From: Jamal Hadi Salim
Date: Wed, 31 May 2023 11:05:25 -0400
Subject: Re: [PATCH 1/1] net/sched: cls_u32: Fix reference counter leak leading to overflow
To: Lee Jones
Cc: xiyou.wangcong@gmail.com, jiri@resnulli.us, davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, stable@kernel.org
In-Reply-To: <20230531141556.1637341-1-lee@kernel.org>

On Wed, May 31, 2023 at 10:16 AM Lee Jones wrote:
>
> In the event of a failure in tcf_change_indev(), u32_set_parms() will
> immediately return without decrementing the recently incremented
> reference counter. If this happens enough times, the counter will
> roll over and the reference freed, leading to a double free which can be
> used to do 'bad things'.
>
> Cc: stable@kernel.org # v4.14+
> Signed-off-by: Lee Jones
> ---
>  net/sched/cls_u32.c | 5 ++++-
>  1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/net/sched/cls_u32.c b/net/sched/cls_u32.c
> index 4e2e269f121f8..fad61ca5e90bf 100644
> --- a/net/sched/cls_u32.c
> +++ b/net/sched/cls_u32.c
> @@ -762,8 +762,11 @@ static int u32_set_parms(struct net *net, struct tcf_proto *tp, > if (tb[TCA_U32_INDEV]) { > int ret; > ret = tcf_change_indev(net, tb[TCA_U32_INDEV], extack); > - if (ret < 0) > + if (ret < 0) { > + if (tb[TCA_U32_LINK]) > + n->ht_down->refcnt--; > return -EINVAL; > + } > n->ifindex = ret; > } > return 0;

The spirit of the patch looks right. I don't think this fully solves the
issue you state.

My suggestion: move the

  if (tb[TCA_U32_INDEV])

above the

  if (tb[TCA_U32_LINK]) {

Did you see this in practice, or did you find it by eyeballing the code?

Can you also add a tdc test for it? There are simple ways to create the
scenario.

cheers,
jamal

> 2.41.0.rc0.172.g3f132b7071-goog
>
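Review bot: the compensating decrement in the new failure branch is keyed on the TCA_U32_LINK attribute being present, not on a reference actually having been taken, so `n->ht_down->refcnt--` is only correct if the earlier TCA_U32_LINK handling in u32_set_parms() always bumps the count of the table that n->ht_down points to by the time tcf_change_indev() runs; if that handling can leave ht_down NULL or return before incrementing, this branch underflows the counter or dereferences NULL. Validating TCA_U32_INDEV before the TCA_U32_LINK block, as the reply suggests, removes the need for any undo here; either way, a tdc test that drives the tcf_change_indev() failure path would pin the behaviour down.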
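As an added illustration (not code from the patch or this thread), a constructed C model of the two orderings under discussion: taking the link reference before validating indev leaks one reference per failed update, while validating indev first leaves nothing to undo. The struct and function names are stand-ins, not the kernel's.

```c
/* Constructed model of the u32_set_parms() error path: a toy hash-table
 * object with a reference counter, a "link" step that takes a reference,
 * and an "indev" step that can fail. Not kernel code. */
#include <stdint.h>
#include <stdio.h>

struct ht { uint32_t refcnt; };
struct node { struct ht *ht_down; int ifindex; };

/* Stand-in for tcf_change_indev(): returns an ifindex, or -1 on bad input. */
static int change_indev(int indev) { return indev > 0 ? indev : -1; }

/* Original ordering: link (takes a reference) before indev validation. */
static int set_parms_leaky(struct node *n, struct ht *link, int indev)
{
    if (link) {
        link->refcnt++;            /* reference taken here ...           */
        n->ht_down = link;
    }
    if (indev) {
        int ret = change_indev(indev);
        if (ret < 0)
            return -1;             /* ... and never released on failure   */
        n->ifindex = ret;
    }
    return 0;
}

/* Reordered as the reply suggests: validate indev before taking the link. */
static int set_parms_fixed(struct node *n, struct ht *link, int indev)
{
    if (indev) {
        int ret = change_indev(indev);
        if (ret < 0)
            return -1;             /* nothing has been taken yet          */
        n->ifindex = ret;
    }
    if (link) {
        link->refcnt++;
        n->ht_down = link;
    }
    return 0;
}

/* Run `tries` failing updates and report how many references leaked. */
static uint32_t leaked_after(int (*fn)(struct node *, struct ht *, int), int tries)
{
    struct ht table = { .refcnt = 1 };   /* one reference held by the owner */
    struct node n = { 0 };
    for (int i = 0; i < tries; i++)
        fn(&n, &table, -5);              /* indev -5 makes change_indev() fail */
    return table.refcnt - 1;
}
```

Each failed call to the leaky variant leaves one extra reference behind; a 32-bit counter driven this way would eventually wrap, which is the overflow the commit message describes.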