diff for duplicates of <20230814070349.GA3921@unreal>
diff --git a/a/1.txt b/N1/1.txt
index 1822028..2281818 100644
--- a/a/1.txt
+++ b/N1/1.txt
@@ -1,84 +1,92 @@
 On Mon, Aug 14, 2023 at 09:33:52AM +0800, Dong Chenchen wrote:
-> BUG: KASAN: slab-use-after-free in xfrm_policy_inexact_list_reinsert+0xb6/0x430
-> Read of size 1 at addr ffff8881051f3bf8 by task ip/668
-> 
-> CPU: 2 PID: 668 Comm: ip Not tainted 6.5.0-rc5-00182-g25aa0bebba72-dirty #64
-> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13 04/01/2014
-> Call Trace:
-> <TASK>
-> dump_stack_lvl+0x72/0xa0
-> print_report+0xd0/0x620
-> kasan_report+0xb6/0xf0
-> xfrm_policy_inexact_list_reinsert+0xb6/0x430
-> xfrm_policy_inexact_insert_node.constprop.0+0x537/0x800
-> xfrm_policy_inexact_alloc_chain+0x23f/0x320
-> xfrm_policy_inexact_insert+0x6b/0x590
-> xfrm_policy_insert+0x3b1/0x480
-> xfrm_add_policy+0x23c/0x3c0
-> xfrm_user_rcv_msg+0x2d0/0x510
-> netlink_rcv_skb+0x10d/0x2d0
-> xfrm_netlink_rcv+0x49/0x60
-> netlink_unicast+0x3fe/0x540
-> netlink_sendmsg+0x528/0x970
-> sock_sendmsg+0x14a/0x160
-> ____sys_sendmsg+0x4fc/0x580
-> ___sys_sendmsg+0xef/0x160
-> __sys_sendmsg+0xf7/0x1b0
-> do_syscall_64+0x3f/0x90
-> entry_SYSCALL_64_after_hwframe+0x73/0xdd
-> 
-> The root cause is:
-> 
-> cpu 0 cpu1
-> xfrm_dump_policy
-> xfrm_policy_walk
-> list_move_tail
-> xfrm_add_policy
-> ... ...
-> xfrm_policy_inexact_list_reinsert
-> list_for_each_entry_reverse
-> if (!policy->bydst_reinsert)
-> //read non-existent policy
-> xfrm_dump_policy_done
-> xfrm_policy_walk_done
-> list_del(&walk->walk.all);
-> 
-> If dump_one_policy() returns err (triggered by netlink socket),
-> xfrm_policy_walk() will move walk initialized by socket to list
-> net->xfrm.policy_all. so this socket becomes visible in the global
-> policy list. The head *walk can be traversed when users add policies
-> with different prefixlen and trigger xfrm_policy node merge.
-> 
-> It can be fixed by skip such "policies" with walk.dead set to 1.
+>> BUG: KASAN: slab-use-after-free in xfrm_policy_inexact_list_reinsert+0xb6/0x430
+>> Read of size 1 at addr ffff8881051f3bf8 by task ip/668
+>> 
+>> CPU: 2 PID: 668 Comm: ip Not tainted 6.5.0-rc5-00182-g25aa0bebba72-dirty #64
+>> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13 04/01/2014
+>> Call Trace:
+>> <TASK>
+>> dump_stack_lvl+0x72/0xa0
+>> print_report+0xd0/0x620
+>> kasan_report+0xb6/0xf0
+>> xfrm_policy_inexact_list_reinsert+0xb6/0x430
+>> xfrm_policy_inexact_insert_node.constprop.0+0x537/0x800
+>> xfrm_policy_inexact_alloc_chain+0x23f/0x320
+>> xfrm_policy_inexact_insert+0x6b/0x590
+>> xfrm_policy_insert+0x3b1/0x480
+>> xfrm_add_policy+0x23c/0x3c0
+>> xfrm_user_rcv_msg+0x2d0/0x510
+>> netlink_rcv_skb+0x10d/0x2d0
+>> xfrm_netlink_rcv+0x49/0x60
+>> netlink_unicast+0x3fe/0x540
+>> netlink_sendmsg+0x528/0x970
+>> sock_sendmsg+0x14a/0x160
+>> ____sys_sendmsg+0x4fc/0x580
+>> ___sys_sendmsg+0xef/0x160
+>> __sys_sendmsg+0xf7/0x1b0
+>> do_syscall_64+0x3f/0x90
+>> entry_SYSCALL_64_after_hwframe+0x73/0xdd
+>> 
+>> The root cause is:
+>> 
+>> cpu 0 cpu1
+>> xfrm_dump_policy
+>> xfrm_policy_walk
+>> list_move_tail
+>> xfrm_add_policy
+>> ... ...
+>> xfrm_policy_inexact_list_reinsert
+>> list_for_each_entry_reverse
+>> if (!policy->bydst_reinsert)
+>> //read non-existent policy
+>> xfrm_dump_policy_done
+>> xfrm_policy_walk_done
+>> list_del(&walk->walk.all);
+>> 
+>> If dump_one_policy() returns err (triggered by netlink socket),
+>> xfrm_policy_walk() will move walk initialized by socket to list
+>> net->xfrm.policy_all. so this socket becomes visible in the global
+>> policy list. The head *walk can be traversed when users add policies
+>> with different prefixlen and trigger xfrm_policy node merge.
+>> 
+>> It can be fixed by skip such "policies" with walk.dead set to 1.
+>
+>But where in the xfrm_dump_policy() flow, these policies are becoming to
+>be walk.dead == 1?
+> +>Thanks +> +user will use xfrm_dispatch[XFRM_MSG_GETPOLICY] ops to get xfrm policy. + + .start = xfrm_dump_policy_start -But where in the xfrm_dump_policy() flow, these policies are becoming to -be walk.dead == 1? +xfrm_dump_policy_start() will set walk.dead to 1 by call +xfrm_policy_walk_init(). Thanks - -> -> Fixes: 9cf545ebd591 ("xfrm: policy: store inexact policies in a tree ordered by destination address") -> Fixes: 12a169e7d8f4 ("ipsec: Put dumpers on the dump list") -> Signed-off-by: Dong Chenchen <dongchenchen2@huawei.com> -> --- -> net/xfrm/xfrm_policy.c | 3 +++ -> 1 file changed, 3 insertions(+) -> -> diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c -> index d6b405782b63..5b56faad78e0 100644 -> --- a/net/xfrm/xfrm_policy.c -> +++ b/net/xfrm/xfrm_policy.c -> @@ -848,6 +848,9 @@ static void xfrm_policy_inexact_list_reinsert(struct net *net, -> matched_d = 0; -> -> list_for_each_entry_reverse(policy, &net->xfrm.policy_all, walk.all) { -> + if (policy->walk.dead) -> + continue; -> + -> struct hlist_node *newpos = NULL; -> bool matches_s, matches_d; -> -> -- -> 2.25.1 -> -> +>> +>> Fixes: 9cf545ebd591 ("xfrm: policy: store inexact policies in a tree ordered by destination address") +>> Fixes: 12a169e7d8f4 ("ipsec: Put dumpers on the dump list") +>> Signed-off-by: Dong Chenchen <dongchenchen2@huawei.com> +>> --- +>> net/xfrm/xfrm_policy.c | 3 +++ +>> 1 file changed, 3 insertions(+) +>> +>> diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c +>> index d6b405782b63..5b56faad78e0 100644 +>> --- a/net/xfrm/xfrm_policy.c +>> +++ b/net/xfrm/xfrm_policy.c +>> @@ -848,6 +848,9 @@ static void xfrm_policy_inexact_list_reinsert(struct net *net, +>> matched_d = 0; +>> +>> list_for_each_entry_reverse(policy, &net->xfrm.policy_all, walk.all) { +>> + if (policy->walk.dead) +>> + continue; +>> + +>> struct hlist_node *newpos = NULL; +>> bool matches_s, matches_d; +>> +>> -- +>> 2.25.1 +>> +>> 
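Review bot: In the patch quoted on the new side, the added `if (policy->walk.dead) continue;` is placed ahead of the loop body's own declarations `struct hlist_node *newpos = NULL;` and `bool matches_s, matches_d;`, which turns them into declarations after a statement; the kernel build has traditionally warned about that pattern, so the guard would sit more comfortably after those two declarations. The reply's explanation that walk.dead is set by xfrm_policy_walk_init() via xfrm_dump_policy_start() is the fact a reviewer of the fix needs and is worth carrying into the commit message of the next revision, since the quoted message only says such entries have walk.dead set to 1 without saying where that happens. The rest of the quoted function, xfrm_policy_inexact_list_reinsert(), lies outside this hunk.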
diff --git a/a/content_digest b/N1/content_digest
index b7eb31d..7547745 100644
--- a/a/content_digest
+++ b/N1/content_digest
@@ -1,105 +1,113 @@ "ref\020230814013352.2771452-1-dongchenchen2@huawei.com\0" - "From\0Leon Romanovsky <leon@kernel.org>\0" + "From\0Dong Chenchen <dongchenchen2@huawei.com>\0" "Subject\0Re: [PATCH net] net: xfrm: skip policies marked as dead while reinserting policies\0" - "Date\0Mon, 14 Aug 2023 10:03:49 +0300\0" - "To\0Dong Chenchen <dongchenchen2@huawei.com>\0" - "Cc\0steffen.klassert@secunet.com" - herbert@gondor.apana.org.au - davem@davemloft.net - edumazet@google.com - kuba@kernel.org - pabeni@redhat.com - fw@strlen.de - timo.teras@iki.fi - yuehaibing@huawei.com - weiyongjun1@huawei.com - netdev@vger.kernel.org - " linux-kernel@vger.kernel.org\0" + "Date\0Mon, 14 Aug 2023 16:58:46 +0800\0" + "To\0<leon@kernel.org>\0" + "Cc\0<steffen.klassert@secunet.com>" + <herbert@gondor.apana.org.au> + <davem@davemloft.net> + <edumazet@google.com> + <kuba@kernel.org> + <pabeni@redhat.com> + <fw@strlen.de> + <timo.teras@iki.fi> + <yuehaibing@huawei.com> + <weiyongjun1@huawei.com> + <netdev@vger.kernel.org> + " <linux-kernel@vger.kernel.org>\0" "\00:1\0" "b\0" "On Mon, Aug 14, 2023 at 09:33:52AM +0800, Dong Chenchen wrote:\n" - "> BUG: KASAN: slab-use-after-free in xfrm_policy_inexact_list_reinsert+0xb6/0x430\n" - "> Read of size 1 at addr ffff8881051f3bf8 by task ip/668\n" - "> \n" - "> CPU: 2 PID: 668 Comm: ip Not tainted 6.5.0-rc5-00182-g25aa0bebba72-dirty #64\n" - "> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13 04/01/2014\n" - "> Call Trace:\n" - "> <TASK>\n" - "> dump_stack_lvl+0x72/0xa0\n" - "> print_report+0xd0/0x620\n" - "> kasan_report+0xb6/0xf0\n" - "> xfrm_policy_inexact_list_reinsert+0xb6/0x430\n" - "> xfrm_policy_inexact_insert_node.constprop.0+0x537/0x800\n" - "> xfrm_policy_inexact_alloc_chain+0x23f/0x320\n" - "> xfrm_policy_inexact_insert+0x6b/0x590\n" - "> xfrm_policy_insert+0x3b1/0x480\n" - "> xfrm_add_policy+0x23c/0x3c0\n" - "> xfrm_user_rcv_msg+0x2d0/0x510\n" - "> netlink_rcv_skb+0x10d/0x2d0\n" - "> xfrm_netlink_rcv+0x49/0x60\n" 
- "> netlink_unicast+0x3fe/0x540\n" - "> netlink_sendmsg+0x528/0x970\n" - "> sock_sendmsg+0x14a/0x160\n" - "> ____sys_sendmsg+0x4fc/0x580\n" - "> ___sys_sendmsg+0xef/0x160\n" - "> __sys_sendmsg+0xf7/0x1b0\n" - "> do_syscall_64+0x3f/0x90\n" - "> entry_SYSCALL_64_after_hwframe+0x73/0xdd\n" - "> \n" - "> The root cause is:\n" - "> \n" - "> cpu 0\t\t\tcpu1\n" - "> xfrm_dump_policy\n" - "> xfrm_policy_walk\n" - "> list_move_tail\n" - "> \t\t\txfrm_add_policy\n" - "> \t\t\t... ...\n" - "> \t\t\txfrm_policy_inexact_list_reinsert\n" - "> \t\t\tlist_for_each_entry_reverse\n" - "> \t\t\t\tif (!policy->bydst_reinsert)\n" - "> \t\t\t\t//read non-existent policy\n" - "> xfrm_dump_policy_done\n" - "> xfrm_policy_walk_done\n" - "> list_del(&walk->walk.all);\n" - "> \n" - "> If dump_one_policy() returns err (triggered by netlink socket),\n" - "> xfrm_policy_walk() will move walk initialized by socket to list\n" - "> net->xfrm.policy_all. so this socket becomes visible in the global\n" - "> policy list. 
The head *walk can be traversed when users add policies\n" - "> with different prefixlen and trigger xfrm_policy node merge.\n" - "> \n" - "> It can be fixed by skip such \"policies\" with walk.dead set to 1.\n" + ">> BUG: KASAN: slab-use-after-free in xfrm_policy_inexact_list_reinsert+0xb6/0x430\n" + ">> Read of size 1 at addr ffff8881051f3bf8 by task ip/668\n" + ">> \n" + ">> CPU: 2 PID: 668 Comm: ip Not tainted 6.5.0-rc5-00182-g25aa0bebba72-dirty #64\n" + ">> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13 04/01/2014\n" + ">> Call Trace:\n" + ">> <TASK>\n" + ">> dump_stack_lvl+0x72/0xa0\n" + ">> print_report+0xd0/0x620\n" + ">> kasan_report+0xb6/0xf0\n" + ">> xfrm_policy_inexact_list_reinsert+0xb6/0x430\n" + ">> xfrm_policy_inexact_insert_node.constprop.0+0x537/0x800\n" + ">> xfrm_policy_inexact_alloc_chain+0x23f/0x320\n" + ">> xfrm_policy_inexact_insert+0x6b/0x590\n" + ">> xfrm_policy_insert+0x3b1/0x480\n" + ">> xfrm_add_policy+0x23c/0x3c0\n" + ">> xfrm_user_rcv_msg+0x2d0/0x510\n" + ">> netlink_rcv_skb+0x10d/0x2d0\n" + ">> xfrm_netlink_rcv+0x49/0x60\n" + ">> netlink_unicast+0x3fe/0x540\n" + ">> netlink_sendmsg+0x528/0x970\n" + ">> sock_sendmsg+0x14a/0x160\n" + ">> ____sys_sendmsg+0x4fc/0x580\n" + ">> ___sys_sendmsg+0xef/0x160\n" + ">> __sys_sendmsg+0xf7/0x1b0\n" + ">> do_syscall_64+0x3f/0x90\n" + ">> entry_SYSCALL_64_after_hwframe+0x73/0xdd\n" + ">> \n" + ">> The root cause is:\n" + ">> \n" + ">> cpu 0\t\t\tcpu1\n" + ">> xfrm_dump_policy\n" + ">> xfrm_policy_walk\n" + ">> list_move_tail\n" + ">> \t\t\txfrm_add_policy\n" + ">> \t\t\t... 
...\n" + ">> \t\t\txfrm_policy_inexact_list_reinsert\n" + ">> \t\t\tlist_for_each_entry_reverse\n" + ">> \t\t\t\tif (!policy->bydst_reinsert)\n" + ">> \t\t\t\t//read non-existent policy\n" + ">> xfrm_dump_policy_done\n" + ">> xfrm_policy_walk_done\n" + ">> list_del(&walk->walk.all);\n" + ">> \n" + ">> If dump_one_policy() returns err (triggered by netlink socket),\n" + ">> xfrm_policy_walk() will move walk initialized by socket to list\n" + ">> net->xfrm.policy_all. so this socket becomes visible in the global\n" + ">> policy list. The head *walk can be traversed when users add policies\n" + ">> with different prefixlen and trigger xfrm_policy node merge.\n" + ">> \n" + ">> It can be fixed by skip such \"policies\" with walk.dead set to 1.\n" + ">\n" + ">But where in the xfrm_dump_policy() flow, these policies are becoming to\n" + ">be walk.dead == 1?\n" + ">\n" + ">Thanks\n" + ">\n" + "user will use xfrm_dispatch[XFRM_MSG_GETPOLICY] ops to get xfrm policy.\n" + "\t\n" + "\t.start = xfrm_dump_policy_start\n" "\n" - "But where in the xfrm_dump_policy() flow, these policies are becoming to\n" - "be walk.dead == 1?\n" + "xfrm_dump_policy_start() will set walk.dead to 1 by call \n" + "xfrm_policy_walk_init().\n" "\n" "Thanks\n" - "\n" - "> \n" - "> Fixes: 9cf545ebd591 (\"xfrm: policy: store inexact policies in a tree ordered by destination address\")\n" - "> Fixes: 12a169e7d8f4 (\"ipsec: Put dumpers on the dump list\")\n" - "> Signed-off-by: Dong Chenchen <dongchenchen2@huawei.com>\n" - "> ---\n" - "> net/xfrm/xfrm_policy.c | 3 +++\n" - "> 1 file changed, 3 insertions(+)\n" - "> \n" - "> diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c\n" - "> index d6b405782b63..5b56faad78e0 100644\n" - "> --- a/net/xfrm/xfrm_policy.c\n" - "> +++ b/net/xfrm/xfrm_policy.c\n" - "> 
@@ -848,6 +848,9 @@ static void xfrm_policy_inexact_list_reinsert(struct net *net,\n" - "> \tmatched_d = 0;\n" - "> \n" - "> \tlist_for_each_entry_reverse(policy, &net->xfrm.policy_all, walk.all) {\n" - "> +\t\tif (policy->walk.dead)\n" - "> +\t\t\tcontinue;\n" - "> +\n" - "> \t\tstruct hlist_node *newpos = NULL;\n" - "> \t\tbool matches_s, matches_d;\n" - "> \n" - "> -- \n" - "> 2.25.1\n" - "> \n" - > + ">> \n" + ">> Fixes: 9cf545ebd591 (\"xfrm: policy: store inexact policies in a tree ordered by destination address\")\n" + ">> Fixes: 12a169e7d8f4 (\"ipsec: Put dumpers on the dump list\")\n" + ">> Signed-off-by: Dong Chenchen <dongchenchen2@huawei.com>\n" + ">> ---\n" + ">> net/xfrm/xfrm_policy.c | 3 +++\n" + ">> 1 file changed, 3 insertions(+)\n" + ">> \n" + ">> diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c\n" + ">> index d6b405782b63..5b56faad78e0 100644\n" + ">> --- a/net/xfrm/xfrm_policy.c\n" + ">> +++ b/net/xfrm/xfrm_policy.c\n" + ">> @@ -848,6 +848,9 @@ static void xfrm_policy_inexact_list_reinsert(struct net *net,\n" + ">> \tmatched_d = 0;\n" + ">> \n" + ">> \tlist_for_each_entry_reverse(policy, &net->xfrm.policy_all, walk.all) {\n" + ">> +\t\tif (policy->walk.dead)\n" + ">> +\t\t\tcontinue;\n" + ">> +\n" + ">> \t\tstruct hlist_node *newpos = NULL;\n" + ">> \t\tbool matches_s, matches_d;\n" + ">> \n" + ">> -- \n" + ">> 2.25.1\n" + ">> \n" + >> -5173a1210680d1206a8b890ad33452a9549277e82cce1a78783c51da7edd7cdf +b44b8893ff1f6af165aa7c8970ed14821e0e7b0c260fa761fcc43fa8e2ede6ac