When rhashtable_init() fails, it returns -EINVAL.
However, since error return value of rhashtable_init is not checked,
it can cause use of uninitialized pointers.
So, fix unhandled errors of rhashtable_init.
The three patches are essentially the same logic.
v1->v2:
- change commit message
- fix possible memory leaks
v2->v3:
- split patch into mlx5e, ipv6, mac80211
v3->v4:
- fix newly created warnings due to patches in net/ipv6/seg6.c
MichelleJin (3):
net/mlx5e: check return value of rhashtable_init
net: ipv6: check return value of rhashtable_init
net: mac80211: check return value of rhashtable_init
drivers/net/ethernet/mellanox/mlx5/core/en/tc_ct.c | 14 +++++++++++---
net/ipv6/ila/ila_xlat.c | 6 +++++-
net/ipv6/seg6.c | 8 ++++++--
net/ipv6/seg6_hmac.c | 4 +---
net/mac80211/mesh_pathtbl.c | 5 ++++-
5 files changed, 27 insertions(+), 10 deletions(-)
--
2.25.1
When rhashtable_init() fails, it returns -EINVAL.
However, since error return value of rhashtable_init is not checked,
it can cause use of uninitialized pointers.
So, fix unhandled errors of rhashtable_init.
Signed-off-by: MichelleJin <[email protected]>
---
v1->v2:
- change commit message
- fix unneeded destroying of ht
v2->v3:
- nothing changed
v3->v4:
- nothing changed
drivers/net/ethernet/mellanox/mlx5/core/en/tc_ct.c | 14 +++++++++++---
1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_ct.c b/drivers/net/ethernet/mellanox/mlx5/core/en/tc_ct.c
index 6c949abcd2e1..225748a9e52a 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_ct.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en/tc_ct.c
@@ -2127,12 +2127,20 @@ mlx5_tc_ct_init(struct mlx5e_priv *priv, struct mlx5_fs_chains *chains,
ct_priv->post_act = post_act;
mutex_init(&ct_priv->control_lock);
- rhashtable_init(&ct_priv->zone_ht, &zone_params);
- rhashtable_init(&ct_priv->ct_tuples_ht, &tuples_ht_params);
- rhashtable_init(&ct_priv->ct_tuples_nat_ht, &tuples_nat_ht_params);
+ if (rhashtable_init(&ct_priv->zone_ht, &zone_params))
+ goto err_ct_zone_ht;
+ if (rhashtable_init(&ct_priv->ct_tuples_ht, &tuples_ht_params))
+ goto err_ct_tuples_ht;
+ if (rhashtable_init(&ct_priv->ct_tuples_nat_ht, &tuples_nat_ht_params))
+ goto err_ct_tuples_nat_ht;
return ct_priv;
+err_ct_tuples_nat_ht:
+ rhashtable_destroy(&ct_priv->ct_tuples_ht);
+err_ct_tuples_ht:
+ rhashtable_destroy(&ct_priv->zone_ht);
+err_ct_zone_ht:
err_ct_nat_tbl:
mlx5_chains_destroy_global_table(chains, ct_priv->ct);
err_ct_tbl:
--
2.25.1
When rhashtable_init() fails, it returns -EINVAL.
However, since error return value of rhashtable_init is not checked,
it can cause use of uninitialized pointers.
So, fix unhandled errors of rhashtable_init.
Signed-off-by: MichelleJin <[email protected]>
---
v1->v2:
- change commit message
- fix possible memory leaks
v2->v3:
- nothing changed
v3->v4:
- fix newly created warnings due to patches
net/ipv6/ila/ila_xlat.c | 6 +++++-
net/ipv6/seg6.c | 8 ++++++--
net/ipv6/seg6_hmac.c | 4 +---
3 files changed, 12 insertions(+), 6 deletions(-)
diff --git a/net/ipv6/ila/ila_xlat.c b/net/ipv6/ila/ila_xlat.c
index a1ac0e3d8c60..47447f0241df 100644
--- a/net/ipv6/ila/ila_xlat.c
+++ b/net/ipv6/ila/ila_xlat.c
@@ -610,7 +610,11 @@ int ila_xlat_init_net(struct net *net)
if (err)
return err;
- rhashtable_init(&ilan->xlat.rhash_table, &rht_params);
+ err = rhashtable_init(&ilan->xlat.rhash_table, &rht_params);
+ if (err) {
+ free_bucket_spinlocks(ilan->xlat.locks);
+ return err;
+ }
return 0;
}
diff --git a/net/ipv6/seg6.c b/net/ipv6/seg6.c
index e412817fba2f..65744f2d38da 100644
--- a/net/ipv6/seg6.c
+++ b/net/ipv6/seg6.c
@@ -374,7 +374,11 @@ static int __net_init seg6_net_init(struct net *net)
net->ipv6.seg6_data = sdata;
#ifdef CONFIG_IPV6_SEG6_HMAC
- seg6_hmac_net_init(net);
+ if (seg6_hmac_net_init(net)) {
+ kfree(sdata);
+ kfree(rcu_dereference_raw(sdata->tun_src));
+ return -ENOMEM;
+ };
#endif
return 0;
@@ -388,7 +392,7 @@ static void __net_exit seg6_net_exit(struct net *net)
seg6_hmac_net_exit(net);
#endif
- kfree(sdata->tun_src);
+ kfree(rcu_dereference_raw(sdata->tun_src));
kfree(sdata);
}
diff --git a/net/ipv6/seg6_hmac.c b/net/ipv6/seg6_hmac.c
index 687d95dce085..29bc4e7c3046 100644
--- a/net/ipv6/seg6_hmac.c
+++ b/net/ipv6/seg6_hmac.c
@@ -405,9 +405,7 @@ int __net_init seg6_hmac_net_init(struct net *net)
{
struct seg6_pernet_data *sdata = seg6_pernet(net);
- rhashtable_init(&sdata->hmac_infos, &rht_params);
-
- return 0;
+ return rhashtable_init(&sdata->hmac_infos, &rht_params);
}
EXPORT_SYMBOL(seg6_hmac_net_init);
--
2.25.1
When rhashtable_init() fails, it returns -EINVAL.
However, since error return value of rhashtable_init is not checked,
it can cause use of uninitialized pointers.
So, fix unhandled errors of rhashtable_init.
Signed-off-by: MichelleJin <[email protected]>
---
v1->v2:
- change commit message
- fix possible memory leaks
v2->v3:
- nothing changed
v3-> v4:
- nothing changed
net/mac80211/mesh_pathtbl.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/net/mac80211/mesh_pathtbl.c b/net/mac80211/mesh_pathtbl.c
index efbefcbac3ac..7cab1cf09bf1 100644
--- a/net/mac80211/mesh_pathtbl.c
+++ b/net/mac80211/mesh_pathtbl.c
@@ -60,7 +60,10 @@ static struct mesh_table *mesh_table_alloc(void)
atomic_set(&newtbl->entries, 0);
spin_lock_init(&newtbl->gates_lock);
spin_lock_init(&newtbl->walk_lock);
- rhashtable_init(&newtbl->rhead, &mesh_rht_params);
+ if (rhashtable_init(&newtbl->rhead, &mesh_rht_params)) {
+ kfree(newtbl);
+ return NULL;
+ }
return newtbl;
}
--
2.25.1
On 9/26/21 9:34 PM, MichelleJin wrote:
> When rhashtable_init() fails, it returns -EINVAL.
> However, since error return value of rhashtable_init is not checked,
> it can cause use of uninitialized pointers.
> So, fix unhandled errors of rhashtable_init.
>
> Signed-off-by: MichelleJin <[email protected]>
> ---
Reviewed-by: David Ahern <[email protected]>
Hello:
This series was applied to netdev/net-next.git (refs/heads/master):
On Mon, 27 Sep 2021 03:34:54 +0000 you wrote:
> When rhashtable_init() fails, it returns -EINVAL.
> However, since error return value of rhashtable_init is not checked,
> it can cause use of uninitialized pointers.
> So, fix unhandled errors of rhashtable_init.
> The three patches are essentially the same logic.
>
> v1->v2:
> - change commit message
> - fix possible memory leaks
> v2->v3:
> - split patch into mlx5e, ipv6, mac80211
> v3->v4:
> - fix newly created warnings due to patches in net/ipv6/seg6.c
>
> [...]
Here is the summary with links:
- [net-next,v4,1/3] net/mlx5e: check return value of rhashtable_init
https://git.kernel.org/netdev/net-next/c/d7cade513752
- [net-next,v4,2/3] net: ipv6: check return value of rhashtable_init
https://git.kernel.org/netdev/net-next/c/f04ed7d277e8
- [net-next,v4,3/3] net: mac80211: check return value of rhashtable_init
https://git.kernel.org/netdev/net-next/c/f43bed7193a3
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
On 2021-09-27 6:34 AM, MichelleJin wrote:
> When rhashtable_init() fails, it returns -EINVAL.
> However, since error return value of rhashtable_init is not checked,
> it can cause use of uninitialized pointers.
> So, fix unhandled errors of rhashtable_init.
>
> Signed-off-by: MichelleJin <[email protected]>
> ---
>
> v1->v2:
> - change commit message
> - fix unneeded destroying of ht
> v2->v3:
> - nothing changed
> v3->v4:
> - nothing changed
>
> drivers/net/ethernet/mellanox/mlx5/core/en/tc_ct.c | 14 +++++++++++---
> 1 file changed, 11 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_ct.c b/drivers/net/ethernet/mellanox/mlx5/core/en/tc_ct.c
> index 6c949abcd2e1..225748a9e52a 100644
> --- a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_ct.c
> +++ b/drivers/net/ethernet/mellanox/mlx5/core/en/tc_ct.c
> @@ -2127,12 +2127,20 @@ mlx5_tc_ct_init(struct mlx5e_priv *priv, struct mlx5_fs_chains *chains,
>
> ct_priv->post_act = post_act;
> mutex_init(&ct_priv->control_lock);
> - rhashtable_init(&ct_priv->zone_ht, &zone_params);
> - rhashtable_init(&ct_priv->ct_tuples_ht, &tuples_ht_params);
> - rhashtable_init(&ct_priv->ct_tuples_nat_ht, &tuples_nat_ht_params);
> + if (rhashtable_init(&ct_priv->zone_ht, &zone_params))
> + goto err_ct_zone_ht;
> + if (rhashtable_init(&ct_priv->ct_tuples_ht, &tuples_ht_params))
> + goto err_ct_tuples_ht;
> + if (rhashtable_init(&ct_priv->ct_tuples_nat_ht, &tuples_nat_ht_params))
> + goto err_ct_tuples_nat_ht;
>
> return ct_priv;
>
> +err_ct_tuples_nat_ht:
> + rhashtable_destroy(&ct_priv->ct_tuples_ht);
> +err_ct_tuples_ht:
> + rhashtable_destroy(&ct_priv->zone_ht);
> +err_ct_zone_ht:
> err_ct_nat_tbl:
> mlx5_chains_destroy_global_table(chains, ct_priv->ct);
> err_ct_tbl:
>
Reviewed-by: Roi Dayan <[email protected]>