[net] netlink: Fix off-by-one error in netlink_proto_init()

Message ID	20241028080515.3540779-1-ruanjinjie@huawei.com (mailing list archive)
State	Changes Requested
Delegated to:	Netdev Maintainers
Headers	show Received: from szxga02-in.huawei.com (szxga02-in.huawei.com [45.249.212.188]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 5C4791E517; Mon, 28 Oct 2024 08:05:51 +0000 (UTC) From: Jinjie Ruan <ruanjinjie@huawei.com> To: <davem@davemloft.net>, <edumazet@google.com>, <kuba@kernel.org>, <pabeni@redhat.com>, <horms@kernel.org>, <kuniyu@amazon.com>, <a.kovaleva@yadro.com>, <ruanjinjie@huawei.com>, <lirongqing@baidu.com>, <netdev@vger.kernel.org>, <linux-kernel@vger.kernel.org> Subject: [PATCH net] netlink: Fix off-by-one error in netlink_proto_init() Date: Mon, 28 Oct 2024 16:05:15 +0800 Message-ID: <20241028080515.3540779-1-ruanjinjie@huawei.com> Precedence: bulk MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Content-Type: text/plain
Series	[net] netlink: Fix off-by-one error in netlink_proto_init() \| expand [net] netlink: Fix off-by-one error in netlink_proto_init()

Message ID

20241028080515.3540779-1-ruanjinjie@huawei.com (mailing list archive)

State

Changes Requested

Delegated to:

Netdev Maintainers

Headers

From: Jinjie Ruan <ruanjinjie@huawei.com>
To: <davem@davemloft.net>, <edumazet@google.com>, <kuba@kernel.org>,
	<pabeni@redhat.com>, <horms@kernel.org>, <kuniyu@amazon.com>,
	<a.kovaleva@yadro.com>, <ruanjinjie@huawei.com>, <lirongqing@baidu.com>,
	<netdev@vger.kernel.org>, <linux-kernel@vger.kernel.org>
Subject: [PATCH net] netlink: Fix off-by-one error in netlink_proto_init()
Date: Mon, 28 Oct 2024 16:05:15 +0800
Message-ID: <20241028080515.3540779-1-ruanjinjie@huawei.com>
Precedence: bulk
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/plain

Series

[net] netlink: Fix off-by-one error in netlink_proto_init() | expand

Context	Check	Description
netdev/series_format	success	Single patches do not need cover letters
netdev/tree_selection	success	Clearly marked for net
netdev/ynl	success	Generated files up to date; no warnings/errors; no diff in generated;
netdev/fixes_present	success	Fixes tag present in non-next series
netdev/header_inline	success	No static functions without inline keyword in header files
netdev/build_32bit	success	Errors and warnings before: 5 this patch: 5
netdev/build_tools	success	No tools touched, skip
netdev/cc_maintainers	success	CCed 5 of 5 maintainers
netdev/build_clang	success	Errors and warnings before: 3 this patch: 3
netdev/verify_signedoff	success	Signed-off-by tag matches author and committer
netdev/deprecated_api	success	None detected
netdev/check_selftest	success	No net selftest shell script
netdev/verify_fixes	success	Fixes tag looks correct
netdev/build_allmodconfig_warn	success	Errors and warnings before: 7 this patch: 7
netdev/checkpatch	success	total: 0 errors, 0 warnings, 0 checks, 8 lines checked
netdev/build_clang_rust	success	No Rust files in patch. Skipping build
netdev/kdoc	success	Errors and warnings before: 7 this patch: 7
netdev/source_inline	success	Was 0 now: 0
netdev/contest	success	net-next-2024-10-28--12-00 (tests: 777)

Context

Check

Description

netdev/series_format

success

Single patches do not need cover letters

netdev/tree_selection

success

Clearly marked for net

netdev/ynl

success

Generated files up to date; no warnings/errors; no diff in generated;

netdev/fixes_present

success

Fixes tag present in non-next series

netdev/header_inline

success

No static functions without inline keyword in header files

netdev/build_32bit

success

Errors and warnings before: 5 this patch: 5

netdev/build_tools

success

No tools touched, skip

netdev/cc_maintainers

success

CCed 5 of 5 maintainers

netdev/build_clang

success

Errors and warnings before: 3 this patch: 3

netdev/verify_signedoff

success

Signed-off-by tag matches author and committer

netdev/deprecated_api

success

None detected

netdev/check_selftest

success

No net selftest shell script

netdev/verify_fixes

success

Fixes tag looks correct

netdev/build_allmodconfig_warn

success

Errors and warnings before: 7 this patch: 7

netdev/checkpatch

success

total: 0 errors, 0 warnings, 0 checks, 8 lines checked

netdev/build_clang_rust

success

No Rust files in patch. Skipping build

netdev/kdoc

success

Errors and warnings before: 7 this patch: 7

netdev/source_inline

success

Was 0 now: 0

netdev/contest

success

net-next-2024-10-28--12-00 (tests: 777)

Commit Message

Jinjie Ruan Oct. 28, 2024, 8:05 a.m. UTC

In the error path of netlink_proto_init(), frees the already allocated
bucket table for new hash tables in a loop, but the loop condition
terminates when the index reaches zero, which fails to free the first
bucket table at index zero.

Check for >= 0 so that nl_table[0].hash is freed as well.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
---
 net/netlink/af_netlink.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Eric Dumazet Oct. 28, 2024, 3:20 p.m. UTC | #1

On Mon, Oct 28, 2024 at 9:05 AM Jinjie Ruan <ruanjinjie@huawei.com> wrote:
>
> In the error path of netlink_proto_init(), frees the already allocated
> bucket table for new hash tables in a loop, but the loop condition
> terminates when the index reaches zero, which fails to free the first
> bucket table at index zero.
>
> Check for >= 0 so that nl_table[0].hash is freed as well.
>
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
> ---
>  net/netlink/af_netlink.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
> index 0a9287fadb47..9601b85dda95 100644
> --- a/net/netlink/af_netlink.c
> +++ b/net/netlink/af_netlink.c
> @@ -2936,7 +2936,7 @@ static int __init netlink_proto_init(void)
>         for (i = 0; i < MAX_LINKS; i++) {
>                 if (rhashtable_init(&nl_table[i].hash,
>                                     &netlink_rhashtable_params) < 0) {
> -                       while (--i > 0)
> +                       while (--i >= 0)
>                                 rhashtable_destroy(&nl_table[i].hash);
>                         kfree(nl_table);
>                         goto panic;
> --

Note that the host is going to panic, many other pieces of memory are
left behind.

A Fixes: tag seems unnecessary.

Kuniyuki Iwashima Oct. 28, 2024, 6:24 p.m. UTC | #2

From: Jinjie Ruan <ruanjinjie@huawei.com>
Date: Mon, 28 Oct 2024 16:05:15 +0800
> In the error path of netlink_proto_init(), frees the already allocated
> bucket table for new hash tables in a loop, but the loop condition
> terminates when the index reaches zero, which fails to free the first
> bucket table at index zero.
> 
> Check for >= 0 so that nl_table[0].hash is freed as well.
> 
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
> ---
>  net/netlink/af_netlink.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
> index 0a9287fadb47..9601b85dda95 100644
> --- a/net/netlink/af_netlink.c
> +++ b/net/netlink/af_netlink.c
> @@ -2936,7 +2936,7 @@ static int __init netlink_proto_init(void)
>  	for (i = 0; i < MAX_LINKS; i++) {
>  		if (rhashtable_init(&nl_table[i].hash,
>  				    &netlink_rhashtable_params) < 0) {
> -			while (--i > 0)
> +			while (--i >= 0)
>  				rhashtable_destroy(&nl_table[i].hash);
>  			kfree(nl_table);
>  			goto panic;

I remember the same question was posted in the past.
https://lore.kernel.org/netdev/ZfOalln%2FmyRNOkH6@cy-server/

As Eric alreday pointed out (and as mentioned in the thread above too),
it's going to panic, and we need not clean up resources here, so let's
remove rhashtable_destroy() and kfree() instead of adjusting the loop
condition.

Jinjie Ruan Oct. 29, 2024, 1:30 a.m. UTC | #3

On 2024/10/29 2:24, Kuniyuki Iwashima wrote:
> From: Jinjie Ruan <ruanjinjie@huawei.com>
> Date: Mon, 28 Oct 2024 16:05:15 +0800
>> In the error path of netlink_proto_init(), frees the already allocated
>> bucket table for new hash tables in a loop, but the loop condition
>> terminates when the index reaches zero, which fails to free the first
>> bucket table at index zero.
>>
>> Check for >= 0 so that nl_table[0].hash is freed as well.
>>
>> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
>> Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
>> ---
>>  net/netlink/af_netlink.c | 2 +-
>>  1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
>> index 0a9287fadb47..9601b85dda95 100644
>> --- a/net/netlink/af_netlink.c
>> +++ b/net/netlink/af_netlink.c
>> @@ -2936,7 +2936,7 @@ static int __init netlink_proto_init(void)
>>  	for (i = 0; i < MAX_LINKS; i++) {
>>  		if (rhashtable_init(&nl_table[i].hash,
>>  				    &netlink_rhashtable_params) < 0) {
>> -			while (--i > 0)
>> +			while (--i >= 0)
>>  				rhashtable_destroy(&nl_table[i].hash);
>>  			kfree(nl_table);
>>  			goto panic;
> 
> I remember the same question was posted in the past.
> https://lore.kernel.org/netdev/ZfOalln%2FmyRNOkH6@cy-server/
> 
> As Eric alreday pointed out (and as mentioned in the thread above too),
> it's going to panic, and we need not clean up resources here, so let's
> remove rhashtable_destroy() and kfree() instead of adjusting the loop
> condition.

Thank you very much, remove it is fine.

>

diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index 0a9287fadb47..9601b85dda95 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -2936,7 +2936,7 @@  static int __init netlink_proto_init(void)
 	for (i = 0; i < MAX_LINKS; i++) {
 		if (rhashtable_init(&nl_table[i].hash,
 				    &netlink_rhashtable_params) < 0) {
-			while (--i > 0)
+			while (--i >= 0)
 				rhashtable_destroy(&nl_table[i].hash);
 			kfree(nl_table);
 			goto panic;

[net] netlink: Fix off-by-one error in netlink_proto_init()

Checks

Commit Message

Comments

Patch