forked from mirrors/linux
d38afeec26
Originally, inet6_sk(sk)->XXX were changed under lock_sock(), so we were able to clean them up by calling inet6_destroy_sock() during the IPv6 -> IPv4 conversion by IPV6_ADDRFORM. However, commit03485f2adc("udpv6: Add lockless sendmsg() support") added a lockless memory allocation path, which could cause a memory leak: setsockopt(IPV6_ADDRFORM) sendmsg() +-----------------------+ +-------+ - do_ipv6_setsockopt(sk, ...) - udpv6_sendmsg(sk, ...) - sockopt_lock_sock(sk) ^._ called via udpv6_prot - lock_sock(sk) before WRITE_ONCE() - WRITE_ONCE(sk->sk_prot, &tcp_prot) - inet6_destroy_sock() - if (!corkreq) - sockopt_release_sock(sk) - ip6_make_skb(sk, ...) - release_sock(sk) ^._ lockless fast path for the non-corking case - __ip6_append_data(sk, ...) - ipv6_local_rxpmtu(sk, ...) - xchg(&np->rxpmtu, skb) ^._ rxpmtu is never freed. - goto out_no_dst; - lock_sock(sk) For now, rxpmtu is only the case, but not to miss the future change and a similar bug fixed in commite27326009a("net: ping6: Fix memleak in ipv6_renew_options()."), let's set a new function to IPv6 sk->sk_destruct() and call inet6_cleanup_sock() there. Since the conversion does not change sk->sk_destruct(), we can guarantee that we can clean up IPv6 resources finally. We can now remove all inet6_destroy_sock() calls from IPv6 protocol specific ->destroy() functions, but such changes are invasive to backport. So they can be posted as a follow-up later for net-next. Fixes:03485f2adc("udpv6: Add lockless sendmsg() support") Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com> Signed-off-by: Jakub Kicinski <kuba@kernel.org>
31 lines
1.1 KiB
C
31 lines
1.1 KiB
C
/* SPDX-License-Identifier: GPL-2.0 */
|
|
#ifndef _UDP6_IMPL_H
|
|
#define _UDP6_IMPL_H
|
|
#include <net/udp.h>
|
|
#include <net/udplite.h>
|
|
#include <net/protocol.h>
|
|
#include <net/addrconf.h>
|
|
#include <net/inet_common.h>
|
|
#include <net/transp_v6.h>
|
|
|
|
int __udp6_lib_rcv(struct sk_buff *, struct udp_table *, int);
|
|
int __udp6_lib_err(struct sk_buff *, struct inet6_skb_parm *, u8, u8, int,
|
|
__be32, struct udp_table *);
|
|
|
|
int udpv6_init_sock(struct sock *sk);
|
|
int udp_v6_get_port(struct sock *sk, unsigned short snum);
|
|
void udp_v6_rehash(struct sock *sk);
|
|
|
|
int udpv6_getsockopt(struct sock *sk, int level, int optname,
|
|
char __user *optval, int __user *optlen);
|
|
int udpv6_setsockopt(struct sock *sk, int level, int optname, sockptr_t optval,
|
|
unsigned int optlen);
|
|
int udpv6_sendmsg(struct sock *sk, struct msghdr *msg, size_t len);
|
|
int udpv6_recvmsg(struct sock *sk, struct msghdr *msg, size_t len, int flags,
|
|
int *addr_len);
|
|
void udpv6_destroy_sock(struct sock *sk);
|
|
|
|
#ifdef CONFIG_PROC_FS
|
|
int udp6_seq_show(struct seq_file *seq, void *v);
|
|
#endif
|
|
#endif /* _UDP6_IMPL_H */
|