From: Eric Dumazet
Date: Sun, 23 Oct 2022 22:21:05 -0700
Subject: Re: [PATCH] af_key: Fix send_acquire race with pfkey_register
To: Herbert Xu
Cc: syzbot, davem@davemloft.net, kuba@kernel.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, pabeni@redhat.com, steffen.klassert@secunet.com, syzkaller-bugs@googlegroups.com

On Sun, Oct 23, 2022 at 10:10 PM Herbert Xu wrote:
>
> With name space support, it is possible for a pfkey_register to
> occur in the middle of a send_acquire, thus changing the number
> of supported algorithms.
>
> This can be fixed by taking a mutex to make it single-threaded
> again.
>
> Reported-by: syzbot+1e9af9185d8850e2c2fa@syzkaller.appspotmail.com
> Fixes: 283bc9f35bbb ("xfrm: Namespacify xfrm state/policy locks")
> Signed-off-by: Herbert Xu
>
> diff --git a/net/key/af_key.c b/net/key/af_key.c
> index c85df5b958d2..4ceef96fef57 100644
> --- a/net/key/af_key.c
> +++ b/net/key/af_key.c
> @@ -3160,6 +3160,7 @@ static int pfkey_send_acquire(struct xfrm_state *x, struct xfrm_tmpl *t, struct
>  		(sockaddr_size * 2) +
>  		sizeof(struct sadb_x_policy);
>
> +	mutex_lock(&pfkey_mutex);
>  	if (x->id.proto == IPPROTO_AH)
>  		size += count_ah_combs(t);
>  	else if (x->id.proto == IPPROTO_ESP)
> @@ -3171,8 +3172,10 @@ static int pfkey_send_acquire(struct xfrm_state *x, struct xfrm_tmpl *t, struct
>  	}
>
>  	skb = alloc_skb(size + 16, GFP_ATOMIC);

Are you sure we can sleep in mutex_lock()?
Use of GFP_ATOMIC would suggest otherwise :/

> -	if (skb == NULL)
> +	if (skb == NULL) {
> +		mutex_unlock(&pfkey_mutex);
>  		return -ENOMEM;
> +	}
>
>  	hdr = skb_put(skb, sizeof(struct sadb_msg));
>  	hdr->sadb_msg_version = PF_KEY_V2;
> @@ -3228,6 +3231,7 @@ static int pfkey_send_acquire(struct xfrm_state *x, struct xfrm_tmpl *t, struct
>  		dump_ah_combs(skb, t);
>  	else if (x->id.proto == IPPROTO_ESP)
>  		dump_esp_combs(skb, t);
> +	mutex_unlock(&pfkey_mutex);
>
>  	/* security context */
>  	if (xfrm_ctx) {
> --
> Email: Herbert Xu
> Home Page: http://gondor.apana.org.au/~herbert/
> PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
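Review bot: in the first hunk (@@ -3160,6 +3160,7 @@), mutex_lock(&pfkey_mutex) is a sleeping lock, and nothing in the patch establishes that pfkey_send_acquire() is only reached from process context; the alloc_skb(size + 16, GFP_ATOMIC) in the next hunk is the usual sign that the author of that line expected the function not to sleep. If any caller reaches this function under a spinlock or from softirq context, the new mutex_lock() will trip the "sleeping function called from invalid context" check, and the fix would need a non-sleeping way to pin the supported-algorithm set (with pfkey_register() changed to match) instead of pfkey_mutex. Please state the calling context in the commit message either way, since the lock choice depends on it.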
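Review bot: in the second hunk (@@ -3171,8 +3172,10 @@), the alloc_skb() failure is the only error return that now releases pfkey_mutex, but the lock is taken before count_*_combs() around line 3163 and not dropped until after dump_esp_combs() around line 3234, and the code between this hunk and the third one is not in the diff. Any other early return in that span would now leak the mutex and leave the next pfkey_send_acquire() or pfkey_register() stuck on it forever. Please either confirm there is none, or give this function a single out_unlock label that the -ENOMEM path jumps to, so later error paths can share it. Minor: since the line is being changed anyway, checkpatch prefers `if (!skb) {` to `if (skb == NULL) {`.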
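Review bot: in the third hunk (@@ -3228,6 +3231,7 @@), the unlock immediately after dump_esp_combs() is the right boundary, since count_ah_combs()/count_esp_combs() and dump_ah_combs()/dump_esp_combs() now observe the same algorithm set, but nothing in the code says why the critical section has to run from the size computation all the way to the dump. A one-line comment next to the mutex_lock() (or here, at the unlock) stating that pfkey_mutex holds the supported-algorithm set stable between counting the combs and dumping them, so the skb allocated from that size matches what is written into it, would keep the next reader from narrowing the lock scope and reintroducing the race this patch closes.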