[PATCH 4.9 02/31] xfrm: fix refcount leak in __xfrm_policy_check()

public inbox for stable@vger.kernel.org
 help / color / mirror / Atom feed

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Xin Xiong <xiongx18@fudan.edu.cn>,
	Xin Tan <tanxin.ctf@gmail.com>,
	Steffen Klassert <steffen.klassert@secunet.com>,
	Sasha Levin <sashal@kernel.org>
Subject: [PATCH 4.9 02/31] xfrm: fix refcount leak in __xfrm_policy_check()
Date: Fri,  2 Sep 2022 14:18:28 +0200	[thread overview]
Message-ID: <20220902121356.838472344@linuxfoundation.org> (raw)
In-Reply-To: <20220902121356.732130937@linuxfoundation.org>

From: Xin Xiong <xiongx18@fudan.edu.cn>

[ Upstream commit 9c9cb23e00ddf45679b21b4dacc11d1ae7961ebe ]

The issue happens on an error path in __xfrm_policy_check(). When the
fetching process of the object `pols[1]` fails, the function simply
returns 0, forgetting to decrement the reference count of `pols[0]`,
which is incremented earlier by either xfrm_sk_policy_lookup() or
xfrm_policy_lookup(). This may result in memory leaks.

Fix it by decreasing the reference count of `pols[0]` in that path.

Fixes: 134b0fc544ba ("IPsec: propagate security module errors up from flow_cache_lookup")
Signed-off-by: Xin Xiong <xiongx18@fudan.edu.cn>
Signed-off-by: Xin Tan <tanxin.ctf@gmail.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/xfrm/xfrm_policy.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index 0894108f561cb..ae90a273475c0 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -2538,6 +2538,7 @@ int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb,
 		if (pols[1]) {
 			if (IS_ERR(pols[1])) {
 				XFRM_INC_STATS(net, LINUX_MIB_XFRMINPOLERROR);
+				xfrm_pol_put(pols[0]);
 				return 0;
 			}
 			pols[1]->curlft.use_time = get_seconds();
-- 
2.35.1

next prev parent reply	other threads:[~2022-09-02 12:21 UTC|newest]

Thread overview: 38+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-09-02 12:18 [PATCH 4.9 00/31] 4.9.327-rc1 review Greg Kroah-Hartman
2022-09-02 12:18 ` [PATCH 4.9 01/31] parisc: Fix exception handler for fldw and fstw instructions Greg Kroah-Hartman
2022-09-02 12:18 ` Greg Kroah-Hartman [this message]
2022-09-02 12:18 ` [PATCH 4.9 03/31] af_key: Do not call xfrm_probe_algs in parallel Greg Kroah-Hartman
2022-09-02 12:18 ` [PATCH 4.9 04/31] rose: check NULL rose_loopback_neigh->loopback Greg Kroah-Hartman
2022-09-02 12:18 ` [PATCH 4.9 05/31] bonding: 802.3ad: fix no transmission of LACPDUs Greg Kroah-Hartman
2022-09-02 12:18 ` [PATCH 4.9 06/31] netfilter: nft_payload: report ERANGE for too long offset and length Greg Kroah-Hartman
2022-09-02 12:18 ` [PATCH 4.9 07/31] ratelimit: Fix data-races in ___ratelimit() Greg Kroah-Hartman
2022-09-02 12:18 ` [PATCH 4.9 08/31] net: Fix a data-race around sysctl_tstamp_allow_data Greg Kroah-Hartman
2022-09-02 12:18 ` [PATCH 4.9 09/31] net: Fix a data-race around sysctl_net_busy_poll Greg Kroah-Hartman
2022-09-02 12:18 ` [PATCH 4.9 10/31] net: Fix a data-race around sysctl_net_busy_read Greg Kroah-Hartman
2022-09-02 12:18 ` [PATCH 4.9 11/31] net: Fix a data-race around sysctl_somaxconn Greg Kroah-Hartman
2022-09-02 12:18 ` [PATCH 4.9 12/31] ixgbe: stop resetting SYSTIME in ixgbe_ptp_start_cyclecounter Greg Kroah-Hartman
2022-09-02 12:18 ` [PATCH 4.9 13/31] btrfs: check if root is readonly while setting security xattr Greg Kroah-Hartman
2022-09-02 12:18 ` [PATCH 4.9 14/31] loop: Check for overflow while configuring loop Greg Kroah-Hartman
2022-09-02 12:18 ` [PATCH 4.9 15/31] asm-generic: sections: refactor memory_intersects Greg Kroah-Hartman
2022-09-02 12:18 ` [PATCH 4.9 16/31] mm/hugetlb: fix hugetlb not supporting softdirty tracking Greg Kroah-Hartman
2022-09-02 12:18 ` [PATCH 4.9 17/31] mm: Force TLB flush for PFNMAP mappings before unlink_file_vma() Greg Kroah-Hartman
2022-09-02 12:18 ` [PATCH 4.9 18/31] s390/mm: do not trigger write fault when vma does not allow VM_WRITE Greg Kroah-Hartman
2022-09-02 12:18 ` [PATCH 4.9 19/31] x86/cpu: Add Tiger Lake to Intel family Greg Kroah-Hartman
2022-09-02 12:18 ` [PATCH 4.9 20/31] x86/bugs: Add "unknown" reporting for MMIO Stale Data Greg Kroah-Hartman
2022-09-02 12:18 ` [PATCH 4.9 21/31] kbuild: Fix include path in scripts/Makefile.modpost Greg Kroah-Hartman
2022-09-02 12:18 ` [PATCH 4.9 22/31] Bluetooth: L2CAP: Fix build errors in some archs Greg Kroah-Hartman
2022-09-02 12:18 ` [PATCH 4.9 23/31] media: pvrusb2: fix memory leak in pvr_probe Greg Kroah-Hartman
2022-09-02 12:18 ` [PATCH 4.9 24/31] HID: hidraw: fix memory leak in hidraw_release() Greg Kroah-Hartman
2022-09-02 12:18 ` [PATCH 4.9 25/31] fbdev: fb_pm2fb: Avoid potential divide by zero error Greg Kroah-Hartman
2022-09-02 12:18 ` [PATCH 4.9 26/31] ftrace: Fix NULL pointer dereference in is_ftrace_trampoline when ftrace is dead Greg Kroah-Hartman
2022-09-02 12:18 ` [PATCH 4.9 27/31] arm64: map FDT as RW for early_init_dt_scan() Greg Kroah-Hartman
2022-09-02 12:18 ` [PATCH 4.9 28/31] s390/hypfs: avoid error message under KVM Greg Kroah-Hartman
2022-09-02 12:18 ` [PATCH 4.9 29/31] netfilter: conntrack: NF_CONNTRACK_PROCFS should no longer default to y Greg Kroah-Hartman
2022-09-02 12:18 ` [PATCH 4.9 30/31] mm/rmap: Fix anon_vma->degree ambiguity leading to double-reuse Greg Kroah-Hartman
2022-09-02 12:18 ` [PATCH 4.9 31/31] kprobes: dont call disarm_kprobe() for disabled kprobes Greg Kroah-Hartman
2022-09-02 16:35 ` [PATCH 4.9 00/31] 4.9.327-rc1 review Jon Hunter
2022-09-02 16:45 ` Florian Fainelli
2022-09-02 22:21 ` Shuah Khan
2022-09-03  0:34 ` Guenter Roeck
2022-09-03 13:16 ` Naresh Kamboju
2022-09-05  7:42 ` Pavel Machek

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:0894108f561c dfblob:ae90a273475c )
 OR (
bs:"[PATCH 4.9 02/31] xfrm: fix refcount leak in __xfrm_policy_check()" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20220902121356.838472344@linuxfoundation.org \
    --to=gregkh@linuxfoundation.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=sashal@kernel.org \
    --cc=stable@vger.kernel.org \
    --cc=steffen.klassert@secunet.com \
    --cc=tanxin.ctf@gmail.com \
    --cc=xiongx18@fudan.edu.cn \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox