Message-ID: <4c6e6b8e-1d0c-2893-f4b9-ea40170cacd6@virtuozzo.com>
Date:   Wed, 22 Feb 2023 10:11:03 +0800
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101
 Thunderbird/102.8.0
Subject: Re: [PATCH] netfilter: fix percpu counter block leak on error path
 when creating new netns
To:     Pablo Neira Ayuso <pablo@netfilter.org>
Cc:     Jozsef Kadlecsik <kadlec@netfilter.org>,
        Florian Westphal <fw@strlen.de>,
        netfilter-devel@vger.kernel.org, coreteam@netfilter.org,
        netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
        kernel@openvz.org
References: <20230213042505.334898-1-ptikhomirov@virtuozzo.com>
 <Y/VS7okXF1c6rN/I@salvia>
Content-Language: en-US
From:   Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
In-Reply-To: <Y/VS7okXF1c6rN/I@salvia>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
MIME-Version: 1.0
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: =?utf-8?B?TW1yM2FQNWh1ZFNUV3hXVGlzdFRwWUllWnNUVFd6aXV5ODg1aUkwbG5LaE02?=
 =?utf-8?B?QUJ2ZmtSTXlFdmNiQVFWaDEzMDR5R1ZsQ29SendSYmtaM0d0dGVWWkRoblpv?=
 =?utf-8?B?YXdQeXFqVndJSTI2UWlVTjBOc3hray8yV2pKNFlNcnJQS2habkxBWHpFVzFi?=
 =?utf-8?B?QVB6OTlaZ0Mya3pPQlh4TXZWR1o3YnJtTjQwRWg2MWNlZE9YdVFackhlbHhq?=
 =?utf-8?B?QThiNXNKeW1sOTVKN1lQQXViSGtGbnRlaXBHVWJWem9DcEp4SVdxbEJ6cnly?=
 =?utf-8?B?bGlNODdBUHFyS1M0dEdheitmMy9iS3hQYTBhSmptYmNjbGxpQVJzSnZtbExs?=
 =?utf-8?B?NkVqaVlPb2pmTUlPVEtUMnBoK21wL2t4bXZRS2Q1Yi9TZkxVN3FKTkZ3L2Qz?=
 =?utf-8?B?QmJvVXc1UjhnbTNwZ0dRQjhhdWYvK2dxSDMrK0ExeUpTWTBLeEpUeXM0MTJN?=
 =?utf-8?B?N2Y1ajlCNWkwb2lNb3J2UDQzRmpsZHpOWTdDNTBWN0F2NW5pWU9uby9EODE2?=
 =?utf-8?B?YkJFMEFzcmZ6ckN0SWIrd2dTR1VnR2ZldThwZXN3TDhpc3c1OHQ5cEdyZHYx?=
 =?utf-8?B?S00wNWdDaEFNZ3dkT256TTBGclpmWGdMQlgvaFZQdmFNbkVlVUsyUVNqbU41?=
 =?utf-8?B?Vk5BVWh5VVlWME80UUlrOHJkM0Q1TU9ydmc3T3NOUnhlTUlPNkxvMUxLelhN?=
 =?utf-8?B?YmZ4anl4OUQrQ3g3dnNzQjdJZmRyZnlRRmNCK1JiOS92NGFDYjA3amF1V3pT?=
 =?utf-8?B?aUwvMys1Wm4yQWo3QWNORXdOeGhKWUEvbmFvbEdIVUUvTUdtQm5LeFBhVndq?=
 =?utf-8?B?RUFHOW5lOHZYZTlIK3ZwcU9mZGJBVkVPQkU0V0k4Q1BPSCtlMHNLdW83bDk0?=
 =?utf-8?B?VDNUT0ppWnpkUXlqa3pUN2hTR2JkUnpZeis5aU41S0JqZkJTd2JQUHo4ZTl2?=
 =?utf-8?B?NHFXcjN0Uy9wQkFNWDJjMTM3NUdFRjVGL2luM1R4K3lDRDFhSVh1TTkwKyta?=
 =?utf-8?B?ajVIQmtxUWUwUklFVDFUNGZjd2VZOWxFL3RWZ1d4bUZVK0NUblZkaS9oS0o3?=
 =?utf-8?B?RGxWSXI1dFNqcm5wQVNnajB1cktPQnBBUXNmbE1DRU1LSXo0anFoMWN3VUlP?=
 =?utf-8?B?anlMcnJQMlE2Qlh6TG5MR1Z0S1RJR1c0S3dGV0FYN1dSdU0wOUNEc2IyNi9D?=
 =?utf-8?B?cDRuN2tRdk5rUjFwNm9XUDV0ck0zaG1KNDk0R3R1Z0t2K3lEVGx4L2JPcEVr?=
 =?utf-8?B?M3VkNHZJdWs3dGw2eEhuSFpwTjMxWkwyNnZxSmo1RXE3MStPaFJVQkxpRWJT?=
 =?utf-8?B?ejhpS3liQmo1bi9BKzJtSTJFZW5jRm8wLzRTN2N5T2Y4YlhROGtBZlVYLzZ1?=
 =?utf-8?B?WnZob0ROQlhhQU1NRXRDSnJCQ1pidkxOR3RCNWZMeDhtVCtBc0xtTkJYdXRi?=
 =?utf-8?B?dzZqVTF3TGNFblJjRHUyakhwVnc3ZHFWTmd6QXhwMDFRbmFmZWtpb1JBQXBZ?=
 =?utf-8?B?TkU3S2d4aC9YTmJma1hJb2oxczlxL2hNUSs5aGExMWRZazNacE9jUEdhZm5T?=
 =?utf-8?B?TnNsMWhuUTE2QmVyS0tDSlhmb1AxTU80M0FNMG56YTNWOEFhMUEvK2dadXhJ?=
 =?utf-8?B?TVVrYmJIbHNaTk1Wclc1VGRXYnFvR2d5RW91K09SY1h3TmtOVnlPRWtVZEtq?=
 =?utf-8?B?M1BXdUlyN0krNmpOVWNYdTluVVdpN283QWpwWnVuOTZvanRuOW5QQW8wS2FE?=
 =?utf-8?B?c1hrNGJRMUQ5WWV5WHR3d1BRbndvbm1YdXNSdHdIOW9tZ2toOG1ZU1VlaTBk?=
 =?utf-8?B?WE5ZQ3htQ0Frb1N0ZTRsZ0pDOTY3SWErbE1RQ3hYNzYrbWo5dE4wVUJvNWlW?=
 =?utf-8?B?dnVnZGFUT3hxTzFiZHc1ZklGZGlHeFBxZ3pFcVVla2VwQXp1b2Nuc29Ybkp4?=
 =?utf-8?B?N3ZsSXdSbk02bGlVa2lOczBEOFlVZXRuZjdYNTluN010MEpLNHhROGJNcnNG?=
 =?utf-8?B?L3E2eGVNTSsxNHJaT0FNVkNEQVJ6YlcrTWJ3RENWZkRrNXVpQUJRZ3VFMGxt?=
 =?utf-8?B?NWNOOGxNSXVFWm9BRVZwRDlCTi91c0VUV2ZmL2F3WnRTN1Uya1IzMCtycElU?=
 =?utf-8?B?VHFNaUcyZjlkeHpuaFBWN2p0ZnBCYVFqeG9QNkNpdTlpQW5UVWNhM1J1Z0Q5?=
 =?utf-8?B?TFE9PQ==?=
X-OriginatorOrg: virtuozzo.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 7ba3363e-8b88-4347-f432-08db147a11b2
X-MS-Exchange-CrossTenant-AuthSource: VE1PR08MB4989.eurprd08.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 22 Feb 2023 02:11:12.2000
 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 0bc7f26d-0264-416e-a6fc-8352af79c58f
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: MT0O0xn7Rb70Ayu+Hb0dMWVFbD+1OkKKV8BVBHvpBqxf1qGeW7uKz2nuH7lJ+bBsbyDsMJ2zbiCENUiWQDhtZF8KUKaf53U+fceSj+Nfzvg=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: PAXPR08MB6414
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On 22.02.2023 07:25, Pablo Neira Ayuso wrote:
> Hi,
> 
> On Mon, Feb 13, 2023 at 12:25:05PM +0800, Pavel Tikhomirov wrote:
>> Here is the stack where we allocate percpu counter block:
>>
>>    +-< __alloc_percpu
>>      +-< xt_percpu_counter_alloc
>>        +-< find_check_entry # {arp,ip,ip6}_tables.c
>>          +-< translate_table
>>
>> And it can be leaked on this code path:
>>
>>    +-> ip6t_register_table
>>      +-> translate_table # allocates percpu counter block
>>      +-> xt_register_table # fails
>>
>> there is no freeing of the counter block on xt_register_table fail.
>> Note: xt_percpu_counter_free should be called to free it like we do in
>> do_replace through cleanup_entry helper (or in __ip6t_unregister_table).
>>
>> Probability of hitting this error path is low AFAICS (xt_register_table
>> can only return ENOMEM here, as it is not replacing anything, as we are
>> creating new netns, and it is hard to imagine that all previous
>> allocations succeeded and after that one in xt_register_table failed).
>> But it's worth fixing even the rare leak.
> 
> Any suggestion as Fixes: tag here? This issue seems to be rather old?


If I'm correct:

1) we have this exact percpu leak since commit 71ae0dff02d7 ("netfilter: 
xtables: use percpu rule counters") which introduced the percpu allocation.

2) but we don't call cleanup_entry on this path at least since commit 
1da177e4c3f4 ("Linux-2.6.12-rc2") which is really old.

3) I also see the same thing here 
https://github.com/mpe/linux-fullhistory/blame/1ab7e5ccf454483fb78998854dddd0bab398c3de/net/ipv4/netfilter/arp_tables.c#L1169 
which is probably the initiall commit which introduced 
net/ipv4/netfilter/arp_tables.c file.

So I'm not sure about Fixes: tag, probably one of those three commits.
-- 
Best regards, Tikhomirov Pavel
Software Developer, Virtuozzo.