Commit 21985f43 authored by Kuniyuki Iwashima's avatar Kuniyuki Iwashima Committed by Jakub Kicinski

udp: Call inet6_destroy_sock() in setsockopt(IPV6_ADDRFORM).

Commit 4b340ae2 ("IPv6: Complete IPV6_DONTFRAG support") forgot
to add a change to free inet6_sk(sk)->rxpmtu while converting an IPv6
socket into IPv4 with IPV6_ADDRFORM.  After conversion, sk_prot is
changed to udp_prot and ->destroy() never cleans it up, resulting in
a memory leak.

This is due to the discrepancy between inet6_destroy_sock() and
IPV6_ADDRFORM, so let's call inet6_destroy_sock() from IPV6_ADDRFORM
to remove the difference.

However, this is not enough for now because rxpmtu can be changed
without lock_sock() after commit 03485f2a ("udpv6: Add lockless
sendmsg() support").  We will fix this case in the following patch.

Note we will rename inet6_destroy_sock() to inet6_cleanup_sock() and
remove unnecessary inet6_destroy_sock() calls in sk_prot->destroy()
in the future.

Fixes: 4b340ae2 ("IPv6: Complete IPV6_DONTFRAG support")
Signed-off-by: default avatarKuniyuki Iwashima <kuniyu@amazon.com>
Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
parent 3c52c6bb
...@@ -1182,6 +1182,7 @@ void ipv6_icmp_error(struct sock *sk, struct sk_buff *skb, int err, __be16 port, ...@@ -1182,6 +1182,7 @@ void ipv6_icmp_error(struct sock *sk, struct sk_buff *skb, int err, __be16 port,
void ipv6_local_error(struct sock *sk, int err, struct flowi6 *fl6, u32 info); void ipv6_local_error(struct sock *sk, int err, struct flowi6 *fl6, u32 info);
void ipv6_local_rxpmtu(struct sock *sk, struct flowi6 *fl6, u32 mtu); void ipv6_local_rxpmtu(struct sock *sk, struct flowi6 *fl6, u32 mtu);
void inet6_cleanup_sock(struct sock *sk);
int inet6_release(struct socket *sock); int inet6_release(struct socket *sock);
int inet6_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len); int inet6_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len);
int inet6_getname(struct socket *sock, struct sockaddr *uaddr, int inet6_getname(struct socket *sock, struct sockaddr *uaddr,
......
...@@ -510,6 +510,12 @@ void inet6_destroy_sock(struct sock *sk) ...@@ -510,6 +510,12 @@ void inet6_destroy_sock(struct sock *sk)
} }
EXPORT_SYMBOL_GPL(inet6_destroy_sock); EXPORT_SYMBOL_GPL(inet6_destroy_sock);
void inet6_cleanup_sock(struct sock *sk)
{
inet6_destroy_sock(sk);
}
EXPORT_SYMBOL_GPL(inet6_cleanup_sock);
/* /*
* This does both peername and sockname. * This does both peername and sockname.
*/ */
......
...@@ -431,9 +431,6 @@ int do_ipv6_setsockopt(struct sock *sk, int level, int optname, ...@@ -431,9 +431,6 @@ int do_ipv6_setsockopt(struct sock *sk, int level, int optname,
if (optlen < sizeof(int)) if (optlen < sizeof(int))
goto e_inval; goto e_inval;
if (val == PF_INET) { if (val == PF_INET) {
struct ipv6_txoptions *opt;
struct sk_buff *pktopt;
if (sk->sk_type == SOCK_RAW) if (sk->sk_type == SOCK_RAW)
break; break;
...@@ -464,7 +461,6 @@ int do_ipv6_setsockopt(struct sock *sk, int level, int optname, ...@@ -464,7 +461,6 @@ int do_ipv6_setsockopt(struct sock *sk, int level, int optname,
break; break;
} }
fl6_free_socklist(sk);
__ipv6_sock_mc_close(sk); __ipv6_sock_mc_close(sk);
__ipv6_sock_ac_close(sk); __ipv6_sock_ac_close(sk);
...@@ -501,14 +497,14 @@ int do_ipv6_setsockopt(struct sock *sk, int level, int optname, ...@@ -501,14 +497,14 @@ int do_ipv6_setsockopt(struct sock *sk, int level, int optname,
sk->sk_socket->ops = &inet_dgram_ops; sk->sk_socket->ops = &inet_dgram_ops;
sk->sk_family = PF_INET; sk->sk_family = PF_INET;
} }
opt = xchg((__force struct ipv6_txoptions **)&np->opt,
NULL); /* Disable all options not to allocate memory anymore,
if (opt) { * but there is still a race. See the lockless path
atomic_sub(opt->tot_len, &sk->sk_omem_alloc); * in udpv6_sendmsg() and ipv6_local_rxpmtu().
txopt_put(opt); */
} np->rxopt.all = 0;
pktopt = xchg(&np->pktoptions, NULL);
kfree_skb(pktopt); inet6_cleanup_sock(sk);
/* /*
* ... and add it to the refcnt debug socks count * ... and add it to the refcnt debug socks count
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment