The seg6_input() function is responsible for adding the SRH into a
packet, delegating the operation to the seg6_input_core(). This function
uses the skb_cow_head() to ensure that there is sufficient headroom in
the sk_buff for accommodating the link-layer header.
In the event that the skb_cow_header() function fails, the
seg6_input_core() catches the error but it does not release the sk_buff,
which will result in a memory leak.
This issue was introduced in commit af3b5158b89d ("ipv6: sr: fix BUG due
to headroom too small after SRH push") and persists even after commit
7a3f5b0de364 ("netfilter: add netfilter hooks to SRv6 data plane"),
where the entire seg6_input() code was refactored to deal with netfilter
hooks.
The proposed patch addresses the identified memory leak by requiring the
seg6_input_core() function to release the sk_buff in the event that
skb_cow_head() fails.
Fixes: af3b5158b89d ("ipv6: sr: fix BUG due to headroom too small after SRH push")
Signed-off-by: Andrea Mayer <[email protected]>
---
net/ipv6/seg6_iptunnel.c | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/net/ipv6/seg6_iptunnel.c b/net/ipv6/seg6_iptunnel.c
index 03b877ff4558..a75df2ec8db0 100644
--- a/net/ipv6/seg6_iptunnel.c
+++ b/net/ipv6/seg6_iptunnel.c
@@ -459,10 +459,8 @@ static int seg6_input_core(struct net *net, struct sock *sk,
int err;
err = seg6_do_srh(skb);
- if (unlikely(err)) {
- kfree_skb(skb);
- return err;
- }
+ if (unlikely(err))
+ goto drop;
slwt = seg6_lwt_lwtunnel(orig_dst->lwtstate);
@@ -486,7 +484,7 @@ static int seg6_input_core(struct net *net, struct sock *sk,
err = skb_cow_head(skb, LL_RESERVED_SPACE(dst->dev));
if (unlikely(err))
- return err;
+ goto drop;
if (static_branch_unlikely(&nf_hooks_lwtunnel_enabled))
return NF_HOOK(NFPROTO_IPV6, NF_INET_LOCAL_OUT,
@@ -494,6 +492,9 @@ static int seg6_input_core(struct net *net, struct sock *sk,
skb_dst(skb)->dev, seg6_input_finish);
return seg6_input_finish(dev_net(skb->dev), NULL, skb);
+drop:
+ kfree_skb(skb);
+ return err;
}
static int seg6_input_nf(struct sk_buff *skb)
--
2.20.1
On Fri, May 17, 2024 at 06:45:41PM +0200, Andrea Mayer wrote:
> The seg6_input() function is responsible for adding the SRH into a
> packet, delegating the operation to the seg6_input_core(). This function
> uses the skb_cow_head() to ensure that there is sufficient headroom in
> the sk_buff for accommodating the link-layer header.
> In the event that the skb_cow_header() function fails, the
> seg6_input_core() catches the error but it does not release the sk_buff,
> which will result in a memory leak.
>
> This issue was introduced in commit af3b5158b89d ("ipv6: sr: fix BUG due
> to headroom too small after SRH push") and persists even after commit
> 7a3f5b0de364 ("netfilter: add netfilter hooks to SRv6 data plane"),
> where the entire seg6_input() code was refactored to deal with netfilter
> hooks.
>
> The proposed patch addresses the identified memory leak by requiring the
> seg6_input_core() function to release the sk_buff in the event that
> skb_cow_head() fails.
>
> Fixes: af3b5158b89d ("ipv6: sr: fix BUG due to headroom too small after SRH push")
> Signed-off-by: Andrea Mayer <[email protected]>
Reviewed-by: Simon Horman <[email protected]>
On 5/17/24 10:45 AM, Andrea Mayer wrote:
> The seg6_input() function is responsible for adding the SRH into a
> packet, delegating the operation to the seg6_input_core(). This function
> uses the skb_cow_head() to ensure that there is sufficient headroom in
> the sk_buff for accommodating the link-layer header.
> In the event that the skb_cow_header() function fails, the
> seg6_input_core() catches the error but it does not release the sk_buff,
> which will result in a memory leak.
>
> This issue was introduced in commit af3b5158b89d ("ipv6: sr: fix BUG due
> to headroom too small after SRH push") and persists even after commit
> 7a3f5b0de364 ("netfilter: add netfilter hooks to SRv6 data plane"),
> where the entire seg6_input() code was refactored to deal with netfilter
> hooks.
>
> The proposed patch addresses the identified memory leak by requiring the
> seg6_input_core() function to release the sk_buff in the event that
> skb_cow_head() fails.
>
> Fixes: af3b5158b89d ("ipv6: sr: fix BUG due to headroom too small after SRH push")
> Signed-off-by: Andrea Mayer <[email protected]>
> ---
> net/ipv6/seg6_iptunnel.c | 11 ++++++-----
> 1 file changed, 6 insertions(+), 5 deletions(-)
>
Reviewed-by: David Ahern <[email protected]>
* The message subject would have been a bit nicer with the key word “PATCH”.
* How do you think about to append parentheses to the function name?
…
> The proposed patch addresses the identified memory leak by …
Will a corresponding imperative wording be more desirable for
an improved change description?
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/process/submitting-patches.rst?h=v6.9#n94
Regards,
Markus
Hello:
This patch was applied to netdev/net.git (main)
by David S. Miller <[email protected]>:
On Fri, 17 May 2024 18:45:41 +0200 you wrote:
> The seg6_input() function is responsible for adding the SRH into a
> packet, delegating the operation to the seg6_input_core(). This function
> uses the skb_cow_head() to ensure that there is sufficient headroom in
> the sk_buff for accommodating the link-layer header.
> In the event that the skb_cow_header() function fails, the
> seg6_input_core() catches the error but it does not release the sk_buff,
> which will result in a memory leak.
>
> [...]
Here is the summary with links:
- [net] ipv6: sr: fix missing sk_buff release in seg6_input_core
https://git.kernel.org/netdev/net/c/5447f9708d9e
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html