From: gregkh@linuxfoundation.org
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, syzbot+9ec037722d2603a9f52e@syzkaller.appspotmail.com, Paul Moore, "David S. Miller"
Subject: [PATCH 4.14 20/95] cipso,calipso: resolve a number of problems with the DOI refcounts
Date: Mon, 15 Mar 2021 14:56:50 +0100
Message-Id: <20210315135740.944952360@linuxfoundation.org>
In-Reply-To: <20210315135740.245494252@linuxfoundation.org>
References: <20210315135740.245494252@linuxfoundation.org>

From: Greg Kroah-Hartman

From: Paul Moore

commit ad5d07f4a9cd671233ae20983848874731102c08 upstream.

The current CIPSO and CALIPSO refcounting scheme for the DOI definitions is a bit flawed in that we:

1. Don't correctly match gets/puts in netlbl_cipsov4_list().
2. Decrement the refcount on each attempt to remove the DOI from the DOI list, only removing it from the list once the refcount drops to zero.

This patch fixes these problems by adding the missing "puts" to netlbl_cipsov4_list() and introduces a more conventional, i.e. not-buggy, refcounting mechanism to the DOI definitions. Upon the addition of a DOI to the DOI list, it is initialized with a refcount of one, removing a DOI from the list removes it from the list and drops the refcount by one; "gets" and "puts" behave as expected with respect to refcounts, increasing and decreasing the DOI's refcount by one.

Fixes: b1edeb102397 ("netlabel: Replace protocol/NetLabel linking with refrerence counts")
Fixes: d7cce01504a0 ("netlabel: Add support for removing a CALIPSO DOI.")
Reported-by: syzbot+9ec037722d2603a9f52e@syzkaller.appspotmail.com
Signed-off-by: Paul Moore
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman --- net/ipv4/cipso_ipv4.c | 11 +---------- net/ipv6/calipso.c | 14 +++++--------- net/netlabel/netlabel_cipso_v4.c | 3 +++ 3 files changed, 9 insertions(+), 19 deletions(-) --- a/net/ipv4/cipso_ipv4.c +++ b/net/ipv4/cipso_ipv4.c @@ -533,16 +533,10 @@ int cipso_v4_doi_remove(u32 doi, struct ret_val = -ENOENT; goto doi_remove_return; } - if (!refcount_dec_and_test(&doi_def->refcount)) { - spin_unlock(&cipso_v4_doi_list_lock); - ret_val = -EBUSY; - goto doi_remove_return; - } list_del_rcu(&doi_def->list); spin_unlock(&cipso_v4_doi_list_lock); - cipso_v4_cache_invalidate(); - call_rcu(&doi_def->rcu, cipso_v4_doi_free_rcu); + cipso_v4_doi_putdef(doi_def); ret_val = 0; doi_remove_return: @@ -599,9 +593,6 @@ void cipso_v4_doi_putdef(struct cipso_v4 if (!refcount_dec_and_test(&doi_def->refcount)) return; - spin_lock(&cipso_v4_doi_list_lock); - list_del_rcu(&doi_def->list); - spin_unlock(&cipso_v4_doi_list_lock); cipso_v4_cache_invalidate(); call_rcu(&doi_def->rcu, cipso_v4_doi_free_rcu); --- a/net/ipv6/calipso.c +++ b/net/ipv6/calipso.c @@ -97,6 +97,9 @@ struct calipso_map_cache_entry { static struct calipso_map_cache_bkt *calipso_cache; +static void calipso_cache_invalidate(void); +static void calipso_doi_putdef(struct calipso_doi *doi_def); + /* Label Mapping Cache Functions */ @@ -458,15 +461,10 @@ static int calipso_doi_remove(u32 doi, s ret_val = -ENOENT; goto doi_remove_return; } - if (!refcount_dec_and_test(&doi_def->refcount)) { - spin_unlock(&calipso_doi_list_lock); - ret_val = -EBUSY; - goto doi_remove_return; - } list_del_rcu(&doi_def->list); spin_unlock(&calipso_doi_list_lock); - call_rcu(&doi_def->rcu, calipso_doi_free_rcu); + calipso_doi_putdef(doi_def); ret_val = 0; doi_remove_return: 
@@ -522,10 +520,8 @@ static void calipso_doi_putdef(struct ca if (!refcount_dec_and_test(&doi_def->refcount)) return; - spin_lock(&calipso_doi_list_lock); - list_del_rcu(&doi_def->list); - spin_unlock(&calipso_doi_list_lock); + calipso_cache_invalidate(); call_rcu(&doi_def->rcu, calipso_doi_free_rcu); } --- a/net/netlabel/netlabel_cipso_v4.c +++ b/net/netlabel/netlabel_cipso_v4.c @@ -581,6 +581,7 @@ list_start: break; } + cipso_v4_doi_putdef(doi_def); rcu_read_unlock(); genlmsg_end(ans_skb, data); @@ -589,12 +590,14 @@ list_start: list_retry: /* XXX - this limit is a guesstimate */ if (nlsze_mult < 4) { + cipso_v4_doi_putdef(doi_def); rcu_read_unlock(); kfree_skb(ans_skb); nlsze_mult *= 2; goto list_start; } list_failure_lock: + cipso_v4_doi_putdef(doi_def); rcu_read_unlock(); list_failure: kfree_skb(ans_skb);
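
Review bot: In cipso_v4_doi_remove() (net/ipv4/cipso_ipv4.c, hunk at -533), dropping the refcount_dec_and_test() branch also drops the -EBUSY return, so removing a DOI that still has holders now ends with ret_val = 0 while the definition stays allocated until the last cipso_v4_doi_putdef(). That is a caller-visible change that the commit message does not spell out; please state it there, and update any function comment or caller that documents or handles -EBUSY in the same patch.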
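
Review bot: In cipso_v4_doi_putdef() (net/ipv4/cipso_ipv4.c, hunk at -599), removing the list_del_rcu() under cipso_v4_doi_list_lock means the final put hands the definition to call_rcu() without unlinking it, so correctness now depends on the list holding its own reference that only cipso_v4_doi_remove() drops. An unbalanced put anywhere else would leave a freed entry on the list for RCU readers to walk. Suggest a comment above the refcount_dec_and_test() call stating that invariant.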
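
Review bot: In calipso_doi_remove() (net/ipv6/calipso.c, hunk at -458), the DOI is unlinked under calipso_doi_list_lock but all teardown is left to calipso_doi_putdef(), so together with the hunk at -522 calipso_cache_invalidate() runs only when the last reference is dropped, not at removal time. If other holders keep the definition alive, label-mapping cache entries created for the removed DOI are not flushed during that window. Please confirm that is intended, or invalidate the cache here after spin_unlock(). The same question applies to cipso_v4_doi_remove(), where the direct cipso_v4_cache_invalidate() call was removed.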
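
Review bot: The added calipso_cache_invalidate() in calipso_doi_putdef() (net/ipv6/calipso.c, hunk at -522) is new behaviour for CALIPSO that the changelog does not mention: the lines removed from calipso_doi_remove() never invalidated the cache, and the commit message only talks about refcounts. Please describe the cache invalidation in the commit message so it is clear the change is deliberate and not a side effect of mirroring the CIPSO code.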
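
Review bot: In netlbl_cipsov4_list() (net/netlabel/netlabel_cipso_v4.c, hunk at -589), the put is added at list_retry and list_failure_lock but not at list_failure, so the fix relies on every goto list_failure_lock happening only after a successful get and every goto list_failure happening before one. The visible lines do not show whether cipso_v4_doi_putdef() accepts NULL, so please confirm no path reaches list_failure_lock with doi_def unset, and add a short comment at the labels saying which ones hold a reference. Counting the success path in the hunk at -581, this makes three open-coded cipso_v4_doi_putdef()/rcu_read_unlock() pairs; a shared exit label would be harder to get wrong.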