If this memory allocation fails, some resources need to be freed.
Add the missing goto to the error handling path.
Fixes: b502b3185cd6 ("genetlink: use iterator in the op to policy map dumping")
Signed-off-by: Christophe JAILLET <[email protected]>
---
This patch is speculative.
This function is a callback and I don't know how the core works and handles
such situation, so review with care!
More-over, should this kmalloc() be a kzalloc()?
genl_op_iter_init() below does not initialize all fields, be they are maybe
set correctly before uses.
---
net/netlink/genetlink.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/net/netlink/genetlink.c b/net/netlink/genetlink.c
index 600993c80050..7b9f04bd85a2 100644
--- a/net/netlink/genetlink.c
+++ b/net/netlink/genetlink.c
@@ -1451,8 +1451,10 @@ static int ctrl_dumppolicy_start(struct netlink_callback *cb)
}
ctx->op_iter = kmalloc(sizeof(*ctx->op_iter), GFP_KERNEL);
- if (!ctx->op_iter)
- return -ENOMEM;
+ if (!ctx->op_iter) {
+ err = -ENOMEM;
+ goto err_free_state;
+ }
genl_op_iter_init(rt, ctx->op_iter);
ctx->dump_map = genl_op_iter_next(ctx->op_iter);
--
2.34.1
On Mon, 12 Dec 2022 22:03:06 +0100 Christophe JAILLET wrote:
> If this memory allocation fails, some resources need to be freed.
> Add the missing goto to the error handling path.
>
> Fixes: b502b3185cd6 ("genetlink: use iterator in the op to policy map dumping")
> Signed-off-by: Christophe JAILLET <[email protected]>
> ---
> This patch is speculative.
>
> This function is a callback and I don't know how the core works and handles
> such situation, so review with care!
It's fine, the function has pretty much two completely separate paths.
Dump all ops and dump a single op.
Anything that allocs state before this point is on the single op path,
while the iterator is only allocated for dump all.
This should be evident from the return 0; at the end of the
if (tb[CTRL_ATTR_OP])
> More-over, should this kmalloc() be a kzalloc()?
> genl_op_iter_init() below does not initialize all fields, be they are maybe
> set correctly before uses.
It's fine, op_iters are put on the stack without initializing, iter
init must (and currently does) work without depending on zeroed memory.
> -----Original Message-----
> From: Jakub Kicinski <[email protected]>
> Sent: Monday, December 12, 2022 1:10 PM
> To: Christophe JAILLET <[email protected]>
> Cc: David S. Miller <[email protected]>; Eric Dumazet
> <[email protected]>; Paolo Abeni <[email protected]>; Keller, Jacob E
> <[email protected]>; [email protected]; kernel-
> [email protected]; [email protected]
> Subject: Re: [PATCH net] genetlink: Fix an error handling path in
> ctrl_dumppolicy_start()
>
> On Mon, 12 Dec 2022 22:03:06 +0100 Christophe JAILLET wrote:
> > If this memory allocation fails, some resources need to be freed.
> > Add the missing goto to the error handling path.
> >
> > Fixes: b502b3185cd6 ("genetlink: use iterator in the op to policy map dumping")
> > Signed-off-by: Christophe JAILLET <[email protected]>
> > ---
> > This patch is speculative.
> >
> > This function is a callback and I don't know how the core works and handles
> > such situation, so review with care!
>
> It's fine, the function has pretty much two completely separate paths.
> Dump all ops and dump a single op.
> Anything that allocs state before this point is on the single op path,
> while the iterator is only allocated for dump all.
> This should be evident from the return 0; at the end of the
> if (tb[CTRL_ATTR_OP])
>
> > More-over, should this kmalloc() be a kzalloc()?
> > genl_op_iter_init() below does not initialize all fields, be they are maybe
> > set correctly before uses.
I personally prefer using kzalloc even if we know its not necessary, except in cases where performance of the allocation matters. It helps reduce the burden of review as one doesn't need to think "was this initialized?" at least for the problem of leaking kernel internals.
I know there are also some tools like UBSAN and others which might be able to detect access to uninitialized memory, but I am not sure if they're capable enough at present to handle memory returned by kmalloc or not. If they are, then there could be advantage in detecting cases where you did fully expect initialization to be done.
>
> It's fine, op_iters are put on the stack without initializing, iter
> init must (and currently does) work without depending on zeroed memory.
The above said, I think the analysis here is correct and that kmalloc is ok here.
Thanks,
Jake