From: katrinzhou <[email protected]>
Fix an illegal copy_to_user() attempt when the system fails to
allocate memory for prl due to a lack of memory.
Addresses-Coverity: ("Unused value")
Fixes: 300aaeeaab5f ("[IPV6] SIT: Add SIOCGETPRL ioctl to get/dump PRL.")
Signed-off-by: katrinzhou <[email protected]>
---
Changes in v2:
- Move the position of label "out"
net/ipv6/sit.c | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c
index c0b138c20992..3330882c0f94 100644
--- a/net/ipv6/sit.c
+++ b/net/ipv6/sit.c
@@ -323,8 +323,6 @@ static int ipip6_tunnel_get_prl(struct net_device *dev, struct ip_tunnel_prl __u
kcalloc(cmax, sizeof(*kp), GFP_KERNEL_ACCOUNT | __GFP_NOWARN) :
NULL;
- rcu_read_lock();
-
ca = min(t->prl_count, cmax);
if (!kp) {
@@ -342,6 +340,7 @@ static int ipip6_tunnel_get_prl(struct net_device *dev, struct ip_tunnel_prl __u
}
c = 0;
+ rcu_read_lock();
for_each_prl_rcu(t->prl) {
if (c >= cmax)
break;
@@ -353,7 +352,7 @@ static int ipip6_tunnel_get_prl(struct net_device *dev, struct ip_tunnel_prl __u
if (kprl.addr != htonl(INADDR_ANY))
break;
}
-out:
+
rcu_read_unlock();
len = sizeof(*kp) * c;
@@ -362,7 +361,7 @@ static int ipip6_tunnel_get_prl(struct net_device *dev, struct ip_tunnel_prl __u
ret = -EFAULT;
kfree(kp);
-
+out:
return ret;
}
--
2.27.0
On 6/24/22 11:45 PM, [email protected] wrote:
> From: katrinzhou <[email protected]>
>
> Fix an illegal copy_to_user() attempt when the system fails to
> allocate memory for prl due to a lack of memory.
>
> Addresses-Coverity: ("Unused value")
> Fixes: 300aaeeaab5f ("[IPV6] SIT: Add SIOCGETPRL ioctl to get/dump PRL.")
> Signed-off-by: katrinzhou <[email protected]>
> ---
>
> Changes in v2:
> - Move the position of label "out"
>
> net/ipv6/sit.c | 7 +++----
> 1 file changed, 3 insertions(+), 4 deletions(-)
>
Reviewed-by: David Ahern <[email protected]>
On Sat, Jun 25, 2022 at 7:45 AM <[email protected]> wrote:
>
> From: katrinzhou <[email protected]>
>
> Fix an illegal copy_to_user() attempt when the system fails to
> allocate memory for prl due to a lack of memory.
I do not really see an illegal copy_to_user()
c = 0
-> len = 0
if ((len && copy_to_user(a + 1, kp, len)) || put_user(len, &a->datalen))
So the copy_to_user() should not be called ?
I think you should only mention that after this patch, correct error
code is returned (-ENOMEM)
>
> Addresses-Coverity: ("Unused value")
> Fixes: 300aaeeaab5f ("[IPV6] SIT: Add SIOCGETPRL ioctl to get/dump PRL.")
> Signed-off-by: katrinzhou <[email protected]>
> ---
>
> Changes in v2:
> - Move the position of label "out"
>
> net/ipv6/sit.c | 7 +++----
> 1 file changed, 3 insertions(+), 4 deletions(-)
>
> diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c
> index c0b138c20992..3330882c0f94 100644
> --- a/net/ipv6/sit.c
> +++ b/net/ipv6/sit.c
> @@ -323,8 +323,6 @@ static int ipip6_tunnel_get_prl(struct net_device *dev, struct ip_tunnel_prl __u
> kcalloc(cmax, sizeof(*kp), GFP_KERNEL_ACCOUNT | __GFP_NOWARN) :
> NULL;
>
> - rcu_read_lock();
> -
> ca = min(t->prl_count, cmax);
>
> if (!kp) {
> @@ -342,6 +340,7 @@ static int ipip6_tunnel_get_prl(struct net_device *dev, struct ip_tunnel_prl __u
> }
>
> c = 0;
> + rcu_read_lock();
> for_each_prl_rcu(t->prl) {
> if (c >= cmax)
> break;
> @@ -353,7 +352,7 @@ static int ipip6_tunnel_get_prl(struct net_device *dev, struct ip_tunnel_prl __u
> if (kprl.addr != htonl(INADDR_ANY))
> break;
> }
> -out:
> +
> rcu_read_unlock();
>
> len = sizeof(*kp) * c;
> @@ -362,7 +361,7 @@ static int ipip6_tunnel_get_prl(struct net_device *dev, struct ip_tunnel_prl __u
> ret = -EFAULT;
>
> kfree(kp);
> -
> +out:
> return ret;
> }
>
> --
> 2.27.0
>
On Mon, Jun 27, 2022 at 5:01 PM Eric Dumazet <[email protected]> wrote:
>
> On Sat, Jun 25, 2022 at 7:45 AM <[email protected]> wrote:
> >
> > From: katrinzhou <[email protected]>
> >
> > Fix an illegal copy_to_user() attempt when the system fails to
> > allocate memory for prl due to a lack of memory.
>
> I do not really see an illegal copy_to_user()
>
> c = 0
> -> len = 0
>
> if ((len && copy_to_user(a + 1, kp, len)) || put_user(len, &a->datalen))
>
> So the copy_to_user() should not be called ?
>
> I think you should only mention that after this patch, correct error
> code is returned (-ENOMEM)
>
>
> >
> > Addresses-Coverity: ("Unused value")
> > Fixes: 300aaeeaab5f ("[IPV6] SIT: Add SIOCGETPRL ioctl to get/dump PRL.")
> > Signed-off-by: katrinzhou <[email protected]>
> > ---
> >
> > Changes in v2:
> > - Move the position of label "out"
> >
> > net/ipv6/sit.c | 7 +++----
> > 1 file changed, 3 insertions(+), 4 deletions(-)
> >
> > diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c
> > index c0b138c20992..3330882c0f94 100644
> > --- a/net/ipv6/sit.c
> > +++ b/net/ipv6/sit.c
> > @@ -323,8 +323,6 @@ static int ipip6_tunnel_get_prl(struct net_device *dev, struct ip_tunnel_prl __u
> > kcalloc(cmax, sizeof(*kp), GFP_KERNEL_ACCOUNT | __GFP_NOWARN) :
> > NULL;
> >
> > - rcu_read_lock();
> > -
> > ca = min(t->prl_count, cmax);
> >
> > if (!kp) {
> > @@ -342,6 +340,7 @@ static int ipip6_tunnel_get_prl(struct net_device *dev, struct ip_tunnel_prl __u
> > }
> >
> > c = 0;
> > + rcu_read_lock();
> > for_each_prl_rcu(t->prl) {
> > if (c >= cmax)
> > break;
> > @@ -353,7 +352,7 @@ static int ipip6_tunnel_get_prl(struct net_device *dev, struct ip_tunnel_prl __u
> > if (kprl.addr != htonl(INADDR_ANY))
> > break;
> > }
> > -out:
> > +
> > rcu_read_unlock();
> >
> > len = sizeof(*kp) * c;
> > @@ -362,7 +361,7 @@ static int ipip6_tunnel_get_prl(struct net_device *dev, struct ip_tunnel_prl __u
> > ret = -EFAULT;
> >
> > kfree(kp);
> > -
> > +out:
> > return ret;
> > }
> >
> > --
> > 2.27.0
> >
Thanks for pointing that out. I will modify the message in the next
version of the patch.
And, could c = 0 (line 344) be removed? It is initialized at the beginning.
I think it is a cleanup work.
Best Regards,
Katrin