diff options
| author | Daniel Borkmann <dborkman@redhat.com> | 2015-01-05 17:57:43 -0500 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2015-01-05 22:55:24 -0500 |
| commit | 0409c9a5a7546043d32e8c46df0dcaf65f97f659 (patch) | |
| tree | d928884ae43414093c2f870bfb8206b65cdc9a30 /net/ipv6 | |
| parent | 6cb69742daa1770fe1ce54cf45f8951376518176 (diff) | |
net: fib6: fib6_commit_metrics: fix potential NULL pointer dereference
When IPv6 host routes with metrics attached are being added, we fetch
the metrics store from the dst via COW through dst_metrics_write_ptr(),
added through commit e5fd387ad5b3.
One remaining problem here is that we actually call into inet_getpeer()
and may end up allocating/creating a new peer from the kmemcache, which
may fail.
Example trace from perf probe (inet_getpeer:41) where create is 1:
ip 6877 [002] 4221.391591: probe:inet_getpeer: (ffffffff8165e293)
85e294 inet_getpeer.part.7 (<- kmem_cache_alloc())
85e578 inet_getpeer
8eb333 ipv6_cow_metrics
8f10ff fib6_commit_metrics
Therefore, a check for NULL on the return of dst_metrics_write_ptr()
is necessary here.
Joint work with Florian Westphal.
Fixes: e5fd387ad5b3 ("ipv6: do not overwrite inetpeer metrics prematurely")
Cc: Michal Kubeček <mkubecek@suse.cz>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/ipv6')
| -rw-r--r-- | net/ipv6/ip6_fib.c | 13 |
1 files changed, 6 insertions, 7 deletions
diff --git a/net/ipv6/ip6_fib.c b/net/ipv6/ip6_fib.c index b2d1838897c9..db4984e13f2f 100644 --- a/net/ipv6/ip6_fib.c +++ b/net/ipv6/ip6_fib.c | |||
| @@ -633,18 +633,17 @@ static bool rt6_qualify_for_ecmp(struct rt6_info *rt) | |||
| 633 | static int fib6_commit_metrics(struct dst_entry *dst, | 633 | static int fib6_commit_metrics(struct dst_entry *dst, |
| 634 | struct nlattr *mx, int mx_len) | 634 | struct nlattr *mx, int mx_len) |
| 635 | { | 635 | { |
| 636 | bool dst_host = dst->flags & DST_HOST; | ||
| 636 | struct nlattr *nla; | 637 | struct nlattr *nla; |
| 637 | int remaining; | 638 | int remaining; |
| 638 | u32 *mp; | 639 | u32 *mp; |
| 639 | 640 | ||
| 640 | if (dst->flags & DST_HOST) { | 641 | mp = dst_host ? dst_metrics_write_ptr(dst) : |
| 641 | mp = dst_metrics_write_ptr(dst); | 642 | kzalloc(sizeof(u32) * RTAX_MAX, GFP_ATOMIC); |
| 642 | } else { | 643 | if (unlikely(!mp)) |
| 643 | mp = kzalloc(sizeof(u32) * RTAX_MAX, GFP_ATOMIC); | 644 | return -ENOMEM; |
| 644 | if (!mp) | 645 | if (!dst_host) |
| 645 | return -ENOMEM; | ||
| 646 | dst_init_metrics(dst, mp, 0); | 646 | dst_init_metrics(dst, mp, 0); |
| 647 | } | ||
| 648 | 647 | ||
| 649 | nla_for_each_attr(nla, mx, mx_len, remaining) { | 648 | nla_for_each_attr(nla, mx, mx_len, remaining) { |
| 650 | int type = nla_type(nla); | 649 | int type = nla_type(nla); |