From: Eric Dumazet
Date: Thu, 1 Jun 2023 17:10:50 +0200
Subject: Re: [PATCH 1/1] net/sched: cls_u32: Fix reference counter leak leading to overflow
To: Lee Jones
Cc: Jamal Hadi Salim, xiyou.wangcong@gmail.com, jiri@resnulli.us, davem@davemloft.net, kuba@kernel.org, pabeni@redhat.com, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, stable@kernel.org
References: <20230531141556.1637341-1-lee@kernel.org> <20230601140640.GG449117@google.com>
In-Reply-To: <20230601140640.GG449117@google.com>

On Thu, Jun 1, 2023 at 4:06 PM Lee Jones wrote:
>
> On Wed, 31 May 2023, Jamal Hadi Salim wrote:
>
> > On Wed, May 31, 2023 at 11:03 AM Eric Dumazet wrote:
> > >
> > > On Wed, May 31, 2023 at 4:16 PM Lee Jones wrote:
> > > >
> > > > In the event of a failure in tcf_change_indev(), u32_set_parms() will
> > > > immediately return without decrementing the recently incremented
> > > > reference counter. If this happens enough times, the counter will
> > > > rollover and the reference freed, leading to a double free which can be
> > > > used to do 'bad things'.
> > > >
> > > > Cc: stable@kernel.org # v4.14+
> > >
> > > Please add a Fixes: tag.
>
> Why?

How have you identified v4.14+ ?

Probably you did some research/"git archeology".

By adding the Fixes: tag, you allow us to double check immediately,
and see if other bugs need to be fixed at the same time.

You can also CC blamed patch authors, to get some feedback.

Otherwise, we (people reviewing this patch) have to also do this
research from scratch.

In this case, it seems the bug was added in

commit 705c7091262d02b09eb686c24491de61bf42fdb2
Author: Jiri Pirko
Date:   Fri Aug 4 14:29:14 2017 +0200

    net: sched: cls_u32: no need to call tcf_exts_change for newly allocated struct

A nice Fixes: tag would then be

Fixes: 705c7091262d ("net: sched: cls_u32: no need to call tcf_exts_change for newly allocated struct")

Thanks.
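
The check requested in the message above, as an added example that is not part of the original e-mail or of any kernel tooling: it builds the Fixes: line from the quoted `git log` output and flags a commit message that carries `Cc: stable` without one. The helper names and the regular expressions are assumptions made for this sketch; the sample inputs are constructed from text in the thread.

```python
import re

# Assumed tag shape, as in the reply above: 12 or more hex digits of the
# commit id, then the blamed commit's subject line inside ("...").
FIXES_RE = re.compile(r'^Fixes: ([0-9a-f]{12,40}) \("(.+)"\)$')
STABLE_RE = re.compile(r'^Cc: .*\bstable@(?:vger\.)?kernel\.org\b', re.I)


def fixes_from_git_log(block):
    """Build a Fixes: line from `git log` output (commit/Author/Date, subject)."""
    sha = re.search(r'^commit ([0-9a-f]{40})$', block, re.M)
    if not sha:
        raise ValueError("no full 40-character commit id found")
    # The subject is the first non-empty line after the blank line that
    # closes the commit/Author/Date header.
    _, _, body = block.partition("\n\n")
    subject = next((l.strip() for l in body.splitlines() if l.strip()), None)
    if subject is None:
        raise ValueError("no subject line found")
    return f'Fixes: {sha.group(1)[:12]} ("{subject}")'


def lint_trailers(message):
    """Return review findings for the trailer lines of a commit message."""
    lines = [l.strip() for l in message.splitlines()]
    fixes = [l for l in lines if l.lower().startswith("fixes:")]
    findings = [f"malformed Fixes: tag: {l!r}"
                for l in fixes if not FIXES_RE.match(l)]
    if any(STABLE_RE.match(l) for l in lines) and not fixes:
        findings.append("Cc: stable without a Fixes: tag; "
                        "reviewers cannot check the version range")
    return findings


# Constructed inputs, taken from the text of the thread above.
BLAMED = """commit 705c7091262d02b09eb686c24491de61bf42fdb2
Author: Jiri Pirko
Date:   Fri Aug 4 14:29:14 2017 +0200

    net: sched: cls_u32: no need to call tcf_exts_change for newly allocated struct
"""
AS_POSTED = """net/sched: cls_u32: Fix reference counter leak leading to overflow

Cc: stable@kernel.org # v4.14+
"""

if __name__ == "__main__":
    print(lint_trailers(AS_POSTED))
    print(fixes_from_git_log(BLAMED))
```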