Received: by 2002:a05:6358:3188:b0:123:57c1:9b43 with SMTP id q8csp3472703rwd; Sat, 3 Jun 2023 06:04:17 -0700 (PDT) X-Google-Smtp-Source: ACHHUZ4rYYWMvQPx7Oe5yNpIrBUTeQFqfz+eWFUEi3Qr1NnRz/YSFUwzzczCSi4CR1h/GjG2ZC3E X-Received: by 2002:a05:6a20:42a3:b0:114:6669:21f8 with SMTP id o35-20020a056a2042a300b00114666921f8mr322595pzj.35.1685797457331; Sat, 03 Jun 2023 06:04:17 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1685797457; cv=none; d=google.com; s=arc-20160816; b=fGaxIZsWlyIRdrJqupgFuWm37g2PS4Z+oFOScURHgf2Ws07v0nObFMgG/4eEwD713V NtmzO+5Nq/TdEVrU7vj8wIYBFuEsWSE0xPd5pQ1RNxCX1aYzEmWZs4duIRTIww2RcV0b I1uDaqQkRXvW3s9U5pdAvYAHuOaFyEH8LquQ9q0rNC2PJpbVAdDjC6d4As3Ejdfa0eEP Hh4MsXSd7LbhDlrRzY+9ur7p/rJI36HuCgPj4apF2XjKYOCbabzBNSk/oxg9XLFFsHyw APRpT0StKyx0am3cLHzQHCH0MWVan3ZWOqBb1jmKvTGsb1thhu+CCXOtIRw3v3HgCz0q n4xw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=iuVyWmNBcPzZ9px5HApvrbE+4UzVEeYd3n/ao4IebL4=; b=rm3tiwrKyMThR2v1W5c+z1yS+FVruzxz5hp1HSmruOOLG0rVcIaGsw/rBKqq6d7hkr p52eV3YzmIvGFJEYdGFK9tfpdO63zKUwG3MzCwg4DLoA0f39D1xMwI2WERaX6bRNYUws achfIQs/HyNU/VByf0fFaLA6qKu/M9mXWAh7xOActmHxuyXIbL/AcBuj8IYnoZBjWOy/ zKgvvYsVl9FuDKQw4efiz2Vw4/uZP62I5fXM/a7TQ6Z4gwn7QNGW0HzYm7ZO/x67P/DN QxnR889YAB8cj6Sf5BDGggoj4GK8JrQHVS3f2xzMWuB/MVLjm9iswj6Flp0a9ESBmLkA bRTw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@mojatatu-com.20221208.gappssmtp.com header.s=20221208 header.b="DPE/X+8C"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id a70-20020a639049000000b0051394ccd19csi2638881pge.55.2023.06.03.06.04.01; Sat, 03 Jun 2023 06:04:17 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@mojatatu-com.20221208.gappssmtp.com header.s=20221208 header.b="DPE/X+8C"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235083AbjFCMfT (ORCPT + 99 others); Sat, 3 Jun 2023 08:35:19 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:43732 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230185AbjFCMfR (ORCPT ); Sat, 3 Jun 2023 08:35:17 -0400 Received: from mail-yw1-x112b.google.com (mail-yw1-x112b.google.com [IPv6:2607:f8b0:4864:20::112b]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 8EC23A6 for ; Sat, 3 Jun 2023 05:35:16 -0700 (PDT) Received: by mail-yw1-x112b.google.com with SMTP id 00721157ae682-565e8d575cbso28776427b3.3 for ; Sat, 03 Jun 2023 05:35:16 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mojatatu-com.20221208.gappssmtp.com; s=20221208; t=1685795716; x=1688387716; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=iuVyWmNBcPzZ9px5HApvrbE+4UzVEeYd3n/ao4IebL4=; b=DPE/X+8C36OC5xHFfMvKRPL7NWsT8/ievCoAE3dGGX0hZSLuysF8HLj83SPAI8Dp/C gD9Frniifmn6yMIuosNNoWULw3A0iAucNHhhoRHEXjHymk/vCLsUilgeiOA32KmJvfJr MAz7W9HQTClxzvduMHySapUto3C/OsGxQdoU2IFpV72wg6+6QQ24t4+bNofN+aI09LKx fsJ6LTYoUa6wEJEt1ADnKeBgCUy1++zeDFBf1Ip6b90I2tgD2OzjBxg7z3D3ZcmVGNOY pNrUooHL9um5fagF8E5lBCdSR0nFNYGdEiJC1r3lEhwH08oqTX2H1ili/Mcys6xuxVs0 nKMA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1685795716; x=1688387716; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=iuVyWmNBcPzZ9px5HApvrbE+4UzVEeYd3n/ao4IebL4=; b=bMMYApokQx/guhfewHu9MfJj5eX6X54Mp8v3S8WeNq6jGcmDdylmodq3kLkeXV7doX NED+QAT+Ge7+ZU6NsFxkvL2fBFAq94ncKn2KNgLWaiKiN/qTiYmha4jFkyG7lrQ5NSoC +1o4IpYdX+9vEu9yDC/4KYspZAun95Tb7bajuRzt7r8dO9Ie8MC7EDMhMjV0PRajP26V 92RMCOOFPV4tFBEKGSC/kh1EpZNlObyzGo29UrYIPMnw+7McuH0DiMYqVbo6WqNfjgg6 pr03qTKUHQmfiBTZA/Maw+KjWxv0oqS65/7drGoES99eapoUX5Eg1xoNJokKiPduwDyw x/7Q== X-Gm-Message-State: AC+VfDweK+lUOB2noGgwEsPzC9KZSyKAQFwVYnkT+K4PK1MmWkZEc0rJ awRkNUfZ++FlUrnpW9sqfDIIg91W166UaBhCEzKwpg== X-Received: by 2002:a0d:d956:0:b0:565:bf0d:e26d with SMTP id b83-20020a0dd956000000b00565bf0de26dmr2223614ywe.51.1685795715767; Sat, 03 Jun 2023 05:35:15 -0700 (PDT) MIME-Version: 1.0 References: <20230531141556.1637341-1-lee@kernel.org> <20230601140640.GG449117@google.com> In-Reply-To: <20230601140640.GG449117@google.com> From: Jamal Hadi Salim Date: Sat, 3 Jun 2023 08:35:04 -0400 Message-ID: Subject: Re: [PATCH 1/1] net/sched: cls_u32: Fix reference counter leak leading to overflow To: Lee Jones Cc: Eric Dumazet , xiyou.wangcong@gmail.com, jiri@resnulli.us, davem@davemloft.net, kuba@kernel.org, pabeni@redhat.com, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, stable@kernel.org Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_NONE, T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Jun 1, 2023 at 10:06=E2=80=AFAM Lee Jones wrote: > > On Wed, 31 May 2023, Jamal Hadi Salim wrote: > > > On Wed, May 31, 2023 at 11:03=E2=80=AFAM Eric Dumazet wrote: > > > > > > On Wed, May 31, 2023 at 4:16=E2=80=AFPM Lee Jones wr= ote: > > > > > > > > In the event of a failure in tcf_change_indev(), u32_set_parms() wi= ll > > > > immediately return without decrementing the recently incremented > > > > reference counter. If this happens enough times, the counter will > > > > rollover and the reference freed, leading to a double free which ca= n be > > > > used to do 'bad things'. > > > > > > > > Cc: stable@kernel.org # v4.14+ > > > > > > Please add a Fixes: tag. > > Why? > > From memory, I couldn't identify a specific commit to fix, which is why > I used a Cc tag as per the Stable documentation: > > Option 1 > ******** > > To have the patch automatically included in the stable tree, add the tag > > .. code-block:: none > > Cc: stable@vger.kernel.org > > in the sign-off area. Once the patch is merged it will be applied to > the stable tree without anything else needing to be done by the author > or subsystem maintainer. > > > > > Signed-off-by: Lee Jones > > > > --- > > > > net/sched/cls_u32.c | 5 ++++- > > > > 1 file changed, 4 insertions(+), 1 deletion(-) > > > > > > > > diff --git a/net/sched/cls_u32.c b/net/sched/cls_u32.c > > > > index 4e2e269f121f8..fad61ca5e90bf 100644 > > > > --- a/net/sched/cls_u32.c > > > > +++ b/net/sched/cls_u32.c > > > > @@ -762,8 +762,11 @@ static int u32_set_parms(struct net *net, stru= ct tcf_proto *tp, > > > > if (tb[TCA_U32_INDEV]) { > > > > int ret; > > > > ret =3D tcf_change_indev(net, tb[TCA_U32_INDEV], ex= tack); > > > > > > This call should probably be done earlier in the function, next to > > > tcf_exts_validate_ex() > > > > > > Otherwise we might ask why the tcf_bind_filter() does not need to be = undone. > > > > > > Something like: > > > > > > diff --git a/net/sched/cls_u32.c b/net/sched/cls_u32.c > > > index 4e2e269f121f8a301368b9783753e055f5af6a4e..ac957ff2216ae18bcabdd= 3af3b0e127447ef8f91 > > > 100644 > > > --- a/net/sched/cls_u32.c > > > +++ b/net/sched/cls_u32.c > > > @@ -718,13 +718,18 @@ static int u32_set_parms(struct net *net, struc= t > > > tcf_proto *tp, > > > struct nlattr *est, u32 flags, u32 fl_flags, > > > struct netlink_ext_ack *extack) > > > { > > > - int err; > > > + int err, ifindex =3D -1; > > > > > > err =3D tcf_exts_validate_ex(net, tp, tb, est, &n->exts, flag= s, > > > fl_flags, extack); > > > if (err < 0) > > > return err; > > > > > > + if (tb[TCA_U32_INDEV]) { > > > + ifindex =3D tcf_change_indev(net, tb[TCA_U32_INDEV], = extack); > > > + if (ifindex < 0) > > > + return -EINVAL; > > > + } > > Thanks for the advice. Leave it with me. > > > > if (tb[TCA_U32_LINK]) { > > > u32 handle =3D nla_get_u32(tb[TCA_U32_LINK]); > > > struct tc_u_hnode *ht_down =3D NULL, *ht_old; > > > @@ -759,13 +764,9 @@ static int u32_set_parms(struct net *net, struct > > > tcf_proto *tp, > > > tcf_bind_filter(tp, &n->res, base); > > > } > > > > > > - if (tb[TCA_U32_INDEV]) { > > > - int ret; > > > - ret =3D tcf_change_indev(net, tb[TCA_U32_INDEV], exta= ck); > > > - if (ret < 0) > > > - return -EINVAL; > > > - n->ifindex =3D ret; > > > - } > > > + if (ifindex >=3D 0) > > > + n->ifindex =3D ifindex; > > > + > > > > I guess we crossed paths ;-> > > > Please, add a tdc test as well - it doesnt have to be in this patch, > > can be a followup. > > I don't know how to do that, or even what a 'tdc' is. Is it trivial? > > Can you point me towards the documentation please? There is a README in tools/testing/selftests/tc-testing/README If you created the scenario by running some tc command line it should not be difficult to create such a test. Or just tell us what command line you used to create it and we can help do one for you this time. If you found the issue by just eyeballing the code or syzkaller then just say that in the commit. cheers, jamal > -- > Lee Jones [=E6=9D=8E=E7=90=BC=E6=96=AF]