From: Jamal Hadi Salim
Date: Wed, 31 May 2023 11:07:21 -0400
Subject: Re: [PATCH 1/1] net/sched: cls_u32: Fix reference counter leak leading to overflow
To: Eric Dumazet
Cc: Lee Jones, xiyou.wangcong@gmail.com, jiri@resnulli.us, davem@davemloft.net, kuba@kernel.org, pabeni@redhat.com, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, stable@kernel.org

On Wed, May 31, 2023 at 11:03 AM Eric Dumazet wrote:
>
> On Wed, May 31, 2023 at 4:16 PM Lee Jones wrote:
> >
> > In the event of a failure in tcf_change_indev(), u32_set_parms() will
> > immediately return without decrementing the recently incremented
> > reference counter. If this happens enough times, the counter will
> > rollover and the reference freed, leading to a double free which can be
> > used to do 'bad things'.
> >
> > Cc: stable@kernel.org # v4.14+
>
> Please add a Fixes: tag.
>
> > Signed-off-by: Lee Jones
> > ---
> >  net/sched/cls_u32.c | 5 ++++-
> >  1 file changed, 4 insertions(+), 1 deletion(-)
> >
> > diff --git a/net/sched/cls_u32.c b/net/sched/cls_u32.c
> > index 4e2e269f121f8..fad61ca5e90bf 100644
> > --- a/net/sched/cls_u32.c
> > +++ b/net/sched/cls_u32.c
> > @@ -762,8 +762,11 @@ static int u32_set_parms(struct net *net, struct tcf_proto *tp,
> >         if (tb[TCA_U32_INDEV]) {
> >                 int ret;
> >                 ret = tcf_change_indev(net, tb[TCA_U32_INDEV], extack);
>
> This call should probably be done earlier in the function, next to
> tcf_exts_validate_ex()
>
> Otherwise we might ask why the tcf_bind_filter() does not need to be undone.
>
> Something like:
>
> diff --git a/net/sched/cls_u32.c b/net/sched/cls_u32.c
> index 4e2e269f121f8a301368b9783753e055f5af6a4e..ac957ff2216ae18bcabdd3af3b0e127447ef8f91
> 100644
> --- a/net/sched/cls_u32.c
> +++ b/net/sched/cls_u32.c
> @@ -718,13 +718,18 @@ static int u32_set_parms(struct net *net, struct
> tcf_proto *tp,
>                          struct nlattr *est, u32 flags, u32 fl_flags,
>                          struct netlink_ext_ack *extack)
>  {
> -       int err;
> +       int err, ifindex = -1;
>
>         err = tcf_exts_validate_ex(net, tp, tb, est, &n->exts, flags,
>                                    fl_flags, extack);
>         if (err < 0)
>                 return err;
>
> +       if (tb[TCA_U32_INDEV]) {
> +               ifindex = tcf_change_indev(net, tb[TCA_U32_INDEV], extack);
> +               if (ifindex < 0)
> +                       return -EINVAL;
> +       }
>         if (tb[TCA_U32_LINK]) {
>                 u32 handle = nla_get_u32(tb[TCA_U32_LINK]);
>                 struct tc_u_hnode *ht_down = NULL, *ht_old;
> @@ -759,13 +764,9 @@ static int u32_set_parms(struct net *net, struct
> tcf_proto *tp,
>                 tcf_bind_filter(tp, &n->res, base);
>         }
>
> -       if (tb[TCA_U32_INDEV]) {
> -               int ret;
> -               ret = tcf_change_indev(net, tb[TCA_U32_INDEV], extack);
> -               if (ret < 0)
> -                       return -EINVAL;
> -               n->ifindex = ret;
> -       }
> +       if (ifindex >= 0)
> +               n->ifindex = ifindex;
> +

I guess we crossed paths ;->
Please, add a tdc test as well - it doesn't have to be in this patch, can be a followup.

cheers,
jamal

>         return 0;
>  }
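Review bot: in the @@ -718,13 +718,18 @@ hunk, `if (ifindex < 0) return -EINVAL;` discards the errno that tcf_change_indev() reported and substitutes -EINVAL, which keeps the behaviour of the block it replaces but hides the real cause from the caller; `return ifindex;` would propagate it, and since `extack` is already passed to the helper the human-readable reason is unaffected either way. The changelog for the real patch should also spell out what this hunk shows structurally: the lookup now runs before the `if (tb[TCA_U32_LINK])` block that sets up `ht_down`, so the early return happens before any reference is taken, which is exactly why neither the reference count nor tcf_bind_filter() needs to be unwound.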
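Review bot: the `if (ifindex >= 0)` guard in the @@ -759,13 +764,9 @@ hunk only works because `int err, ifindex = -1;` uses -1 to mean "TCA_U32_INDEV was not supplied", and that convention is stated nowhere in either hunk; a one-line comment at the declaration would make the pair self-explanatory, and the tdc test requested above is the natural place to exercise both the failing-indev path and the absent-attribute path. Separately, both hunk headers as quoted are wrapped by the mailer (`struct net *net, struct` / `tcf_proto *tp,`), so this diff will need to be re-sent from a client that preserves long lines before it can be applied.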
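The bug class the thread is about, as an added userspace model that is not code from the patch, from cls_u32 or from any participant: a reference is taken (the link step) and then a later fallible lookup (the indev step) fails and returns early, so the reference is never dropped; repeated failures walk the counter to zero, after which a legitimate release frees an object that is still in use. `set_parms_buggy()` reproduces that ordering and `set_parms_fixed()` applies the reordering Eric proposes, doing every fallible lookup before any reference is taken. All type and function names (`hnode`, `knode`, `parms`, `change_indev`, `link_ht_down`, the name table) are hypothetical stand-ins, the inputs are constructed, and the counter is deliberately 8 bits wide so the rollover is visible in a test.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hash node standing in for the target of the link attribute. The counter is
 * deliberately 8 bits wide so the rollover shows within a few hundred
 * failures; a wider counter wraps the same way, just later. */
struct hnode { uint8_t refcnt; };

/* Classifier node: holds at most one reference on a hash node. */
struct knode { struct hnode *ht_down; int ifindex; };

/* Request attributes, standing in for tb[TCA_U32_LINK] / tb[TCA_U32_INDEV];
 * NULL means the attribute was not supplied. */
struct parms { struct hnode *link; const char *indev; };

/* Stand-in for the indev lookup: a constructed name table returning a
 * positive ifindex, or a negative errno for an unknown device. */
static int change_indev(const char *name)
{
	if (strcmp(name, "eth0") == 0)
		return 2;
	return -ENODEV;
}

/* The link step: take a reference on the new hash node, drop the old one. */
static void link_ht_down(struct knode *n, struct hnode *ht)
{
	struct hnode *old = n->ht_down;
	ht->refcnt++;
	n->ht_down = ht;
	if (old)
		old->refcnt--;
}

/* Buggy ordering: the reference is taken before the fallible lookup. */
static int set_parms_buggy(struct knode *n, const struct parms *p)
{
	if (p->link)
		link_ht_down(n, p->link);
	if (p->indev) {
		int ret = change_indev(p->indev);
		if (ret < 0)
			return -EINVAL; /* leaves the reference taken above held */
		n->ifindex = ret;
	}
	return 0;
}

/* Fixed ordering: every fallible lookup runs before any reference is taken. */
static int set_parms_fixed(struct knode *n, const struct parms *p)
{
	int ifindex = -1; /* -1 encodes "indev attribute not supplied" */
	if (p->indev) {
		ifindex = change_indev(p->indev);
		if (ifindex < 0)
			return -EINVAL; /* nothing acquired yet, nothing to undo */
	}
	if (p->link)
		link_ht_down(n, p->link);
	if (ifindex >= 0)
		n->ifindex = ifindex;
	return 0;
}

typedef int (*set_parms_fn)(struct knode *, const struct parms *);

/* Sends 'attempts' requests naming a nonexistent device, each to a fresh node
 * that is then discarded as a failing caller would discard it, and returns
 * the count left on the shared hash node (1 = only the owner's reference). */
static unsigned int refcnt_after_failures(set_parms_fn fn, unsigned int attempts)
{
	struct hnode ht = { .refcnt = 1 };
	const struct parms bad = { .link = &ht, .indev = "nosuchdev" };
	for (unsigned int i = 0; i < attempts; i++) {
		struct knode n = { 0 };
		(void)fn(&n, &bad); /* always fails: the lookup rejects the name */
	}
	return ht.refcnt;
}

/* Success path: returns the stored ifindex when exactly one reference was
 * taken, the negative error otherwise. */
static int ifindex_after_success(set_parms_fn fn)
{
	struct hnode ht = { .refcnt = 1 };
	const struct parms good = { .link = &ht, .indev = "eth0" };
	struct knode n = { 0 };
	int err = fn(&n, &good);
	if (err)
		return err;
	return ht.refcnt == 2 ? n.ifindex : -EIO;
}

int main(void)
{
	printf("buggy: %u refs after 10 failures, %u after 255 (wrapped)\n",
	       refcnt_after_failures(set_parms_buggy, 10),
	       refcnt_after_failures(set_parms_buggy, 255));
	printf("fixed: %u refs after 255 failures\n",
	       refcnt_after_failures(set_parms_fixed, 255));
	return 0;
}
```

Both variants behave identically on the success path; they differ only in what the error path leaves behind, which is why a test that only checks successful filter creation would never catch the original ordering. The model's plain integer wraps to zero, the condition Lee's description calls a rollover; a saturating counter type would have turned the same leak into a warning and a stuck object rather than a double free, which is the usual argument for preferring such types for refcounts that untrusted input can drive.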