From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Hangyu Hua <hbh25y@gmail.com>,
Steffen Klassert <steffen.klassert@secunet.com>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 4.14 02/37] xfrm: xfrm_policy: fix a possible double xfrm_pols_put() in xfrm_bundle_lookup()
Date: Wed, 27 Jul 2022 18:10:28 +0200 [thread overview]
Message-ID: <20220727161000.930543212@linuxfoundation.org> (raw)
In-Reply-To: <20220727161000.822869853@linuxfoundation.org>
From: Hangyu Hua <hbh25y@gmail.com>
[ Upstream commit f85daf0e725358be78dfd208dea5fd665d8cb901 ]
xfrm_policy_lookup() will call xfrm_pol_hold_rcu() to get a refcount of
pols[0]. This refcount can be dropped in xfrm_expand_policies() when
xfrm_expand_policies() return error. pols[0]'s refcount is balanced in
here. But xfrm_bundle_lookup() will also call xfrm_pols_put() with
num_pols == 1 to drop this refcount when xfrm_expand_policies() return
error.
This patch also fix an illegal address access. pols[0] will save a error
point when xfrm_policy_lookup fails. This lead to xfrm_pols_put to resolve
an illegal address in xfrm_bundle_lookup's error path.
Fix these by setting num_pols = 0 in xfrm_expand_policies()'s error path.
Fixes: 80c802f3073e ("xfrm: cache bundles instead of policies for outgoing flows")
Signed-off-by: Hangyu Hua <hbh25y@gmail.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/xfrm/xfrm_policy.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index d87121d61a2b..e1840f70c0ff 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -1673,8 +1673,10 @@ static int xfrm_expand_policies(const struct flowi *fl, u16 family,
*num_xfrms = 0;
return 0;
}
- if (IS_ERR(pols[0]))
+ if (IS_ERR(pols[0])) {
+ *num_pols = 0;
return PTR_ERR(pols[0]);
+ }
*num_xfrms = pols[0]->xfrm_nr;
@@ -1688,6 +1690,7 @@ static int xfrm_expand_policies(const struct flowi *fl, u16 family,
if (pols[1]) {
if (IS_ERR(pols[1])) {
xfrm_pols_put(pols, *num_pols);
+ *num_pols = 0;
return PTR_ERR(pols[1]);
}
(*num_pols)++;
--
2.35.1
next prev parent reply other threads:[~2022-07-27 16:25 UTC|newest]
Thread overview: 41+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-07-27 16:10 [PATCH 4.14 00/37] 4.14.290-rc1 review Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 4.14 01/37] xen/gntdev: Ignore failure to unmap INVALID_GRANT_HANDLE Greg Kroah-Hartman
2022-07-27 16:10 ` Greg Kroah-Hartman [this message]
2022-07-27 16:10 ` [PATCH 4.14 03/37] power/reset: arm-versatile: Fix refcount leak in versatile_reboot_probe Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 4.14 04/37] perf/core: Fix data race between perf_event_set_output() and perf_mmap_close() Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 4.14 05/37] ip: Fix a data-race around sysctl_fwmark_reflect Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 4.14 06/37] tcp/dccp: Fix a data-race around sysctl_tcp_fwmark_accept Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 4.14 07/37] tcp: Fix a data-race around sysctl_tcp_probe_threshold Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 4.14 08/37] tcp: Fix a data-race around sysctl_tcp_probe_interval Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 4.14 09/37] i2c: cadence: Change large transfer count reset logic to be unconditional Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 4.14 10/37] net: stmmac: fix dma queue left shift overflow issue Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 4.14 11/37] igmp: Fix data-races around sysctl_igmp_llm_reports Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 4.14 12/37] igmp: Fix a data-race around sysctl_igmp_max_memberships Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 4.14 13/37] tcp: Fix a data-race around sysctl_tcp_notsent_lowat Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 4.14 14/37] be2net: Fix buffer overflow in be_get_module_eeprom Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 4.14 15/37] Revert "Revert "char/random: silence a lockdep splat with printk()"" Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 4.14 16/37] mm/mempolicy: fix uninit-value in mpol_rebind_policy() Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 4.14 17/37] bpf: Make sure mac_header was set before using it Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 4.14 18/37] drm/tilcdc: Remove obsolete crtc_mode_valid() hack Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 4.14 19/37] tilcdc: tilcdc_external: fix an incorrect NULL check on list iterator Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 4.14 20/37] ALSA: memalloc: Align buffer allocations in page size Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 4.14 21/37] Bluetooth: Add bt_skb_sendmsg helper Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 4.14 22/37] Bluetooth: Add bt_skb_sendmmsg helper Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 4.14 23/37] Bluetooth: SCO: Replace use of memcpy_from_msg with bt_skb_sendmsg Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 4.14 24/37] Bluetooth: RFCOMM: Replace use of memcpy_from_msg with bt_skb_sendmmsg Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 4.14 25/37] Bluetooth: Fix passing NULL to PTR_ERR Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 4.14 26/37] Bluetooth: SCO: Fix sco_send_frame returning skb->len Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 4.14 27/37] Bluetooth: Fix bt_skb_sendmmsg not allocating partial chunks Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 4.14 28/37] tty: drivers/tty/, stop using tty_schedule_flip() Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 4.14 29/37] tty: the rest, " Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 4.14 30/37] tty: drop tty_schedule_flip() Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 4.14 31/37] tty: extract tty_flip_buffer_commit() from tty_flip_buffer_push() Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 4.14 32/37] tty: use new tty_insert_flip_string_and_push_buffer() in pty_write() Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 4.14 33/37] net: usb: ax88179_178a needs FLAG_SEND_ZLP Greg Kroah-Hartman
2022-07-27 16:11 ` [PATCH 4.14 34/37] PCI: hv: Fix multi-MSI to allow more than one MSI vector Greg Kroah-Hartman
2022-07-27 16:11 ` [PATCH 4.14 35/37] PCI: hv: Fix hv_arch_irq_unmask() for multi-MSI Greg Kroah-Hartman
2022-07-27 16:11 ` [PATCH 4.14 36/37] PCI: hv: Reuse existing IRTE allocation in compose_msi_msg() Greg Kroah-Hartman
2022-07-27 16:11 ` [PATCH 4.14 37/37] PCI: hv: Fix interrupt mapping for multi-MSI Greg Kroah-Hartman
2022-07-28 10:06 ` [PATCH 4.14 00/37] 4.14.290-rc1 review Naresh Kamboju
2022-07-28 14:32 ` Jon Hunter
2022-07-28 22:57 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220727161000.930543212@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=hbh25y@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
--cc=steffen.klassert@secunet.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.