From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Greg Kroah-Hartman, Paul Moore, syzbot+9ec037722d2603a9f52e@syzkaller.appspotmail.com, "David S. Miller", Ben Hutchings
Subject: [PATCH 4.9 151/157] cipso,calipso: resolve a number of problems with the DOI refcounts
Date: Mon, 24 Jan 2022 19:44:01 +0100
Message-Id: <20220124183937.549864875@linuxfoundation.org>
In-Reply-To: <20220124183932.787526760@linuxfoundation.org>
References: <20220124183932.787526760@linuxfoundation.org>

From: Paul Moore

commit ad5d07f4a9cd671233ae20983848874731102c08 upstream.

The current CIPSO and CALIPSO refcounting scheme for the DOI
definitions is a bit flawed in that we:

1. Don't correctly match gets/puts in netlbl_cipsov4_list().
2. Decrement the refcount on each attempt to remove the DOI from the
   DOI list, only removing it from the list once the refcount drops
   to zero.

This patch fixes these problems by adding the missing "puts" to
netlbl_cipsov4_list() and introduces a more conventional, i.e.
not-buggy, refcounting mechanism to the DOI definitions. Upon the
addition of a DOI to the DOI list, it is initialized with a refcount
of one, removing a DOI from the list removes it from the list and
drops the refcount by one; "gets" and "puts" behave as expected with
respect to refcounts, increasing and decreasing the DOI's refcount by
one.

Fixes: b1edeb102397 ("netlabel: Replace protocol/NetLabel linking with refrerence counts")
Fixes: d7cce01504a0 ("netlabel: Add support for removing a CALIPSO DOI.")
Reported-by: syzbot+9ec037722d2603a9f52e@syzkaller.appspotmail.com
Signed-off-by: Paul Moore
Signed-off-by: David S. Miller
[bwh: Backported to 4.9: adjust context]
Signed-off-by: Ben Hutchings
Signed-off-by: Greg Kroah-Hartman --- net/ipv4/cipso_ipv4.c | 11 +---------- net/ipv6/calipso.c | 14 +++++--------- net/netlabel/netlabel_cipso_v4.c | 3 +++ 3 files changed, 9 insertions(+), 19 deletions(-) --- a/net/ipv4/cipso_ipv4.c +++ b/net/ipv4/cipso_ipv4.c @@ -534,16 +534,10 @@ int cipso_v4_doi_remove(u32 doi, struct ret_val = -ENOENT; goto doi_remove_return; } - if (!atomic_dec_and_test(&doi_def->refcount)) { - spin_unlock(&cipso_v4_doi_list_lock); - ret_val = -EBUSY; - goto doi_remove_return; - } list_del_rcu(&doi_def->list); spin_unlock(&cipso_v4_doi_list_lock); - cipso_v4_cache_invalidate(); - call_rcu(&doi_def->rcu, cipso_v4_doi_free_rcu); + cipso_v4_doi_putdef(doi_def); ret_val = 0; doi_remove_return: @@ -600,9 +594,6 @@ void cipso_v4_doi_putdef(struct cipso_v4 if (!atomic_dec_and_test(&doi_def->refcount)) return; - spin_lock(&cipso_v4_doi_list_lock); - list_del_rcu(&doi_def->list); - spin_unlock(&cipso_v4_doi_list_lock); cipso_v4_cache_invalidate(); call_rcu(&doi_def->rcu, cipso_v4_doi_free_rcu); --- a/net/ipv6/calipso.c +++ b/net/ipv6/calipso.c @@ -97,6 +97,9 @@ struct calipso_map_cache_entry { static struct calipso_map_cache_bkt *calipso_cache; +static void calipso_cache_invalidate(void); +static void calipso_doi_putdef(struct calipso_doi *doi_def); + /* Label Mapping Cache Functions */ @@ -458,15 +461,10 @@ static int calipso_doi_remove(u32 doi, s ret_val = -ENOENT; goto doi_remove_return; } - if (!atomic_dec_and_test(&doi_def->refcount)) { - spin_unlock(&calipso_doi_list_lock); - ret_val = -EBUSY; - goto doi_remove_return; - } list_del_rcu(&doi_def->list); spin_unlock(&calipso_doi_list_lock); - call_rcu(&doi_def->rcu, calipso_doi_free_rcu); + calipso_doi_putdef(doi_def); ret_val = 0; doi_remove_return: 
@@ -522,10 +520,8 @@ static void calipso_doi_putdef(struct ca if (!atomic_dec_and_test(&doi_def->refcount)) return; - spin_lock(&calipso_doi_list_lock); - list_del_rcu(&doi_def->list); - spin_unlock(&calipso_doi_list_lock); + calipso_cache_invalidate(); call_rcu(&doi_def->rcu, calipso_doi_free_rcu); } --- a/net/netlabel/netlabel_cipso_v4.c +++ b/net/netlabel/netlabel_cipso_v4.c @@ -587,6 +587,7 @@ list_start: break; } + cipso_v4_doi_putdef(doi_def); rcu_read_unlock(); genlmsg_end(ans_skb, data); @@ -595,12 +596,14 @@ list_start: list_retry: /* XXX - this limit is a guesstimate */ if (nlsze_mult < 4) { + cipso_v4_doi_putdef(doi_def); rcu_read_unlock(); kfree_skb(ans_skb); nlsze_mult *= 2; goto list_start; } list_failure_lock: + cipso_v4_doi_putdef(doi_def); rcu_read_unlock(); list_failure: kfree_skb(ans_skb);
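
Review bot: in the cipso_v4_doi_remove() hunk of net/ipv4/cipso_ipv4.c, the direct cipso_v4_cache_invalidate() call is removed, so the mapping cache is now flushed only when cipso_v4_doi_putdef() drops the last reference. If another holder still has a reference at removal time, the DOI is unlinked and 0 is returned while the cache has not yet been invalidated. A short comment at the cipso_v4_doi_putdef(doi_def) call stating that this deferral is intended would make the ordering easier to audit.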
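
Review bot: the cipso_v4_doi_putdef() hunk drops the cipso_v4_doi_list_lock / list_del_rcu() sequence before call_rcu(), so the function is only correct if the DOI list itself owns one reference and the entry has already been unlinked by the time the count reaches zero. The commit message says a DOI is added with a refcount of one, but no hunk in this 4.9 backport touches the add path. Please confirm the 4.9 add function already sets the refcount to one, and consider stating the invariant in the function comment.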
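
Review bot: calipso_doi_remove() in net/ipv6/calipso.c can no longer return -EBUSY once the atomic_dec_and_test() block is removed (cipso_v4_doi_remove() makes the same change), so removal now reports success while other holders may still keep the definition alive. If the comments above these functions still list -EBUSY as a return value they should be updated in the same patch, and the changelog would benefit from saying that callers no longer see "busy" for an in-use DOI.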
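
Review bot: the calipso_doi_putdef() hunk adds a calipso_cache_invalidate() call on the final put, which none of the removed CALIPSO lines did; the old calipso_doi_remove() path and the old putdef both went straight to call_rcu(). This is a behaviour change the commit message does not mention, so a sentence in the changelog explaining that the CALIPSO cache is now flushed when a DOI is freed would make it clear the addition is deliberate.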
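
Review bot: in the second netlbl_cipsov4_list() hunk of net/netlabel/netlabel_cipso_v4.c, the cipso_v4_doi_putdef(doi_def) added under list_failure_lock runs for every jump to that label, and the visible part of cipso_v4_doi_putdef() dereferences doi_def->refcount. Please confirm that each path reaching list_failure_lock has a valid doi_def, or that cipso_v4_doi_putdef() returns early on NULL, and say so in a comment at the label. The put added under list_retry is followed by goto list_start, so it is also worth checking that doi_def is always re-acquired before it is used again.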