linux/net
Kuniyuki Iwashima d38afeec26 tcp/udp: Call inet6_destroy_sock() in IPv6 sk->sk_destruct().
Originally, inet6_sk(sk)->XXX were changed under lock_sock(), so we were
able to clean them up by calling inet6_destroy_sock() during the IPv6 ->
IPv4 conversion by IPV6_ADDRFORM.  However, commit 03485f2adc ("udpv6:
Add lockless sendmsg() support") added a lockless memory allocation path,
which could cause a memory leak:

setsockopt(IPV6_ADDRFORM)                 sendmsg()
+-----------------------+                 +-------+
- do_ipv6_setsockopt(sk, ...)             - udpv6_sendmsg(sk, ...)
  - sockopt_lock_sock(sk)                   ^._ called via udpv6_prot
    - lock_sock(sk)                             before WRITE_ONCE()
  - WRITE_ONCE(sk->sk_prot, &tcp_prot)
  - inet6_destroy_sock()                    - if (!corkreq)
  - sockopt_release_sock(sk)                  - ip6_make_skb(sk, ...)
    - release_sock(sk)                          ^._ lockless fast path for
                                                    the non-corking case

                                                - __ip6_append_data(sk, ...)
                                                  - ipv6_local_rxpmtu(sk, ...)
                                                    - xchg(&np->rxpmtu, skb)
                                                      ^._ rxpmtu is never freed.

                                                - goto out_no_dst;

                                            - lock_sock(sk)

For now, rxpmtu is only the case, but not to miss the future change
and a similar bug fixed in commit e27326009a ("net: ping6: Fix
memleak in ipv6_renew_options()."), let's set a new function to IPv6
sk->sk_destruct() and call inet6_cleanup_sock() there.  Since the
conversion does not change sk->sk_destruct(), we can guarantee that
we can clean up IPv6 resources finally.

We can now remove all inet6_destroy_sock() calls from IPv6 protocol
specific ->destroy() functions, but such changes are invasive to
backport.  So they can be posted as a follow-up later for net-next.

Fixes: 03485f2adc ("udpv6: Add lockless sendmsg() support")
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2022-10-12 17:50:37 -07:00
..
6lowpan
9p iov_iter stuff, part 2, rebased 2022-08-08 20:04:35 -07:00
802
8021q net: gro: skb_gro_header helper function 2022-08-25 10:33:21 +02:00
appletalk
atm
ax25 ax25: move from strlcpy with unused retval to strscpy 2022-08-22 17:55:50 -07:00
batman-adv Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2022-09-22 13:02:10 -07:00
bluetooth Bluetooth: hci_sync: Fix not indicating power state 2022-09-30 17:32:12 -07:00
bpf selftests/bpf: Add tests for kfunc returning a memory pointer 2022-09-07 11:05:17 -07:00
bpfilter
bridge net: bridge: assign path_cost for 2.5G and 5G link speed 2022-09-30 12:35:29 +01:00
caif caif: move from strlcpy with unused retval to strscpy 2022-08-22 17:57:35 -07:00
can can: bcm: check the result of can_send() in bcm_can_tx() 2022-09-23 13:53:10 +02:00
ceph libceph: clean up ceph_osdc_start_request prototype 2022-08-03 14:05:39 +02:00
core Merge https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next 2022-10-03 13:02:49 -07:00
dcb
dccp tcp: Introduce optional per-netns ehash. 2022-09-20 10:21:50 -07:00
dns_resolver
dsa net: dsa: fix wrong pointer passed to PTR_ERR() in dsa_port_phylink_create() 2022-10-09 20:01:32 +01:00
ethernet net: gro: skb_gro_header helper function 2022-08-25 10:33:21 +02:00
ethtool ethtool: add interface to interact with Ethernet Power Equipment 2022-10-03 17:33:57 -07:00
hsr genetlink: start to validate reserved header bytes 2022-08-29 12:47:15 +01:00
ieee802154 net/ieee802154: don't warn zero-sized raw_sendmsg() 2022-10-05 12:37:10 +02:00
ife
ipv4 tcp/udp: Call inet6_destroy_sock() in IPv6 sk->sk_destruct(). 2022-10-12 17:50:37 -07:00
ipv6 tcp/udp: Call inet6_destroy_sock() in IPv6 sk->sk_destruct(). 2022-10-12 17:50:37 -07:00
iucv
kcm kcm: fix strp_init() order and cleanup 2022-08-31 12:16:44 -07:00
key Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec 2022-08-24 12:51:50 +01:00
l2tp genetlink: start to validate reserved header bytes 2022-08-29 12:47:15 +01:00
l3mdev
lapb
llc
mac80211 wifi: mac80211: netdev compatible TX stop for iTXQ drivers 2022-10-07 14:48:14 +02:00
mac802154 net: mac802154: Fix a condition in the receive path 2022-08-29 11:10:22 +02:00
mctp mctp: prevent double key removal and unref 2022-10-12 13:30:50 +01:00
mpls net: Use u64_stats_fetch_begin_irq() for stats fetch. 2022-08-29 13:02:27 +01:00
mptcp mptcp: update misleading comments. 2022-10-03 11:18:53 +01:00
ncsi genetlink: start to validate reserved header bytes 2022-08-29 12:47:15 +01:00
netfilter Merge https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next 2022-10-03 13:02:49 -07:00
netlabel genetlink: start to validate reserved header bytes 2022-08-29 12:47:15 +01:00
netlink genetlink: reject use of nlmsg_flags for new commands 2022-09-30 17:43:09 -07:00
netrom
nfc NFC: hci: Split memcpy() of struct hcp_message flexible array 2022-09-27 07:45:18 -07:00
nsh
openvswitch net: openvswitch: allow conntrack in non-initial user namespace 2022-09-27 11:31:36 +02:00
packet net/af_packet: registration process optimization in packet_init() 2022-09-21 12:59:22 +01:00
phonet
psample genetlink: start to validate reserved header bytes 2022-08-29 12:47:15 +01:00
qrtr net: qrtr: start MHI channel after endpoit creation 2022-08-15 11:21:42 +01:00
rds Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2022-10-03 17:44:18 -07:00
rfkill
rose rose: check NULL rose_loopback_neigh->loopback 2022-08-22 14:24:54 +01:00
rxrpc rxrpc: remove rxrpc_max_call_lifetime declaration 2022-09-19 17:58:47 -07:00
sched Revert "net/sched: taprio: make qdisc_leaf() see the per-netdev-queue pfifo child qdiscs" 2022-10-05 20:32:15 -07:00
sctp sctp: handle the error returned from sctp_auth_asoc_init_active_key 2022-09-30 12:36:40 +01:00
smc net/smc: Support SO_REUSEPORT 2022-09-27 10:26:17 +02:00
strparser
sunrpc SUNRPC: Fix typo in xdr_buf_subsegment's kdoc comment 2022-09-26 14:02:47 -04:00
switchdev
tipc net/tipc: Remove unused struct distr_queue_item 2022-09-29 18:48:32 -07:00
tls net: tls: Add ARIA-GCM algorithm 2022-09-27 17:29:09 -07:00
unix Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2022-10-03 17:44:18 -07:00
vmw_vsock Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2022-10-03 17:44:18 -07:00
wireless wifi: nl80211: Split memcpy() of struct nl80211_wowlan_tcp_data_token flexible array 2022-10-07 15:19:06 +02:00
x25 net/x25: fix call timeouts in blocking connects 2022-08-08 20:48:51 -07:00
xdp Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2022-10-03 17:44:18 -07:00
xfrm Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2022-10-03 17:44:18 -07:00
compat.c net: clear msg_get_inq in __get_compat_msghdr() 2022-09-20 08:23:20 -07:00
devres.c
Kconfig Remove DECnet support from kernel 2022-08-22 14:26:30 +01:00
Kconfig.debug net: make NET_(DEV|NS)_REFCNT_TRACKER depend on NET 2022-09-20 14:23:56 -07:00
Makefile Remove DECnet support from kernel 2022-08-22 14:26:30 +01:00
socket.c net: Fix a data-race around sysctl_somaxconn. 2022-08-24 13:46:58 +01:00
sysctl_net.c