Commit 486a87f1 authored by Daniel Lezcano's avatar Daniel Lezcano Committed by David S. Miller

netns: fix double free at netns creation

This patch fixes a double free when network namespace creation fails.
The previous code kfrees the net_generic structure when the
initialization of one of the subsystems fails.
The 'setup_net' function does kfree(ng) and returns an error.
The caller, 'copy_net_ns', calls net_free on error, and that function
calls kfree(net->gen), so this pointer is freed twice.

This patch makes the code symmetric: net_alloc does the net_generic
allocation and net_free frees the net_generic.
Signed-off-by: default avatarDaniel Lezcano <daniel.lezcano@free.fr>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent ee923623
...@@ -32,24 +32,14 @@ static __net_init int setup_net(struct net *net) ...@@ -32,24 +32,14 @@ static __net_init int setup_net(struct net *net)
{ {
/* Must be called with net_mutex held */ /* Must be called with net_mutex held */
struct pernet_operations *ops; struct pernet_operations *ops;
int error; int error = 0;
struct net_generic *ng;
atomic_set(&net->count, 1); atomic_set(&net->count, 1);
#ifdef NETNS_REFCNT_DEBUG #ifdef NETNS_REFCNT_DEBUG
atomic_set(&net->use_count, 0); atomic_set(&net->use_count, 0);
#endif #endif
error = -ENOMEM;
ng = kzalloc(sizeof(struct net_generic) +
INITIAL_NET_GEN_PTRS * sizeof(void *), GFP_KERNEL);
if (ng == NULL)
goto out;
ng->len = INITIAL_NET_GEN_PTRS;
rcu_assign_pointer(net->gen, ng);
error = 0;
list_for_each_entry(ops, &pernet_list, list) { list_for_each_entry(ops, &pernet_list, list) {
if (ops->init) { if (ops->init) {
error = ops->init(net); error = ops->init(net);
...@@ -70,7 +60,6 @@ static __net_init int setup_net(struct net *net) ...@@ -70,7 +60,6 @@ static __net_init int setup_net(struct net *net)
} }
rcu_barrier(); rcu_barrier();
kfree(ng);
goto out; goto out;
} }
...@@ -78,16 +67,43 @@ static __net_init int setup_net(struct net *net) ...@@ -78,16 +67,43 @@ static __net_init int setup_net(struct net *net)
static struct kmem_cache *net_cachep; static struct kmem_cache *net_cachep;
static struct workqueue_struct *netns_wq; static struct workqueue_struct *netns_wq;
static struct net *net_alloc(void) static struct net_generic *net_alloc_generic(void)
{ {
return kmem_cache_zalloc(net_cachep, GFP_KERNEL); struct net_generic *ng;
size_t generic_size = sizeof(struct net_generic) +
INITIAL_NET_GEN_PTRS * sizeof(void *);
ng = kzalloc(generic_size, GFP_KERNEL);
if (ng)
ng->len = INITIAL_NET_GEN_PTRS;
return ng;
} }
static void net_free(struct net *net) static struct net *net_alloc(void)
{ {
struct net *net = NULL;
struct net_generic *ng;
ng = net_alloc_generic();
if (!ng)
goto out;
net = kmem_cache_zalloc(net_cachep, GFP_KERNEL);
if (!net) if (!net)
return; goto out_free;
rcu_assign_pointer(net->gen, ng);
out:
return net;
out_free:
kfree(ng);
goto out;
}
static void net_free(struct net *net)
{
#ifdef NETNS_REFCNT_DEBUG #ifdef NETNS_REFCNT_DEBUG
if (unlikely(atomic_read(&net->use_count) != 0)) { if (unlikely(atomic_read(&net->use_count) != 0)) {
printk(KERN_EMERG "network namespace not free! Usage: %d\n", printk(KERN_EMERG "network namespace not free! Usage: %d\n",
...@@ -112,27 +128,28 @@ struct net *copy_net_ns(unsigned long flags, struct net *old_net) ...@@ -112,27 +128,28 @@ struct net *copy_net_ns(unsigned long flags, struct net *old_net)
err = -ENOMEM; err = -ENOMEM;
new_net = net_alloc(); new_net = net_alloc();
if (!new_net) if (!new_net)
goto out; goto out_err;
mutex_lock(&net_mutex); mutex_lock(&net_mutex);
err = setup_net(new_net); err = setup_net(new_net);
if (err) if (!err) {
goto out_unlock;
rtnl_lock(); rtnl_lock();
list_add_tail(&new_net->list, &net_namespace_list); list_add_tail(&new_net->list, &net_namespace_list);
rtnl_unlock(); rtnl_unlock();
}
out_unlock:
mutex_unlock(&net_mutex); mutex_unlock(&net_mutex);
if (err)
goto out_free;
out: out:
put_net(old_net); put_net(old_net);
if (err) { return new_net;
out_free:
net_free(new_net); net_free(new_net);
out_err:
new_net = ERR_PTR(err); new_net = ERR_PTR(err);
} goto out;
return new_net;
} }
static void cleanup_net(struct work_struct *work) static void cleanup_net(struct work_struct *work)
...@@ -188,6 +205,7 @@ struct net *copy_net_ns(unsigned long flags, struct net *old_net) ...@@ -188,6 +205,7 @@ struct net *copy_net_ns(unsigned long flags, struct net *old_net)
static int __init net_ns_init(void) static int __init net_ns_init(void)
{ {
struct net_generic *ng;
int err; int err;
printk(KERN_INFO "net_namespace: %zd bytes\n", sizeof(struct net)); printk(KERN_INFO "net_namespace: %zd bytes\n", sizeof(struct net));
...@@ -202,6 +220,12 @@ static int __init net_ns_init(void) ...@@ -202,6 +220,12 @@ static int __init net_ns_init(void)
panic("Could not create netns workq"); panic("Could not create netns workq");
#endif #endif
ng = net_alloc_generic();
if (!ng)
panic("Could not allocate generic netns");
rcu_assign_pointer(init_net.gen, ng);
mutex_lock(&net_mutex); mutex_lock(&net_mutex);
err = setup_net(&init_net); err = setup_net(&init_net);
......
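Review bot: net_free() loses its `if (!net) return;` guard in this section, so it now dereferences its argument unconditionally; the `net->use_count` read under NETNS_REFCNT_DEBUG is visible, and the rest of its body lies outside the hunk. The reworked copy_net_ns() only reaches `out_free` after net_alloc() has succeeded, so the caller shown here is safe, but any caller outside this view should be checked against the new precondition. The fix also depends on net->gen having exactly one owner from net_alloc() to net_free(), and nothing in the new code says so. I would add a comment above net_free() such as `/* net must be non-NULL; also frees net->gen attached by net_alloc(), so setup_net() must never free it */` so a later error path does not reintroduce the double free.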