Message ID | 20141014.170311.2104285680542945400.davem@davemloft.net |
---|---|
State | Accepted, archived |
Delegated to: | David Miller |
On Tue, Oct 14, 2014 at 2:03 PM, David Miller <davem@davemloft.net> wrote:
> From: Cong Wang <xiyou.wangcong@gmail.com>
> Date: Tue, 14 Oct 2014 12:35:08 -0700
>
>> From: Cong Wang <cwang@twopensource.com>
>>
>> It is okay to free a NULL pointer but not okay to mischarge the socket optmem
>> accounting. Compile test only.
>>
>> Reported-by: rucsoftsec@gmail.com
>> Cc: Chien Yen <chien.yen@oracle.com>
>> Cc: Stephen Hemminger <stephen@networkplumber.org>
>> Signed-off-by: Cong Wang <cwang@twopensource.com>
>> Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
>
> Applied, and I'm going to add the following bug check to the tree too.
>
> ====================
> [PATCH] net: Trap attempts to call sock_kfree_s() with a NULL pointer.
>
> Unlike normal kfree() it is never right to call sock_kfree_s() with
> a NULL pointer, because sock_kfree_s() also has the side effect of
> discharging the memory from the sockets quota.
>
> Signed-off-by: David S. Miller <davem@davemloft.net>

Acked-by: Cong Wang <cwang@twopensource.com>

Sounds reasonable. It could catch more bugs similar to this one.

Thanks!
==================== [PATCH] net: Trap attempts to call sock_kfree_s() with a NULL pointer. Unlike normal kfree() it is never right to call sock_kfree_s() with a NULL pointer, because sock_kfree_s() also has the side effect of discharging the memory from the sockets quota. Signed-off-by: David S. Miller <davem@davemloft.net> --- net/core/sock.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/net/core/sock.c b/net/core/sock.c index b4f3ea2..15e0c67 100644 --- a/net/core/sock.c +++ b/net/core/sock.c @@ -1718,6 +1718,8 @@ EXPORT_SYMBOL(sock_kmalloc); */ void sock_kfree_s(struct sock *sk, void *mem, int size) { + if (WARN_ON_ONCE(!mem)) + return; kfree(mem); atomic_sub(size, &sk->sk_omem_alloc); }
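Review bot: the new guard at the top of sock_kfree_s(), "if (WARN_ON_ONCE(!mem)) return;", makes a non-NULL mem part of the function's contract, but the comment block that closes just above the signature is not touched by this hunk. Consider stating there that mem must not be NULL and that size is not subtracted from sk->sk_omem_alloc when it is, so callers on error paths know they must skip the call rather than rely on kfree()-style NULL tolerance. Also note that with WARN_ON_ONCE only the first offending call is reported; any other caller passing NULL afterwards takes the early return silently, so the single backtrace should not be read as proof that only one call site is affected.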