d38afeec26
Originally, inet6_sk(sk)->XXX were changed under lock_sock(), so we were
able to clean them up by calling inet6_destroy_sock() during the IPv6 ->
IPv4 conversion by IPV6_ADDRFORM. However, commit 03485f2adcde ("udpv6:
Add lockless sendmsg() support") added a lockless memory allocation path,
which could cause a memory leak:
setsockopt(IPV6_ADDRFORM) sendmsg()
+-----------------------+ +-------+
- do_ipv6_setsockopt(sk, ...) - udpv6_sendmsg(sk, ...)
- sockopt_lock_sock(sk) ^._ called via udpv6_prot
- lock_sock(sk) before WRITE_ONCE()
- WRITE_ONCE(sk->sk_prot, &tcp_prot)
- inet6_destroy_sock() - if (!corkreq)
- sockopt_release_sock(sk) - ip6_make_skb(sk, ...)
- release_sock(sk) ^._ lockless fast path for
the non-corking case
- __ip6_append_data(sk, ...)
- ipv6_local_rxpmtu(sk, ...)
- xchg(&np->rxpmtu, skb)
^._ rxpmtu is never freed.
- goto out_no_dst;
- lock_sock(sk)
For now, rxpmtu is only the case, but not to miss the future change
and a similar bug fixed in commit e27326009a3d ("net: ping6: Fix
memleak in ipv6_renew_options()."), let's set a new function to IPv6
sk->sk_destruct() and call inet6_cleanup_sock() there. Since the
conversion does not change sk->sk_destruct(), we can guarantee that
we can clean up IPv6 resources finally.
We can now remove all inet6_destroy_sock() calls from IPv6 protocol
specific ->destroy() functions, but such changes are invasive to
backport. So they can be posted as a follow-up later for net-next.
Fixes: 03485f2adcde ("udpv6: Add lockless sendmsg() support")
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
32 lines
1.1 KiB
C
32 lines
1.1 KiB
C
/* SPDX-License-Identifier: GPL-2.0 */
|
|
#ifndef _UDP6_IMPL_H
|
|
#define _UDP6_IMPL_H
|
|
#include <net/udp.h>
|
|
#include <net/udplite.h>
|
|
#include <net/protocol.h>
|
|
#include <net/addrconf.h>
|
|
#include <net/inet_common.h>
|
|
#include <net/transp_v6.h>
|
|
|
|
int __udp6_lib_rcv(struct sk_buff *, struct udp_table *, int);
|
|
int __udp6_lib_err(struct sk_buff *, struct inet6_skb_parm *, u8, u8, int,
|
|
__be32, struct udp_table *);
|
|
|
|
int udpv6_init_sock(struct sock *sk);
|
|
int udp_v6_get_port(struct sock *sk, unsigned short snum);
|
|
void udp_v6_rehash(struct sock *sk);
|
|
|
|
int udpv6_getsockopt(struct sock *sk, int level, int optname,
|
|
char __user *optval, int __user *optlen);
|
|
int udpv6_setsockopt(struct sock *sk, int level, int optname, sockptr_t optval,
|
|
unsigned int optlen);
|
|
int udpv6_sendmsg(struct sock *sk, struct msghdr *msg, size_t len);
|
|
int udpv6_recvmsg(struct sock *sk, struct msghdr *msg, size_t len, int flags,
|
|
int *addr_len);
|
|
void udpv6_destroy_sock(struct sock *sk);
|
|
|
|
#ifdef CONFIG_PROC_FS
|
|
int udp6_seq_show(struct seq_file *seq, void *v);
|
|
#endif
|
|
#endif /* _UDP6_IMPL_H */
|