[net,v2,2/2] ipmr: fix error path when ipmr_new_table fails

Message ID	572e1baf89c76fafb45a97a724c3e838e5dd4abf.1528194845.git.sd@queasysnail.net
State	Accepted, archived
Delegated to:	David Miller
Headers	show Return-Path: <netdev-owner@vger.kernel.org> From: Sabrina Dubroca <sd@queasysnail.net> To: netdev@vger.kernel.org Cc: Eric Dumazet <edumazet@google.com>, Nikolay Aleksandrov <nikolay@cumulusnetworks.com>, Yuval Mintz <yuvalm@mellanox.com>, Ivan Vecera <ivecera@redhat.com>, Sabrina Dubroca <sd@queasysnail.net> Subject: [PATCH net v2 2/2] ipmr: fix error path when ipmr_new_table fails Date: Tue, 5 Jun 2018 15:02:00 +0200 Message-Id: <572e1baf89c76fafb45a97a724c3e838e5dd4abf.1528194845.git.sd@queasysnail.net> In-Reply-To: <604985fb55d51eef9130bff0640a62d5015f25bd.1528194845.git.sd@queasysnail.net> References: <604985fb55d51eef9130bff0640a62d5015f25bd.1528194845.git.sd@queasysnail.net> In-Reply-To: <604985fb55d51eef9130bff0640a62d5015f25bd.1528194845.git.sd@queasysnail.net> References: <604985fb55d51eef9130bff0640a62d5015f25bd.1528194845.git.sd@queasysnail.net> Sender: netdev-owner@vger.kernel.org Precedence: bulk
Series	[net,v2,1/2] ip6mr: only set ip6mr_table from setsockopt when ip6mr_new_table succeeds \| expand [net,v2,1/2] ip6mr: only set ip6mr_table from setsockopt when ip6mr_new_table succeeds [net,v2,2/2] ipmr: fix error path when ipmr_new_table fails

Message ID

572e1baf89c76fafb45a97a724c3e838e5dd4abf.1528194845.git.sd@queasysnail.net

State

Accepted, archived

Delegated to:

David Miller

Headers

From: Sabrina Dubroca <sd@queasysnail.net>
To: netdev@vger.kernel.org
Cc: Eric Dumazet <edumazet@google.com>,
	Nikolay Aleksandrov <nikolay@cumulusnetworks.com>,
	Yuval Mintz <yuvalm@mellanox.com>, Ivan Vecera <ivecera@redhat.com>,
	Sabrina Dubroca <sd@queasysnail.net>
Subject: [PATCH net v2 2/2] ipmr: fix error path when ipmr_new_table fails
Date: Tue,  5 Jun 2018 15:02:00 +0200
Message-Id: <572e1baf89c76fafb45a97a724c3e838e5dd4abf.1528194845.git.sd@queasysnail.net>
In-Reply-To: <604985fb55d51eef9130bff0640a62d5015f25bd.1528194845.git.sd@queasysnail.net>
References: <604985fb55d51eef9130bff0640a62d5015f25bd.1528194845.git.sd@queasysnail.net>
In-Reply-To: <604985fb55d51eef9130bff0640a62d5015f25bd.1528194845.git.sd@queasysnail.net>
References: <604985fb55d51eef9130bff0640a62d5015f25bd.1528194845.git.sd@queasysnail.net>
Sender: netdev-owner@vger.kernel.org
Precedence: bulk

Series

[net,v2,1/2] ip6mr: only set ip6mr_table from setsockopt when ip6mr_new_table succeeds | expand

Commit Message

Sabrina Dubroca June 5, 2018, 1:02 p.m. UTC

commit 0bbbf0e7d0e7 ("ipmr, ip6mr: Unite creation of new mr_table")
refactored ipmr_new_table, so that it now returns NULL when
mr_table_alloc fails. Unfortunately, all callers of ipmr_new_table
expect an ERR_PTR.

This can result in NULL deref, for example when ipmr_rules_exit calls
ipmr_free_table with NULL net->ipv4.mrt in the
!CONFIG_IP_MROUTE_MULTIPLE_TABLES version.

This patch makes mr_table_alloc return errors, and changes
ip6mr_new_table and its callers to return/expect error pointers as
well. It also removes the version of mr_table_alloc defined under
!CONFIG_IP_MROUTE_COMMON, since it is never used.

Fixes: 0bbbf0e7d0e7 ("ipmr, ip6mr: Unite creation of new mr_table")
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
---
v2: - fixed brainfart that shadowed mrt variable in ip6_mroute_setsockopt
    - rebased on top of ip6_mroute_setsockopt fix

 include/linux/mroute_base.h | 10 ----------
 net/ipv4/ipmr_base.c        |  8 +++++---
 net/ipv6/ip6mr.c            | 18 ++++++++++++------
 3 files changed, 17 insertions(+), 19 deletions(-)

Comments

David Miller June 5, 2018, 4:31 p.m. UTC | #1

From: Sabrina Dubroca <sd@queasysnail.net>
Date: Tue,  5 Jun 2018 15:02:00 +0200

> commit 0bbbf0e7d0e7 ("ipmr, ip6mr: Unite creation of new mr_table")
> refactored ipmr_new_table, so that it now returns NULL when
> mr_table_alloc fails. Unfortunately, all callers of ipmr_new_table
> expect an ERR_PTR.
> 
> This can result in NULL deref, for example when ipmr_rules_exit calls
> ipmr_free_table with NULL net->ipv4.mrt in the
> !CONFIG_IP_MROUTE_MULTIPLE_TABLES version.
> 
> This patch makes mr_table_alloc return errors, and changes
> ip6mr_new_table and its callers to return/expect error pointers as
> well. It also removes the version of mr_table_alloc defined under
> !CONFIG_IP_MROUTE_COMMON, since it is never used.
> 
> Fixes: 0bbbf0e7d0e7 ("ipmr, ip6mr: Unite creation of new mr_table")
> Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
> ---
> v2: - fixed brainfart that shadowed mrt variable in ip6_mroute_setsockopt
>     - rebased on top of ip6_mroute_setsockopt fix

Applied and queued up for -stable.

diff --git a/include/linux/mroute_base.h b/include/linux/mroute_base.h
index d617fe45543e..d633f737b3c6 100644
--- a/include/linux/mroute_base.h
+++ b/include/linux/mroute_base.h
@@ -307,16 +307,6 @@  static inline void vif_device_init(struct vif_device *v,
 {
 }
 
-static inline void *
-mr_table_alloc(struct net *net, u32 id,
-	       struct mr_table_ops *ops,
-	       void (*expire_func)(struct timer_list *t),
-	       void (*table_set)(struct mr_table *mrt,
-				 struct net *net))
-{
-	return NULL;
-}
-
 static inline void *mr_mfc_find_parent(struct mr_table *mrt,
 				       void *hasharg, int parent)
 {
diff --git a/net/ipv4/ipmr_base.c b/net/ipv4/ipmr_base.c
index 30221701614c..cafb0506c8c9 100644
--- a/net/ipv4/ipmr_base.c
+++ b/net/ipv4/ipmr_base.c
@@ -35,17 +35,19 @@  mr_table_alloc(struct net *net, u32 id,
 				 struct net *net))
 {
 	struct mr_table *mrt;
+	int err;
 
 	mrt = kzalloc(sizeof(*mrt), GFP_KERNEL);
 	if (!mrt)
-		return NULL;
+		return ERR_PTR(-ENOMEM);
 	mrt->id = id;
 	write_pnet(&mrt->net, net);
 
 	mrt->ops = *ops;
-	if (rhltable_init(&mrt->mfc_hash, mrt->ops.rht_params)) {
+	err = rhltable_init(&mrt->mfc_hash, mrt->ops.rht_params);
+	if (err) {
 		kfree(mrt);
-		return NULL;
+		return ERR_PTR(err);
 	}
 	INIT_LIST_HEAD(&mrt->mfc_cache_list);
 	INIT_LIST_HEAD(&mrt->mfc_unres_queue);
diff --git a/net/ipv6/ip6mr.c b/net/ipv6/ip6mr.c
index 42eca2689c3b..37936671dcb3 100644
--- a/net/ipv6/ip6mr.c
+++ b/net/ipv6/ip6mr.c
@@ -227,8 +227,8 @@  static int __net_init ip6mr_rules_init(struct net *net)
 	INIT_LIST_HEAD(&net->ipv6.mr6_tables);
 
 	mrt = ip6mr_new_table(net, RT6_TABLE_DFLT);
-	if (!mrt) {
-		err = -ENOMEM;
+	if (IS_ERR(mrt)) {
+		err = PTR_ERR(mrt);
 		goto err1;
 	}
 
@@ -301,8 +301,13 @@  static int ip6mr_fib_lookup(struct net *net, struct flowi6 *flp6,
 
 static int __net_init ip6mr_rules_init(struct net *net)
 {
-	net->ipv6.mrt6 = ip6mr_new_table(net, RT6_TABLE_DFLT);
-	return net->ipv6.mrt6 ? 0 : -ENOMEM;
+	struct mr_table *mrt;
+
+	mrt = ip6mr_new_table(net, RT6_TABLE_DFLT);
+	if (IS_ERR(mrt))
+		return PTR_ERR(mrt);
+	net->ipv6.mrt6 = mrt;
+	return 0;
 }
 
 static void __net_exit ip6mr_rules_exit(struct net *net)
@@ -1757,8 +1762,9 @@  int ip6_mroute_setsockopt(struct sock *sk, int optname, char __user *optval, uns
 
 		rtnl_lock();
 		ret = 0;
-		if (!ip6mr_new_table(net, v))
-			ret = -ENOMEM;
+		mrt = ip6mr_new_table(net, v);
+		if (IS_ERR(mrt))
+			ret = PTR_ERR(mrt);
 		else
 			raw6_sk(sk)->ip6mr_table = v;
 		rtnl_unlock();

[net,v2,2/2] ipmr: fix error path when ipmr_new_table fails

Commit Message

Comments

Patch