[net,v2] ipvs: fix possible memory leak in ip_vs_control_net_init

Message ID 20201120082610.60917-1-wanghai38@huawei.com
State Changes Requested
Delegated to: Pablo Neira

Commit Message

Wang Hai Nov. 20, 2020, 8:26 a.m. UTC
kmemleak reports a memory leak as follows:

BUG: memory leak
unreferenced object 0xffff8880759ea000 (size 256):
comm "syz-executor.3", pid 6484, jiffies 4297476946 (age 48.546s)
hex dump (first 32 bytes):
00 00 00 00 01 00 00 00 08 a0 9e 75 80 88 ff ff ...........u....
08 a0 9e 75 80 88 ff ff 00 00 00 00 ad 4e ad de ...u.........N..
backtrace:
[<00000000c0bf2deb>] kmem_cache_zalloc include/linux/slab.h:656 [inline]
[<00000000c0bf2deb>] __proc_create+0x23d/0x7d0 fs/proc/generic.c:421
[<000000009d718d02>] proc_create_reg+0x8e/0x140 fs/proc/generic.c:535
[<0000000097bbfc4f>] proc_create_net_data+0x8c/0x1b0 fs/proc/proc_net.c:126
[<00000000652480fc>] ip_vs_control_net_init+0x308/0x13a0 net/netfilter/ipvs/ip_vs_ctl.c:4169
[<000000004c927ebe>] __ip_vs_init+0x211/0x400 net/netfilter/ipvs/ip_vs_core.c:2429
[<00000000aa6b72d9>] ops_init+0xa8/0x3c0 net/core/net_namespace.c:151
[<00000000153fd114>] setup_net+0x2de/0x7e0 net/core/net_namespace.c:341
[<00000000be4e4f07>] copy_net_ns+0x27d/0x530 net/core/net_namespace.c:482
[<00000000f1c23ec9>] create_new_namespaces+0x382/0xa30 kernel/nsproxy.c:110
[<00000000098a5757>] copy_namespaces+0x2e6/0x3b0 kernel/nsproxy.c:179
[<0000000026ce39e9>] copy_process+0x220a/0x5f00 kernel/fork.c:2072
[<00000000b71f4efe>] _do_fork+0xc7/0xda0 kernel/fork.c:2428
[<000000002974ee96>] __do_sys_clone3+0x18a/0x280 kernel/fork.c:2703
[<0000000062ac0a4d>] do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46
[<0000000093f1ce2c>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

In the error path of ip_vs_control_net_init(), remove_proc_entry() needs
to be called to remove the added proc entry, otherwise a memory leak
will occur.

Also, add some '#ifdef CONFIG_PROC_FS' because proc_create_net* return NULL
when PROC is not used.

Fixes: b17fc9963f83 ("IPVS: netns, ip_vs_stats and its procfs")
Fixes: 61b1ab4583e2 ("IPVS: netns, add basic init per netns.")
Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Wang Hai <wanghai38@huawei.com>
---
v1->v2: add some '#ifdef CONFIG_PROC_FS' and check the return value of proc_create_net*
 net/netfilter/ipvs/ip_vs_ctl.c | 27 +++++++++++++++++++++------
 1 file changed, 21 insertions(+), 6 deletions(-)

Comments

Julian Anastasov Nov. 22, 2020, 11:20 a.m. UTC | #1
Hello,

On Fri, 20 Nov 2020, Wang Hai wrote:

> kmemleak reports a memory leak as follows:
> 
> BUG: memory leak
> unreferenced object 0xffff8880759ea000 (size 256):
> comm "syz-executor.3", pid 6484, jiffies 4297476946 (age 48.546s)
> hex dump (first 32 bytes):
> 00 00 00 00 01 00 00 00 08 a0 9e 75 80 88 ff ff ...........u....
> 08 a0 9e 75 80 88 ff ff 00 00 00 00 ad 4e ad de ...u.........N..
> backtrace:
> [<00000000c0bf2deb>] kmem_cache_zalloc include/linux/slab.h:656 [inline]
> [<00000000c0bf2deb>] __proc_create+0x23d/0x7d0 fs/proc/generic.c:421
> [<000000009d718d02>] proc_create_reg+0x8e/0x140 fs/proc/generic.c:535
> [<0000000097bbfc4f>] proc_create_net_data+0x8c/0x1b0 fs/proc/proc_net.c:126
> [<00000000652480fc>] ip_vs_control_net_init+0x308/0x13a0 net/netfilter/ipvs/ip_vs_ctl.c:4169
> [<000000004c927ebe>] __ip_vs_init+0x211/0x400 net/netfilter/ipvs/ip_vs_core.c:2429
> [<00000000aa6b72d9>] ops_init+0xa8/0x3c0 net/core/net_namespace.c:151
> [<00000000153fd114>] setup_net+0x2de/0x7e0 net/core/net_namespace.c:341
> [<00000000be4e4f07>] copy_net_ns+0x27d/0x530 net/core/net_namespace.c:482
> [<00000000f1c23ec9>] create_new_namespaces+0x382/0xa30 kernel/nsproxy.c:110
> [<00000000098a5757>] copy_namespaces+0x2e6/0x3b0 kernel/nsproxy.c:179
> [<0000000026ce39e9>] copy_process+0x220a/0x5f00 kernel/fork.c:2072
> [<00000000b71f4efe>] _do_fork+0xc7/0xda0 kernel/fork.c:2428
> [<000000002974ee96>] __do_sys_clone3+0x18a/0x280 kernel/fork.c:2703
> [<0000000062ac0a4d>] do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46
> [<0000000093f1ce2c>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
> 
> In the error path of ip_vs_control_net_init(), remove_proc_entry() needs
> to be called to remove the added proc entry, otherwise a memory leak
> will occur.
> 
> Also, add some '#ifdef CONFIG_PROC_FS' because proc_create_net* return NULL
> when PROC is not used.
> 
> Fixes: b17fc9963f83 ("IPVS: netns, ip_vs_stats and its procfs")
> Fixes: 61b1ab4583e2 ("IPVS: netns, add basic init per netns.")
> Reported-by: Hulk Robot <hulkci@huawei.com>
> Signed-off-by: Wang Hai <wanghai38@huawei.com>
> ---
> v1->v2: add some '#ifdef CONFIG_PROC_FS' and check the return value of proc_create_net*
>  net/netfilter/ipvs/ip_vs_ctl.c | 27 +++++++++++++++++++++------
>  1 file changed, 21 insertions(+), 6 deletions(-)
> 
> diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
> index e279ded4e306..c00394ba20db 100644
> --- a/net/netfilter/ipvs/ip_vs_ctl.c
> +++ b/net/netfilter/ipvs/ip_vs_ctl.c
> @@ -4167,12 +4167,17 @@ int __net_init ip_vs_control_net_init(struct netns_ipvs *ipvs)
>  
>  	spin_lock_init(&ipvs->tot_stats.lock);
>  
> -	proc_create_net("ip_vs", 0, ipvs->net->proc_net, &ip_vs_info_seq_ops,
> -			sizeof(struct ip_vs_iter));
> -	proc_create_net_single("ip_vs_stats", 0, ipvs->net->proc_net,
> -			ip_vs_stats_show, NULL);
> -	proc_create_net_single("ip_vs_stats_percpu", 0, ipvs->net->proc_net,
> -			ip_vs_stats_percpu_show, NULL);
> +#ifdef CONFIG_PROC_FS
> +	if (!proc_create_net("ip_vs", 0, ipvs->net->proc_net, &ip_vs_info_seq_ops,
> +			sizeof(struct ip_vs_iter)))
> +		goto err_vs;
> +	if (!proc_create_net_single("ip_vs_stats", 0, ipvs->net->proc_net,
> +			ip_vs_stats_show, NULL))
> +		goto err_stats;
> +	if (!proc_create_net_single("ip_vs_stats_percpu", 0, ipvs->net->proc_net,
> +			ip_vs_stats_percpu_show, NULL))
> +		goto err_percpu;

	Make sure the parameters are properly aligned to function open 
parenthesis without exceeding 80 columns:

linux# scripts/checkpatch.pl --strict /tmp/file.patch

	It was true only for the first call due to some
renames for the other two in commit 3617d9496cd9 :(

> +#endif
>  
>  	if (ip_vs_control_net_init_sysctl(ipvs))
>  		goto err;
> @@ -4180,6 +4185,14 @@ int __net_init ip_vs_control_net_init(struct netns_ipvs *ipvs)
>  	return 0;
>  
>  err:
> +#ifdef CONFIG_PROC_FS
> +	remove_proc_entry("ip_vs_stats_percpu", ipvs->net->proc_net);

	It should look better with an empty line before
the 3 new labels.

> +err_percpu:
> +	remove_proc_entry("ip_vs_stats", ipvs->net->proc_net);
> +err_stats:
> +	remove_proc_entry("ip_vs", ipvs->net->proc_net);
> +err_vs:
> +#endif
>  	free_percpu(ipvs->tot_stats.cpustats);
>  	return -ENOMEM;
>  }
> @@ -4188,9 +4201,11 @@ void __net_exit ip_vs_control_net_cleanup(struct netns_ipvs *ipvs)
>  {
>  	ip_vs_trash_cleanup(ipvs);
>  	ip_vs_control_net_cleanup_sysctl(ipvs);
> +#ifdef CONFIG_PROC_FS
>  	remove_proc_entry("ip_vs_stats_percpu", ipvs->net->proc_net);
>  	remove_proc_entry("ip_vs_stats", ipvs->net->proc_net);
>  	remove_proc_entry("ip_vs", ipvs->net->proc_net);
> +#endif
>  	free_percpu(ipvs->tot_stats.cpustats);
>  }
>  

Regards

--
Julian Anastasov <ja@ssi.bg>

Wang Hai Nov. 23, 2020, 2:49 p.m. UTC | #2
On 2020/11/22 19:20, Julian Anastasov wrote:
> 	Hello,
>
> On Fri, 20 Nov 2020, Wang Hai wrote:
>
>> kmemleak reports a memory leak as follows:
>>
>> BUG: memory leak
>> unreferenced object 0xffff8880759ea000 (size 256):
>> comm "syz-executor.3", pid 6484, jiffies 4297476946 (age 48.546s)
[...]
>>
>> Fixes: b17fc9963f83 ("IPVS: netns, ip_vs_stats and its procfs")
>> Fixes: 61b1ab4583e2 ("IPVS: netns, add basic init per netns.")
>> Reported-by: Hulk Robot <hulkci@huawei.com>
>> Signed-off-by: Wang Hai <wanghai38@huawei.com>
>> ---
[...]
>>   
>> -	proc_create_net("ip_vs", 0, ipvs->net->proc_net, &ip_vs_info_seq_ops,
>> -			sizeof(struct ip_vs_iter));
>> -	proc_create_net_single("ip_vs_stats", 0, ipvs->net->proc_net,
>> -			ip_vs_stats_show, NULL);
>> -	proc_create_net_single("ip_vs_stats_percpu", 0, ipvs->net->proc_net,
>> -			ip_vs_stats_percpu_show, NULL);
>> +#ifdef CONFIG_PROC_FS
>> +	if (!proc_create_net("ip_vs", 0, ipvs->net->proc_net, &ip_vs_info_seq_ops,
>> +			sizeof(struct ip_vs_iter)))
>> +		goto err_vs;
>> +	if (!proc_create_net_single("ip_vs_stats", 0, ipvs->net->proc_net,
>> +			ip_vs_stats_show, NULL))
>> +		goto err_stats;
>> +	if (!proc_create_net_single("ip_vs_stats_percpu", 0, ipvs->net->proc_net,
>> +			ip_vs_stats_percpu_show, NULL))
>> +		goto err_percpu;
> 	Make sure the parameters are properly aligned to function open
> parenthesis without exceeding 80 columns:
>
> linux# scripts/checkpatch.pl --strict /tmp/file.patch
Thanks, I'll perfect it.
> 	It was true only for the first call due to some
> renames for the other two in commit 3617d9496cd9 :(
It does indeed rename in commit 3617d9496cd9.
But I don't understand what's wrong with my patch here.
>> +#endif
>>   
>>   	if (ip_vs_control_net_init_sysctl(ipvs))
>>   		goto err;
>> @@ -4180,6 +4185,14 @@ int __net_init ip_vs_control_net_init(struct netns_ipvs *ipvs)
>>   	return 0;
>>   
>>   err:
>> +#ifdef CONFIG_PROC_FS
>> +	remove_proc_entry("ip_vs_stats_percpu", ipvs->net->proc_net);
> 	It should look better with an empty line before
> the 3 new labels.
Thanks, I'll perfect it.
>> +err_percpu:
[...]
>>   	remove_proc_entry("ip_vs_stats", ipvs->net->proc_net);
>>   	remove_proc_entry("ip_vs", ipvs->net->proc_net);
>> +#endif
>>   	free_percpu(ipvs->tot_stats.cpustats);
>>   }
>>   
> Regards
>
> --
> Julian Anastasov <ja@ssi.bg>
>
> .
>

Julian Anastasov Nov. 23, 2020, 7:04 p.m. UTC | #3
Hello,

On Mon, 23 Nov 2020, wanghai (M) wrote:

> On 2020/11/22 19:20, Julian Anastasov wrote:
> >  Hello,
> >
> > On Fri, 20 Nov 2020, Wang Hai wrote:
> >
> >> +	if (!proc_create_net_single("ip_vs_stats_percpu", 0,
> >> ipvs->net->proc_net,
> >> +			ip_vs_stats_percpu_show, NULL))
> >> +		goto err_percpu;
> > 	Make sure the parameters are properly aligned to function open
> > parenthesis without exceeding 80 columns:
> >
> > linux# scripts/checkpatch.pl --strict /tmp/file.patch
> Thanks, I'll perfect it.
> > 	It was true only for the first call due to some
> > renames for the other two in commit 3617d9496cd9 :(
> It does indeed rename in commit 3617d9496cd9.
> But I don't understand what's wrong with my patch here.

	Visually, they should look like this:

        if (!proc_create_net("ip_vs", 0, ipvs->net->proc_net,
                             &ip_vs_info_seq_ops, sizeof(struct ip_vs_iter)))
                goto err_vs;
        if (!proc_create_net_single("ip_vs_stats", 0, ipvs->net->proc_net,
                                    ip_vs_stats_show, NULL))
                goto err_stats;
        if (!proc_create_net_single("ip_vs_stats_percpu", 0,
                                    ipvs->net->proc_net,
                                    ip_vs_stats_percpu_show, NULL))
                goto err_percpu;

	The first one explained:

<1  TAB>if (!proc_create_net("ip_vs", 0, ipvs->net->proc_net,
<  open parenthesis is here  ^ and all next lines align to first parameter>
<1  TAB><1  TAB><1 TAB><5 SP>&ip_vs_info_seq_ops, sizeof(struct ip_vs_iter)))
<1  TAB><1  TAB>goto err_vs;

Regards

--
Julian Anastasov <ja@ssi.bg>

Wang Hai Nov. 24, 2020, 8:07 a.m. UTC | #4
On 2020/11/24 3:04, Julian Anastasov wrote:
> 	Hello,
>
> On Mon, 23 Nov 2020, wanghai (M) wrote:
>
>> On 2020/11/22 19:20, Julian Anastasov wrote:
>>>   Hello,
>>>
>>> On Fri, 20 Nov 2020, Wang Hai wrote:
>>>
>>>> +	if (!proc_create_net_single("ip_vs_stats_percpu", 0,
>>>> ipvs->net->proc_net,
>>>> +			ip_vs_stats_percpu_show, NULL))
>>>> +		goto err_percpu;
>>> 	Make sure the parameters are properly aligned to function open
>>> parenthesis without exceeding 80 columns:
>>>
>>> linux# scripts/checkpatch.pl --strict /tmp/file.patch
>> Thanks, I'll perfect it.
>>> 	It was true only for the first call due to some
>>> renames for the other two in commit 3617d9496cd9 :(
>> It does indeed rename in commit 3617d9496cd9.
>> But I don't understand what's wrong with my patch here.
> 	Visually, they should look like this:
>
>          if (!proc_create_net("ip_vs", 0, ipvs->net->proc_net,
>                               &ip_vs_info_seq_ops, sizeof(struct ip_vs_iter)))
>                  goto err_vs;
>          if (!proc_create_net_single("ip_vs_stats", 0, ipvs->net->proc_net,
>                                      ip_vs_stats_show, NULL))
>                  goto err_stats;
>          if (!proc_create_net_single("ip_vs_stats_percpu", 0,
>                                      ipvs->net->proc_net,
>                                      ip_vs_stats_percpu_show, NULL))
>                  goto err_percpu;

Thank you for your patient explanation, I got it.

I just sent v3

"[PATCH net v3] ipvs: fix possible memory leak in ip_vs_control_net_init"

> 	The first one explained:
>
> <1  TAB>if (!proc_create_net("ip_vs", 0, ipvs->net->proc_net,
> <  open parenthesis is here  ^ and all next lines align to first parameter>
> <1  TAB><1  TAB><1 TAB><5 SP>&ip_vs_info_seq_ops, sizeof(struct ip_vs_iter)))
> <1  TAB><1  TAB>goto err_vs;
>
> Regards
>
> --
> Julian Anastasov <ja@ssi.bg>

Patch

diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
index e279ded4e306..c00394ba20db 100644
--- a/net/netfilter/ipvs/ip_vs_ctl.c
+++ b/net/netfilter/ipvs/ip_vs_ctl.c
@@ -4167,12 +4167,17 @@  int __net_init ip_vs_control_net_init(struct netns_ipvs *ipvs)
 
 	spin_lock_init(&ipvs->tot_stats.lock);
 
-	proc_create_net("ip_vs", 0, ipvs->net->proc_net, &ip_vs_info_seq_ops,
-			sizeof(struct ip_vs_iter));
-	proc_create_net_single("ip_vs_stats", 0, ipvs->net->proc_net,
-			ip_vs_stats_show, NULL);
-	proc_create_net_single("ip_vs_stats_percpu", 0, ipvs->net->proc_net,
-			ip_vs_stats_percpu_show, NULL);
+#ifdef CONFIG_PROC_FS
+	if (!proc_create_net("ip_vs", 0, ipvs->net->proc_net, &ip_vs_info_seq_ops,
+			sizeof(struct ip_vs_iter)))
+		goto err_vs;
+	if (!proc_create_net_single("ip_vs_stats", 0, ipvs->net->proc_net,
+			ip_vs_stats_show, NULL))
+		goto err_stats;
+	if (!proc_create_net_single("ip_vs_stats_percpu", 0, ipvs->net->proc_net,
+			ip_vs_stats_percpu_show, NULL))
+		goto err_percpu;
+#endif
 
 	if (ip_vs_control_net_init_sysctl(ipvs))
 		goto err;
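Review bot: the first and third new `if (!proc_create_net...` lines run past 80 columns (at 8-column tabs) once the `if (!` prefix is added, and all three continuation lines keep the old tab indentation instead of lining up under the first argument after the open parenthesis. Wrap the first call before `&ip_vs_info_seq_ops` and the percpu call before `ipvs->net->proc_net`, then align the continuations. A one-line comment above `#ifdef CONFIG_PROC_FS` noting that the proc_create_net* helpers return NULL without procfs would also explain why these checks must be compiled out rather than left unconditional; at present that reasoning lives only in the changelog.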
@@ -4180,6 +4185,14 @@  int __net_init ip_vs_control_net_init(struct netns_ipvs *ipvs)
 	return 0;
 
 err:
+#ifdef CONFIG_PROC_FS
+	remove_proc_entry("ip_vs_stats_percpu", ipvs->net->proc_net);
+err_percpu:
+	remove_proc_entry("ip_vs_stats", ipvs->net->proc_net);
+err_stats:
+	remove_proc_entry("ip_vs", ipvs->net->proc_net);
+err_vs:
+#endif
 	free_percpu(ipvs->tot_stats.cpustats);
 	return -ENOMEM;
 }
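Review bot: in the unwind ladder added under `err:`, each label is named after the step that failed, so the statement directly below `err_percpu:` removes "ip_vs_stats" and the one below `err_stats:` removes "ip_vs". That is the correct reverse-order cleanup, but it is easy to misread as off by one. Put a blank line before each of the three new labels so the fall-through reads as distinct steps, and consider a short comment stating that each label undoes everything created before the failing call.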
@@ -4188,9 +4201,11 @@  void __net_exit ip_vs_control_net_cleanup(struct netns_ipvs *ipvs)
 {
 	ip_vs_trash_cleanup(ipvs);
 	ip_vs_control_net_cleanup_sysctl(ipvs);
+#ifdef CONFIG_PROC_FS
 	remove_proc_entry("ip_vs_stats_percpu", ipvs->net->proc_net);
 	remove_proc_entry("ip_vs_stats", ipvs->net->proc_net);
 	remove_proc_entry("ip_vs", ipvs->net->proc_net);
+#endif
 	free_percpu(ipvs->tot_stats.cpustats);
 }
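Review bot: the `#ifdef CONFIG_PROC_FS` added around the three remove_proc_entry() calls in ip_vs_control_net_cleanup() is not motivated by the changelog, which justifies the guard only by proc_create_net* returning NULL when procfs is not used. These three calls are unchanged context and were unguarded before this patch, so unless there is a concrete build or runtime reason to compile them out, drop the guard from this hunk to keep preprocessor conditionals out of the function body, or state in the commit message why the cleanup path needs it.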