Skip to content

Commit

Permalink
Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/gi…
Browse files Browse the repository at this point in the history
…t/klassert/ipsec

Steffen Klassert says:

====================
pull request (net): ipsec 2018-07-27

1) Fix PMTU handling of vti6. We update the PMTU on
   the xfrm dst_entry which is not cached anymore
   after the flowchache removal. So update the
   PMTU of the original dst_entry instead.
   From Eyal Birger.

2) Fix a leak of kernel memory to userspace.
   From Eric Dumazet.

3) Fix a possible dst_entry memleak in xfrm_lookup_route.
   From Tommi Rantala.

4) Fix a skb leak in case we can't call nlmsg_multicast
   from xfrm_nlmsg_multicast. From Florian Westphal.

5) Fix a leak of a temporary buffer in the error path of
   esp6_input. From Zhen Lei.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
  • Loading branch information
David S. Miller committed Jul 27, 2018
2 parents 101f0cd + 7284fdf commit d0fdb36
Show file tree
Hide file tree
Showing 4 changed files with 23 additions and 13 deletions.
4 changes: 3 additions & 1 deletion net/ipv6/esp6.c
Original file line number Diff line number Diff line change
Expand Up @@ -669,8 +669,10 @@ static int esp6_input(struct xfrm_state *x, struct sk_buff *skb)

sg_init_table(sg, nfrags);
ret = skb_to_sgvec(skb, sg, 0, skb->len);
if (unlikely(ret < 0))
if (unlikely(ret < 0)) {
kfree(tmp);
goto out;
}

skb->ip_summed = CHECKSUM_NONE;

Expand Down
11 changes: 6 additions & 5 deletions net/ipv6/ip6_vti.c
Original file line number Diff line number Diff line change
Expand Up @@ -480,10 +480,6 @@ vti6_xmit(struct sk_buff *skb, struct net_device *dev, struct flowi *fl)
goto tx_err_dst_release;
}

skb_scrub_packet(skb, !net_eq(t->net, dev_net(dev)));
skb_dst_set(skb, dst);
skb->dev = skb_dst(skb)->dev;

mtu = dst_mtu(dst);
if (!skb->ignore_df && skb->len > mtu) {
skb_dst_update_pmtu(skb, mtu);
Expand All @@ -498,9 +494,14 @@ vti6_xmit(struct sk_buff *skb, struct net_device *dev, struct flowi *fl)
htonl(mtu));
}

return -EMSGSIZE;
err = -EMSGSIZE;
goto tx_err_dst_release;
}

skb_scrub_packet(skb, !net_eq(t->net, dev_net(dev)));
skb_dst_set(skb, dst);
skb->dev = skb_dst(skb)->dev;

err = dst_output(t->net, skb->sk, skb);
if (net_xmit_eval(err) == 0) {
struct pcpu_sw_netstats *tstats = this_cpu_ptr(dev->tstats);
Expand Down
3 changes: 3 additions & 0 deletions net/xfrm/xfrm_policy.c
Original file line number Diff line number Diff line change
Expand Up @@ -2286,6 +2286,9 @@ struct dst_entry *xfrm_lookup_route(struct net *net, struct dst_entry *dst_orig,
if (IS_ERR(dst) && PTR_ERR(dst) == -EREMOTE)
return make_blackhole(net, dst_orig->ops->family, dst_orig);

if (IS_ERR(dst))
dst_release(dst_orig);

return dst;
}
EXPORT_SYMBOL(xfrm_lookup_route);
Expand Down
18 changes: 11 additions & 7 deletions net/xfrm/xfrm_user.c
Original file line number Diff line number Diff line change
Expand Up @@ -1025,10 +1025,12 @@ static inline int xfrm_nlmsg_multicast(struct net *net, struct sk_buff *skb,
{
struct sock *nlsk = rcu_dereference(net->xfrm.nlsk);

if (nlsk)
return nlmsg_multicast(nlsk, skb, pid, group, GFP_ATOMIC);
else
return -1;
if (!nlsk) {
kfree_skb(skb);
return -EPIPE;
}

return nlmsg_multicast(nlsk, skb, pid, group, GFP_ATOMIC);
}

static inline unsigned int xfrm_spdinfo_msgsize(void)
Expand Down Expand Up @@ -1671,9 +1673,11 @@ static inline unsigned int userpolicy_type_attrsize(void)
#ifdef CONFIG_XFRM_SUB_POLICY
static int copy_to_user_policy_type(u8 type, struct sk_buff *skb)
{
struct xfrm_userpolicy_type upt = {
.type = type,
};
struct xfrm_userpolicy_type upt;

/* Sadly there are two holes in struct xfrm_userpolicy_type */
memset(&upt, 0, sizeof(upt));
upt.type = type;

return nla_put(skb, XFRMA_POLICY_TYPE, sizeof(upt), &upt);
}
Expand Down

0 comments on commit d0fdb36

Please sign in to comment.