diff mbox series

[net] ipv6: sr: fix missing sk_buff release in seg6_input_core

Message ID 20240517164541.17733-1-andrea.mayer@uniroma2.it (mailing list archive)
State Accepted
Commit 5447f9708d9e4c17a647b16a9cb29e9e02820bd9
Delegated to: Netdev Maintainers
Headers show
Series [net] ipv6: sr: fix missing sk_buff release in seg6_input_core | expand

Checks

Context Check Description
netdev/series_format success Single patches do not need cover letters
netdev/tree_selection success Clearly marked for net
netdev/ynl success Generated files up to date; no warnings/errors; no diff in generated;
netdev/fixes_present success Fixes tag present in non-next series
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 922 this patch: 922
netdev/build_tools success No tools touched, skip
netdev/cc_maintainers success CCed 6 of 6 maintainers
netdev/build_clang success Errors and warnings before: 925 this patch: 925
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/deprecated_api success None detected
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes success Fixes tag looks correct
netdev/build_allmodconfig_warn success Errors and warnings before: 927 this patch: 927
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 29 lines checked
netdev/build_clang_rust success No Rust files in patch. Skipping build
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0
netdev/contest success net-next-2024-05-19--03-00 (tests: 1039)

Commit Message

Andrea Mayer May 17, 2024, 4:45 p.m. UTC 
The seg6_input() function is responsible for adding the SRH into a
packet, delegating the operation to the seg6_input_core(). This function
uses the skb_cow_head() to ensure that there is sufficient headroom in
the sk_buff for accommodating the link-layer header.
In the event that the skb_cow_header() function fails, the
seg6_input_core() catches the error but it does not release the sk_buff,
which will result in a memory leak.

This issue was introduced in commit af3b5158b89d ("ipv6: sr: fix BUG due
to headroom too small after SRH push") and persists even after commit
7a3f5b0de364 ("netfilter: add netfilter hooks to SRv6 data plane"),
where the entire seg6_input() code was refactored to deal with netfilter
hooks.

The proposed patch addresses the identified memory leak by requiring the
seg6_input_core() function to release the sk_buff in the event that
skb_cow_head() fails.

Fixes: af3b5158b89d ("ipv6: sr: fix BUG due to headroom too small after SRH push")
Signed-off-by: Andrea Mayer <andrea.mayer@uniroma2.it>
---
 net/ipv6/seg6_iptunnel.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

Comments

Simon Horman May 17, 2024, 7:23 p.m. UTC | #1 
On Fri, May 17, 2024 at 06:45:41PM +0200, Andrea Mayer wrote:
> The seg6_input() function is responsible for adding the SRH into a
> packet, delegating the operation to the seg6_input_core(). This function
> uses the skb_cow_head() to ensure that there is sufficient headroom in
> the sk_buff for accommodating the link-layer header.
> In the event that the skb_cow_header() function fails, the
> seg6_input_core() catches the error but it does not release the sk_buff,
> which will result in a memory leak.
> 
> This issue was introduced in commit af3b5158b89d ("ipv6: sr: fix BUG due
> to headroom too small after SRH push") and persists even after commit
> 7a3f5b0de364 ("netfilter: add netfilter hooks to SRv6 data plane"),
> where the entire seg6_input() code was refactored to deal with netfilter
> hooks.
> 
> The proposed patch addresses the identified memory leak by requiring the
> seg6_input_core() function to release the sk_buff in the event that
> skb_cow_head() fails.
> 
> Fixes: af3b5158b89d ("ipv6: sr: fix BUG due to headroom too small after SRH push")
> Signed-off-by: Andrea Mayer <andrea.mayer@uniroma2.it>

Reviewed-by: Simon Horman <horms@kernel.org>
David Ahern May 17, 2024, 10:04 p.m. UTC | #2 
On 5/17/24 10:45 AM, Andrea Mayer wrote:
> The seg6_input() function is responsible for adding the SRH into a
> packet, delegating the operation to the seg6_input_core(). This function
> uses the skb_cow_head() to ensure that there is sufficient headroom in
> the sk_buff for accommodating the link-layer header.
> In the event that the skb_cow_header() function fails, the
> seg6_input_core() catches the error but it does not release the sk_buff,
> which will result in a memory leak.
> 
> This issue was introduced in commit af3b5158b89d ("ipv6: sr: fix BUG due
> to headroom too small after SRH push") and persists even after commit
> 7a3f5b0de364 ("netfilter: add netfilter hooks to SRv6 data plane"),
> where the entire seg6_input() code was refactored to deal with netfilter
> hooks.
> 
> The proposed patch addresses the identified memory leak by requiring the
> seg6_input_core() function to release the sk_buff in the event that
> skb_cow_head() fails.
> 
> Fixes: af3b5158b89d ("ipv6: sr: fix BUG due to headroom too small after SRH push")
> Signed-off-by: Andrea Mayer <andrea.mayer@uniroma2.it>
> ---
>  net/ipv6/seg6_iptunnel.c | 11 ++++++-----
>  1 file changed, 6 insertions(+), 5 deletions(-)
> 

Reviewed-by: David Ahern <dsahern@kernel.org>
Markus Elfring May 18, 2024, 3:47 p.m. UTC | #3 
* The message subject would have been a bit nicer with the key word “PATCH”.

* How do you think about to append parentheses to the function name?


…
> The proposed patch addresses the identified memory leak by …

Will a corresponding imperative wording be more desirable for
an improved change description?
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/process/submitting-patches.rst?h=v6.9#n94

Regards,
Markus
patchwork-bot+netdevbpf@kernel.org May 20, 2024, 10:40 a.m. UTC | #4 
Hello:

This patch was applied to netdev/net.git (main)
by David S. Miller <davem@davemloft.net>:

On Fri, 17 May 2024 18:45:41 +0200 you wrote:
> The seg6_input() function is responsible for adding the SRH into a
> packet, delegating the operation to the seg6_input_core(). This function
> uses the skb_cow_head() to ensure that there is sufficient headroom in
> the sk_buff for accommodating the link-layer header.
> In the event that the skb_cow_header() function fails, the
> seg6_input_core() catches the error but it does not release the sk_buff,
> which will result in a memory leak.
> 
> [...]

Here is the summary with links:
  - [net] ipv6: sr: fix missing sk_buff release in seg6_input_core
    https://git.kernel.org/netdev/net/c/5447f9708d9e

You are awesome, thank you!
diff mbox series

Patch

diff --git a/net/ipv6/seg6_iptunnel.c b/net/ipv6/seg6_iptunnel.c
index 03b877ff4558..a75df2ec8db0 100644
--- a/net/ipv6/seg6_iptunnel.c
+++ b/net/ipv6/seg6_iptunnel.c
@@ -459,10 +459,8 @@  static int seg6_input_core(struct net *net, struct sock *sk,
 	int err;
 
 	err = seg6_do_srh(skb);
-	if (unlikely(err)) {
-		kfree_skb(skb);
-		return err;
-	}
+	if (unlikely(err))
+		goto drop;
 
 	slwt = seg6_lwt_lwtunnel(orig_dst->lwtstate);
 
@@ -486,7 +484,7 @@  static int seg6_input_core(struct net *net, struct sock *sk,
 
 	err = skb_cow_head(skb, LL_RESERVED_SPACE(dst->dev));
 	if (unlikely(err))
-		return err;
+		goto drop;
 
 	if (static_branch_unlikely(&nf_hooks_lwtunnel_enabled))
 		return NF_HOOK(NFPROTO_IPV6, NF_INET_LOCAL_OUT,
@@ -494,6 +492,9 @@  static int seg6_input_core(struct net *net, struct sock *sk,
 			       skb_dst(skb)->dev, seg6_input_finish);
 
 	return seg6_input_finish(dev_net(skb->dev), NULL, skb);
+drop:
+	kfree_skb(skb);
+	return err;
 }
 
 static int seg6_input_nf(struct sk_buff *skb)