[net/netlink] Question about potential memleak in netlink_proto

netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [net/netlink] Question about potential memleak in netlink_proto_init()
@ 2024-03-15  0:47 Chenyuan Yang
  2024-03-15  0:53 ` Florian Westphal
                   ` (2 more replies)
  0 siblings, 3 replies; 5+ messages in thread
From: Chenyuan Yang @ 2024-03-15  0:47 UTC (permalink / raw)
  To: davem, edumazet, kuba, pabeni, horms, anjali.k.kulkarni,
	pctammela, andriy.shevchenko, dhowells, kuniyu
  Cc: netdev, zzjas98

Dear Netlink Developers,

We are curious whether the function `netlink_proto_init()` might have a memory leak.

The function is https://elixir.bootlin.com/linux/v6.8/source/net/netlink/af_netlink.c#L2908
and the relevant code is
```
static int __init netlink_proto_init(void)
{
	int i;
  ...

	for (i = 0; i < MAX_LINKS; i++) {
		if (rhashtable_init(&nl_table[i].hash,
				    &netlink_rhashtable_params) < 0) {
			while (--i > 0)
				rhashtable_destroy(&nl_table[i].hash);
			kfree(nl_table);
			goto panic;
		}
	}
  ...
}
```

In the for loop, when `rhashtable_init()` fails, the function will free the allocated memory for `nl_table[i].hash` by checking `while (--i > 0)`. However, the first element (`i=1`) of `nl_table` is not freed since `i` is decremented before the check.

Based on our understanding, a possible fix would be
```
-      while (--i > 0)
+      while (--i >= 0)
```

Please kindly correct us if we missed any key information. Looking forward to your response!

Best,
Chenyuan

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [net/netlink] Question about potential memleak in netlink_proto_init()
  2024-03-15  0:47 [net/netlink] Question about potential memleak in netlink_proto_init() Chenyuan Yang
@ 2024-03-15  0:53 ` Florian Westphal
  2024-03-15  0:54 ` Kuniyuki Iwashima
  2024-03-15 14:36 ` Andy Shevchenko
  2 siblings, 0 replies; 5+ messages in thread
From: Florian Westphal @ 2024-03-15  0:53 UTC (permalink / raw)
  To: Chenyuan Yang
  Cc: davem, edumazet, kuba, pabeni, horms, anjali.k.kulkarni,
	pctammela, andriy.shevchenko, dhowells, kuniyu, netdev, zzjas98

Chenyuan Yang <chenyuan0y@gmail.com> wrote:
> Dear Netlink Developers,
> 
> We are curious whether the function `netlink_proto_init()` might have a memory leak.

Yes, but

> The function is https://elixir.bootlin.com/linux/v6.8/source/net/netlink/af_netlink.c#L2908
> and the relevant code is
> ```
> static int __init netlink_proto_init(void)
> {
> 	int i;
>   ...
> 
> 	for (i = 0; i < MAX_LINKS; i++) {
> 		if (rhashtable_init(&nl_table[i].hash,
> 				    &netlink_rhashtable_params) < 0) {
> 			while (--i > 0)
> 				rhashtable_destroy(&nl_table[i].hash);
> 			kfree(nl_table);
> 			goto panic;

... this calls panic(), kernel will crash intentionally.

Perhaps best patch would be to remove this error handling
and panic straight away, this is pretty much dead code.

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [net/netlink] Question about potential memleak in netlink_proto_init()
  2024-03-15  0:47 [net/netlink] Question about potential memleak in netlink_proto_init() Chenyuan Yang
  2024-03-15  0:53 ` Florian Westphal
@ 2024-03-15  0:54 ` Kuniyuki Iwashima
  2024-03-15 14:36 ` Andy Shevchenko
  2 siblings, 0 replies; 5+ messages in thread
From: Kuniyuki Iwashima @ 2024-03-15  0:54 UTC (permalink / raw)
  To: chenyuan0y
  Cc: andriy.shevchenko, anjali.k.kulkarni, davem, dhowells, edumazet,
	horms, kuba, kuniyu, netdev, pabeni, pctammela, zzjas98

From: Chenyuan Yang <chenyuan0y@gmail.com>
Date: Thu, 14 Mar 2024 19:47:18 -0500
> Dear Netlink Developers,
> 
> We are curious whether the function `netlink_proto_init()` might have a memory leak.
> 
> The function is https://elixir.bootlin.com/linux/v6.8/source/net/netlink/af_netlink.c#L2908
> and the relevant code is
> ```
> static int __init netlink_proto_init(void)
> {
> 	int i;
>   ...
> 
> 	for (i = 0; i < MAX_LINKS; i++) {
> 		if (rhashtable_init(&nl_table[i].hash,
> 				    &netlink_rhashtable_params) < 0) {
> 			while (--i > 0)
> 				rhashtable_destroy(&nl_table[i].hash);
> 			kfree(nl_table);
> 			goto panic;

If rhashtable_init() fails, the kernel panic occurs, so there's
no real memleak issue.


> 		}
> 	}
>   ...
> }
> ```
> 
> In the for loop, when `rhashtable_init()` fails, the function will free
> the allocated memory for `nl_table[i].hash` by checking `while (--i > 0)`.
> However, the first element (`i=1`) of `nl_table` is not freed since `i` is
> decremented before the check.
> 
> Based on our understanding, a possible fix would be
> ```
> -      while (--i > 0)
> +      while (--i >= 0)
> ```

Change itself looks good, no need for cleanup in the first place though.

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [net/netlink] Question about potential memleak in netlink_proto_init()
  2024-03-15  0:47 [net/netlink] Question about potential memleak in netlink_proto_init() Chenyuan Yang
  2024-03-15  0:53 ` Florian Westphal
  2024-03-15  0:54 ` Kuniyuki Iwashima
@ 2024-03-15 14:36 ` Andy Shevchenko
  2024-03-16 15:11   ` Chenyuan Yang
  2 siblings, 1 reply; 5+ messages in thread
From: Andy Shevchenko @ 2024-03-15 14:36 UTC (permalink / raw)
  To: Chenyuan Yang
  Cc: davem, edumazet, kuba, pabeni, horms, anjali.k.kulkarni,
	pctammela, dhowells, kuniyu, netdev, zzjas98

On Thu, Mar 14, 2024 at 07:47:18PM -0500, Chenyuan Yang wrote:
> Dear Netlink Developers,
> 
> We are curious whether the function `netlink_proto_init()` might have a
> memory leak.
> 
> The function is
> https://elixir.bootlin.com/linux/v6.8/source/net/netlink/af_netlink.c#L2908
> and the relevant code is
> ```
> static int __init netlink_proto_init(void)
> {
> 	int i;
>   ...
> 
> 	for (i = 0; i < MAX_LINKS; i++) {
> 		if (rhashtable_init(&nl_table[i].hash,
> 				    &netlink_rhashtable_params) < 0) {
> 			while (--i > 0)
> 				rhashtable_destroy(&nl_table[i].hash);
> 			kfree(nl_table);
> 			goto panic;
> 		}
> 	}
>   ...
> }
> ```
> 
> In the for loop, when `rhashtable_init()` fails, the function will free the
> allocated memory for `nl_table[i].hash` by checking `while (--i > 0)`.
> However, the first element (`i=1`) of `nl_table` is not freed since `i` is
> decremented before the check.
> 
> Based on our understanding, a possible fix would be
> ```
> -      while (--i > 0)
> +      while (--i >= 0)
> ```

The better pattern (and widely used in kernel) is

	while (i--)

> Please kindly correct us if we missed any key information. Looking forward to
> your response!

-- 
With Best Regards,
Andy Shevchenko



^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [net/netlink] Question about potential memleak in netlink_proto_init()
  2024-03-15 14:36 ` Andy Shevchenko
@ 2024-03-16 15:11   ` Chenyuan Yang
  0 siblings, 0 replies; 5+ messages in thread
From: Chenyuan Yang @ 2024-03-16 15:11 UTC (permalink / raw)
  To: Andy Shevchenko, fw@strlen.de, kuniyu
  Cc: davem, edumazet, kuba, pabeni, horms, anjali.k.kulkarni,
	pctammela, dhowells, netdev, zzjas98

Thank you all for sharing your insights on this issue.

I'm pondering over the best solution: should we follow Kuniyuki's
suggestion to "eliminate the cleanup code," or would it be better to
adopt Florian's approach of "eschewing error handling in favor of
immediate panic"?

Best,
Chenyuan

On Fri, Mar 15, 2024 at 9:36 AM Andy Shevchenko
<andriy.shevchenko@linux.intel.com> wrote:
>
> On Thu, Mar 14, 2024 at 07:47:18PM -0500, Chenyuan Yang wrote:
> > Dear Netlink Developers,
> >
> > We are curious whether the function `netlink_proto_init()` might have a
> > memory leak.
> >
> > The function is
> > https://elixir.bootlin.com/linux/v6.8/source/net/netlink/af_netlink.c#L2908
> > and the relevant code is
> > ```
> > static int __init netlink_proto_init(void)
> > {
> >       int i;
> >   ...
> >
> >       for (i = 0; i < MAX_LINKS; i++) {
> >               if (rhashtable_init(&nl_table[i].hash,
> >                                   &netlink_rhashtable_params) < 0) {
> >                       while (--i > 0)
> >                               rhashtable_destroy(&nl_table[i].hash);
> >                       kfree(nl_table);
> >                       goto panic;
> >               }
> >       }
> >   ...
> > }
> > ```
> >
> > In the for loop, when `rhashtable_init()` fails, the function will free the
> > allocated memory for `nl_table[i].hash` by checking `while (--i > 0)`.
> > However, the first element (`i=1`) of `nl_table` is not freed since `i` is
> > decremented before the check.
> >
> > Based on our understanding, a possible fix would be
> > ```
> > -      while (--i > 0)
> > +      while (--i >= 0)
> > ```
>
> The better pattern (and widely used in kernel) is
>
>         while (i--)
>
> > Please kindly correct us if we missed any key information. Looking forward to
> > your response!
>
> --
> With Best Regards,
> Andy Shevchenko
>
>

^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2024-03-16 15:11 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-03-15  0:47 [net/netlink] Question about potential memleak in netlink_proto_init() Chenyuan Yang
2024-03-15  0:53 ` Florian Westphal
2024-03-15  0:54 ` Kuniyuki Iwashima
2024-03-15 14:36 ` Andy Shevchenko
2024-03-16 15:11   ` Chenyuan Yang

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).