netns: fix double free at netns creation

This patch fix a double free when a network namespace fails. The previous code does a kfree of the net_generic structure when one of the init subsystem initialization fails. The 'setup_net' function does kfree(ng) and returns an error. The caller, 'copy_net_ns', call net_free on error, and this one calls kfree(net->gen), making this pointer freed twice. This patch make the code symetric, the net_alloc does the net_generic allocation and the net_free frees the net_generic. Signed-off-by: Daniel Lezcano <daniel.lezcano@free.fr> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Daniel Lezcano <daniel.lezcano@free.fr> 2009-02-22 03:07:53 -0500
committer: David S. Miller <davem@davemloft.net> 2009-02-22 03:07:53 -0500
commit: 486a87f1e5624096bd1c09e9e716239597d48dca (patch)
tree: bdcb9749acfa351d0e53a9b0b243b0de3ce0d02c /net
parent: ee923623177249cf22c43419ad0e8ff926dd1f58 (diff)
1 files changed, 55 insertions, 31 deletions
diff --git a/net/core/net_namespace.c b/net/core/net_namespace.c
index 55151faaf90c..b0767abf23e5 100644
--- a/net/core/net_namespace.c
+++ b/net/core/net_namespace.c
@@ -32,24 +32,14 @@ static __net_init int setup_net(struct net *net)
 {
        /* Must be called with net_mutex held */
        struct pernet_operations *ops;
-        int error;
+        int error = 0;
-        struct net_generic *ng;
        atomic_set(&net->count, 1);
 #ifdef NETNS_REFCNT_DEBUG
        atomic_set(&net->use_count, 0);
 #endif
-        error = -ENOMEM;
-        ng = kzalloc(sizeof(struct net_generic) +
-                        INITIAL_NET_GEN_PTRS * sizeof(void *), GFP_KERNEL);
-        if (ng == NULL)
-                goto out;
-        ng->len = INITIAL_NET_GEN_PTRS;
-        rcu_assign_pointer(net->gen, ng);
-        error = 0;
        list_for_each_entry(ops, &pernet_list, list) {
                if (ops->init) {
                        error = ops->init(net);
@@ -70,7 +60,6 @@ out_undo:
        }
        rcu_barrier();
-        kfree(ng);
        goto out;
 }
@@ -78,16 +67,43 @@ out_undo:
 static struct kmem_cache *net_cachep;
 static struct workqueue_struct *netns_wq;
-static struct net *net_alloc(void)
+static struct net_generic *net_alloc_generic(void)
 {
-        return kmem_cache_zalloc(net_cachep, GFP_KERNEL);
+        struct net_generic *ng;
+        size_t generic_size = sizeof(struct net_generic) +
+                INITIAL_NET_GEN_PTRS * sizeof(void *);
+        ng = kzalloc(generic_size, GFP_KERNEL);
+        if (ng)
+                ng->len = INITIAL_NET_GEN_PTRS;
+        return ng;
 }
-static void net_free(struct net *net)
+static struct net *net_alloc(void)
 {
+        struct net *net = NULL;
+        struct net_generic *ng;
+        ng = net_alloc_generic();
+        if (!ng)
+                goto out;
+        net = kmem_cache_zalloc(net_cachep, GFP_KERNEL);
        if (!net)
-                return;
+                goto out_free;
+        rcu_assign_pointer(net->gen, ng);
+out:
+        return net;
+out_free:
+        kfree(ng);
+        goto out;
+}
+static void net_free(struct net *net)
+{
 #ifdef NETNS_REFCNT_DEBUG
        if (unlikely(atomic_read(&net->use_count) != 0)) {
                printk(KERN_EMERG "network namespace not free! Usage: %d\n",
@@ -112,27 +128,28 @@ struct net *copy_net_ns(unsigned long flags, struct net *old_net)
        err = -ENOMEM;
        new_net = net_alloc();
        if (!new_net)
-                goto out;
+                goto out_err;
        mutex_lock(&net_mutex);
        err = setup_net(new_net);
-        if (err)
+        if (!err) {
-                goto out_unlock;
+                rtnl_lock();
+                list_add_tail(&new_net->list, &net_namespace_list);
-        rtnl_lock();
+                rtnl_unlock();
-        list_add_tail(&new_net->list, &net_namespace_list);
+        }
-        rtnl_unlock();
-out_unlock:
        mutex_unlock(&net_mutex);
+        if (err)
+                goto out_free;
 out:
        put_net(old_net);
-        if (err) {
-                net_free(new_net);
-                new_net = ERR_PTR(err);
-        }
        return new_net;
+out_free:
+        net_free(new_net);
+out_err:
+        new_net = ERR_PTR(err);
+        goto out;
 }
 static void cleanup_net(struct work_struct *work)
@@ -188,6 +205,7 @@ struct net *copy_net_ns(unsigned long flags, struct net *old_net)
 static int __init net_ns_init(void)
 {
+        struct net_generic *ng;
        int err;
        printk(KERN_INFO "net_namespace: %zd bytes\n", sizeof(struct net));
@@ -202,6 +220,12 @@ static int __init net_ns_init(void)
                panic("Could not create netns workq");
 #endif
+        ng = net_alloc_generic();
+        if (!ng)
+                panic("Could not allocate generic netns");
+        rcu_assign_pointer(init_net.gen, ng);
        mutex_lock(&net_mutex);
        err = setup_net(&init_net);
author	Daniel Lezcano <daniel.lezcano@free.fr>	2009-02-22 03:07:53 -0500
committer	David S. Miller <davem@davemloft.net>	2009-02-22 03:07:53 -0500
commit	486a87f1e5624096bd1c09e9e716239597d48dca (patch)
tree	bdcb9749acfa351d0e53a9b0b243b0de3ce0d02c /net
parent	ee923623177249cf22c43419ad0e8ff926dd1f58 (diff)

diff --git a/net/core/net_namespace.c b/net/core/net_namespace.c index 55151faaf90c..b0767abf23e5 100644 --- a/net/core/net_namespace.c +++ b/net/core/net_namespace.c
@@ -32,24 +32,14 @@ static __net_init int setup_net(struct net *net)
32	{	32	{
33	/* Must be called with net_mutex held */	33	/* Must be called with net_mutex held */
34	struct pernet_operations *ops;	34	struct pernet_operations *ops;
35	int error;	35	int error = 0;
36	struct net_generic *ng;
37		36
38	atomic_set(&net->count, 1);	37	atomic_set(&net->count, 1);
		38
39	#ifdef NETNS_REFCNT_DEBUG	39	#ifdef NETNS_REFCNT_DEBUG
40	atomic_set(&net->use_count, 0);	40	atomic_set(&net->use_count, 0);
41	#endif	41	#endif
42		42
43	error = -ENOMEM;
44	ng = kzalloc(sizeof(struct net_generic) +
45	INITIAL_NET_GEN_PTRS * sizeof(void *), GFP_KERNEL);
46	if (ng == NULL)
47	goto out;
48
49	ng->len = INITIAL_NET_GEN_PTRS;
50	rcu_assign_pointer(net->gen, ng);
51
52	error = 0;
53	list_for_each_entry(ops, &pernet_list, list) {	43	list_for_each_entry(ops, &pernet_list, list) {
54	if (ops->init) {	44	if (ops->init) {
55	error = ops->init(net);	45	error = ops->init(net);
@@ -70,7 +60,6 @@ out_undo:
70	}	60	}
71		61
72	rcu_barrier();	62	rcu_barrier();
73	kfree(ng);
74	goto out;	63	goto out;
75	}	64	}
76		65
@@ -78,16 +67,43 @@ out_undo:
78	static struct kmem_cache *net_cachep;	67	static struct kmem_cache *net_cachep;
79	static struct workqueue_struct *netns_wq;	68	static struct workqueue_struct *netns_wq;
80		69
81	static struct net *net_alloc(void)	70	static struct net_generic *net_alloc_generic(void)
82	{	71	{
83	return kmem_cache_zalloc(net_cachep, GFP_KERNEL);	72	struct net_generic *ng;
		73	size_t generic_size = sizeof(struct net_generic) +
		74	INITIAL_NET_GEN_PTRS * sizeof(void *);
		75
		76	ng = kzalloc(generic_size, GFP_KERNEL);
		77	if (ng)
		78	ng->len = INITIAL_NET_GEN_PTRS;
		79
		80	return ng;
84	}	81	}
85		82
86	static void net_free(struct net *net)	83	static struct net *net_alloc(void)
87	{	84	{
		85	struct net *net = NULL;
		86	struct net_generic *ng;
		87
		88	ng = net_alloc_generic();
		89	if (!ng)
		90	goto out;
		91
		92	net = kmem_cache_zalloc(net_cachep, GFP_KERNEL);
88	if (!net)	93	if (!net)
89	return;	94	goto out_free;
		95
		96	rcu_assign_pointer(net->gen, ng);
		97	out:
		98	return net;
		99
		100	out_free:
		101	kfree(ng);
		102	goto out;
		103	}
90		104
		105	static void net_free(struct net *net)
		106	{
91	#ifdef NETNS_REFCNT_DEBUG	107	#ifdef NETNS_REFCNT_DEBUG
92	if (unlikely(atomic_read(&net->use_count) != 0)) {	108	if (unlikely(atomic_read(&net->use_count) != 0)) {
93	printk(KERN_EMERG "network namespace not free! Usage: %d\n",	109	printk(KERN_EMERG "network namespace not free! Usage: %d\n",
@@ -112,27 +128,28 @@ struct net copy_net_ns(unsigned long flags, struct net old_net)
112	err = -ENOMEM;	128	err = -ENOMEM;
113	new_net = net_alloc();	129	new_net = net_alloc();
114	if (!new_net)	130	if (!new_net)
115	goto out;	131	goto out_err;
116		132
117	mutex_lock(&net_mutex);	133	mutex_lock(&net_mutex);
118	err = setup_net(new_net);	134	err = setup_net(new_net);
119	if (err)	135	if (!err) {
120	goto out_unlock;	136	rtnl_lock();
121		137	list_add_tail(&new_net->list, &net_namespace_list);
122	rtnl_lock();	138	rtnl_unlock();
123	list_add_tail(&new_net->list, &net_namespace_list);	139	}
124	rtnl_unlock();
125
126
127	out_unlock:
128	mutex_unlock(&net_mutex);	140	mutex_unlock(&net_mutex);
		141
		142	if (err)
		143	goto out_free;
129	out:	144	out:
130	put_net(old_net);	145	put_net(old_net);
131	if (err) {
132	net_free(new_net);
133	new_net = ERR_PTR(err);
134	}
135	return new_net;	146	return new_net;
		147
		148	out_free:
		149	net_free(new_net);
		150	out_err:
		151	new_net = ERR_PTR(err);
		152	goto out;
136	}	153	}
137		154
138	static void cleanup_net(struct work_struct *work)	155	static void cleanup_net(struct work_struct *work)
@@ -188,6 +205,7 @@ struct net copy_net_ns(unsigned long flags, struct net old_net)
188		205
189	static int __init net_ns_init(void)	206	static int __init net_ns_init(void)
190	{	207	{
		208	struct net_generic *ng;
191	int err;	209	int err;
192		210
193	printk(KERN_INFO "net_namespace: %zd bytes\n", sizeof(struct net));	211	printk(KERN_INFO "net_namespace: %zd bytes\n", sizeof(struct net));
@@ -202,6 +220,12 @@ static int __init net_ns_init(void)
202	panic("Could not create netns workq");	220	panic("Could not create netns workq");
203	#endif	221	#endif
204		222
		223	ng = net_alloc_generic();
		224	if (!ng)
		225	panic("Could not allocate generic netns");
		226
		227	rcu_assign_pointer(init_net.gen, ng);
		228
205	mutex_lock(&net_mutex);	229	mutex_lock(&net_mutex);
206	err = setup_net(&init_net);	230	err = setup_net(&init_net);
207		231