Date: Wed, 26 Oct 2022 15:38:23 +0200
From: Sabrina Dubroca
To: Herbert Xu
Cc: Eric Dumazet, syzbot, davem@davemloft.net, kuba@kernel.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, pabeni@redhat.com, steffen.klassert@secunet.com, syzkaller-bugs@googlegroups.com
Subject: Re: [v3 PATCH] af_key: Fix send_acquire race with pfkey_register
References: <000000000000fd9a4005ebbeac67@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org

2022-10-25, 14:06:48 +0800, Herbert Xu wrote:
> On Mon, Oct 24, 2022 at 09:20:00AM +0200, Sabrina Dubroca wrote:
> > 2022-10-24, 14:06:12 +0800, Herbert Xu wrote:
> > > @@ -1697,11 +1699,11 @@ static int pfkey_register(struct sock *sk, struct sk_buff *skb, const struct sad
> > > pfk->registered |= (1<sadb_msg_satype);
> > > }
> > >
> > > - mutex_lock(&pfkey_mutex);
> > > + spin_lock_bh(&pfkey_alg_lock);
> > > xfrm_probe_algs();
> >
> > I don't think we can do that:
> >
> > void xfrm_probe_algs(void)
> > {
> > int i, status;
> >
> > BUG_ON(in_softirq());
>
> Indeed. I was also wrong in stating that this bug was created by
> namespaces. This race has always existed since this code was first
> added.
>
> ---8<---
> The function pfkey_send_acquire may race with pfkey_register
> (which could even be in a different name space). This may result
> in a buffer overrun.
>
> Allocating the maximum amount of memory that could be used prevents
> this.
>
> Reported-by: syzbot+1e9af9185d8850e2c2fa@syzkaller.appspotmail.com
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Signed-off-by: Herbert Xu

LGTM, thanks.

Reviewed-by: Sabrina Dubroca

-- 
Sabrina
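Review bot: in the quoted pfkey_register() hunk, swapping mutex_lock(&pfkey_mutex) for spin_lock_bh(&pfkey_alg_lock) around xfrm_probe_algs() cannot work, for the reason the reply already shows: spin_lock_bh() disables bottom halves on the local CPU, which makes in_softirq() return true, so the BUG_ON(in_softirq()) at the top of xfrm_probe_algs() fires on the very next line. Either keep a sleepable lock across the probe, or call xfrm_probe_algs() first and take pfkey_alg_lock only around the part that needs it. The v3 description quoted after the hunk avoids the locking question altogether by sizing the acquire buffer for the largest possible output, which is the approach being acked here.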
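The size-then-fill race that the commit message describes, as an added C example that is not af_key or xfrm code: a constructed algorithm table stands in for the xfrm algorithm list, the names setup_table(), concurrent_register(), build_sized_by_snapshot() and build_sized_max() are assumptions, and the would-be overrun is detected and reported as -1 rather than allowed to corrupt memory, so the racy and the maximum-allocation variants can be compared on the same scenario.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the xfrm algorithm table that pfkey_send_acquire()
 * walks: fixed slots, each with an "available" flag (which a concurrent
 * xfrm_probe_algs() can flip) and a descriptor length. Not af_key code. */
#define ALG_MAX 8
#define DESC_MAX 16
struct alg { int available; size_t desc_len; };
static struct alg algs[ALG_MAX];

/* Allocate cap bytes, let the simulated concurrent registration run, then copy
 * every available descriptor. Writing past cap is refused and reported as -1,
 * so the overrun surfaces as an error rather than memory corruption. */
static long alloc_and_fill(size_t cap, void (*race)(void)) {
    char *buf = malloc(cap ? cap : 1);
    size_t off = 0;
    if (!buf) return -1;
    if (race) race();
    for (int i = 0; i < ALG_MAX; i++) {
        if (!algs[i].available) continue;
        if (off + algs[i].desc_len > cap) { free(buf); return -1; }
        memset(buf + off, 'A' + i, algs[i].desc_len);
        off += algs[i].desc_len;
    }
    free(buf);
    return (long)off; /* bytes written */
}
/* Racy pattern (the bug): size from the table as it is now, fill from the
 * table as it is later. A registration in between outgrows the allocation. */
long build_sized_by_snapshot(void (*race)(void)) {
    size_t len = 0;
    for (int i = 0; i < ALG_MAX; i++)
        if (algs[i].available) len += algs[i].desc_len;
    return alloc_and_fill(len, race);
}
/* Fixed pattern (the v3 approach): allocate for the most the table could ever
 * produce, so no concurrent change to "available" can exceed it. */
long build_sized_max(void (*race)(void)) {
    return alloc_and_fill(ALG_MAX * DESC_MAX, race);
}
/* Constructed scenario: two algorithms available up front, a third flipped on
 * between sizing and filling, as if pfkey_register() ran on another CPU. */
void setup_table(void) {
    memset(algs, 0, sizeof algs);
    algs[0] = (struct alg){1, 8}; algs[2] = (struct alg){1, 12};
    algs[5] = (struct alg){0, 10};
}
void concurrent_register(void) { algs[5].available = 1; }
```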