Eric Dumazet
2014-05-08 12:48   ` Wang Weidong
2014-05-08 18:20     ` Eric Dumazet
2014-05-09  4:16       ` Wang Weidong

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).