
netlink: fix state reallocation in policy export

Message ID 20200819122255.6b32aa54d205.I316de8a67c79a393ae1826a1b2dcc08f31b1856e@changeid
State Superseded
Delegated to: David Miller

Commit Message

Johannes Berg Aug. 19, 2020, 10:22 a.m. UTC
From: Johannes Berg <johannes.berg@intel.com>

Evidently, when I did this previously, we didn't have more than
10 policies and didn't run into the reallocation path, because
it's missing a memset() for the unused policies. Fix that.

Fixes: d07dcf9aadd6 ("netlink: add infrastructure to expose policies to userspace")
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
---
 net/netlink/policy.c | 3 +++
 1 file changed, 3 insertions(+)

Comments

Jakub Kicinski Aug. 19, 2020, 7:10 p.m. UTC | #1
On Wed, 19 Aug 2020 12:22:55 +0200 Johannes Berg wrote:
> From: Johannes Berg <johannes.berg@intel.com>
> 
> Evidently, when I did this previously, we didn't have more than
> 10 policies and didn't run into the reallocation path, because
> it's missing a memset() for the unused policies. Fix that.
> 
> Fixes: d07dcf9aadd6 ("netlink: add infrastructure to expose policies to userspace")
> Signed-off-by: Johannes Berg <johannes.berg@intel.com>
> ---
>  net/netlink/policy.c | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/net/netlink/policy.c b/net/netlink/policy.c
> index f6491853c797..3f3b421fd70c 100644
> --- a/net/netlink/policy.c
> +++ b/net/netlink/policy.c
> @@ -51,6 +51,9 @@ static int add_policy(struct nl_policy_dump **statep,
>  	if (!state)
>  		return -ENOMEM;
>  
> +	memset(&state->policies[state->n_alloc], 0,
> +	       sizeof(state->policies[0]) * (n_alloc - state->n_alloc));


[flex_]array_size() ? To avoid the inevitable follow up from a bot..
Johannes Berg Aug. 19, 2020, 7:52 p.m. UTC | #2
On Wed, 2020-08-19 at 12:10 -0700, Jakub Kicinski wrote:
 
> > +	memset(&state->policies[state->n_alloc], 0,
> > +	       sizeof(state->policies[0]) * (n_alloc - state->n_alloc));
> 
> [flex_]array_size() ? To avoid the inevitable follow up from a bot..

Yeah, hmm.

I suppose you know this but we can't really overflow anything here since
all of the factors are kernel controlled; you can't really have enough
policies in memory to overflow this, I'd think. We walk the constant
policies and their nested policies - nl80211 is a *heavy* user and only
recently went >10 policies linked together (triggering the bug)...

Really what we need is kzrealloc() ;-)

I'll send a v2 using flex_array_size(), it doesn't look any worse and I
don't care about the overflow check either since it's not at all a fast-
path.

johannes

Patch

diff --git a/net/netlink/policy.c b/net/netlink/policy.c
index f6491853c797..3f3b421fd70c 100644
--- a/net/netlink/policy.c
+++ b/net/netlink/policy.c
@@ -51,6 +51,9 @@  static int add_policy(struct nl_policy_dump **statep,
 	if (!state)
 		return -ENOMEM;
 
+	memset(&state->policies[state->n_alloc], 0,
+	       sizeof(state->policies[0]) * (n_alloc - state->n_alloc));
+
 	state->policies[state->n_alloc].policy = policy;
 	state->policies[state->n_alloc].maxtype = maxtype;
 	state->n_alloc = n_alloc;
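Review bot: the open-coded `sizeof(state->policies[0]) * (n_alloc - state->n_alloc)` in the added memset() is exactly the size arithmetic that array_size()/flex_array_size() from include/linux/overflow.h exist for; if `policies` is the flexible array member at the end of `struct nl_policy_dump`, `flex_array_size(state, policies, n_alloc - state->n_alloc)` yields the same byte count and saturates instead of wrapping should the multiplication ever overflow, which also keeps the Coccinelle/checkpatch-style bots quiet. The placement of the zeroing itself looks right: it runs after the allocation-failure check on `state`, covers only the newly grown slots from `state->n_alloc` up to `n_alloc`, and is done before `state->n_alloc = n_alloc` is updated, so the slot written on the following two lines is initialised before use.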