From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Paolo Abeni <pabeni@redhat.com>,
	Vlad Buslov <vladbu@nvidia.com>,
	Antoine Tenart <atenart@kernel.org>,
	"David S. Miller" <davem@davemloft.net>,
	Sasha Levin <sashal@kernel.org>
Subject: [PATCH 4.9 19/34] net: do not keep the dst cache when uncloning an skb dst and its metadata
Date: Mon, 14 Feb 2022 10:25:45 +0100
Message-ID: <20220214092446.567775131@linuxfoundation.org>
In-Reply-To: <20220214092445.946718557@linuxfoundation.org>

From: Antoine Tenart <atenart@kernel.org>

[ Upstream commit cfc56f85e72f5b9c5c5be26dc2b16518d36a7868 ]

When uncloning an skb dst and its associated metadata a new dst+metadata
is allocated and the tunnel information from the old metadata is copied
over there.

The issue is the tunnel metadata has references to cached dst, which are
copied along the way. When a dst+metadata refcount drops to 0 the
metadata is freed including the cached dst entries. As they are also
referenced in the initial dst+metadata, this ends up in UaFs.

In practice the above did not happen because of another issue, the
dst+metadata was never freed because its refcount never dropped to 0
(this will be fixed in a subsequent patch).

Fix this by initializing the dst cache after copying the tunnel
information from the old metadata to also unshare the dst cache.

Fixes: d71785ffc7e7 ("net: add dst_cache to ovs vxlan lwtunnel")
Cc: Paolo Abeni <pabeni@redhat.com>
Reported-by: Vlad Buslov <vladbu@nvidia.com>
Tested-by: Vlad Buslov <vladbu@nvidia.com>
Signed-off-by: Antoine Tenart <atenart@kernel.org>
Acked-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 include/net/dst_metadata.h | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/include/net/dst_metadata.h b/include/net/dst_metadata.h
index 5a23535a5018d..33ca53057f318 100644
--- a/include/net/dst_metadata.h
+++ b/include/net/dst_metadata.h
@@ -97,6 +97,19 @@ static inline struct metadata_dst *tun_dst_unclone(struct sk_buff *skb)
 
 	memcpy(&new_md->u.tun_info, &md_dst->u.tun_info,
 	       sizeof(struct ip_tunnel_info) + md_size);
+#ifdef CONFIG_DST_CACHE
+	/* Unclone the dst cache if there is one */
+	if (new_md->u.tun_info.dst_cache.cache) {
+		int ret;
+
+		ret = dst_cache_init(&new_md->u.tun_info.dst_cache, GFP_ATOMIC);
+		if (ret) {
+			metadata_dst_free(new_md);
+			return ERR_PTR(ret);
+		}
+	}
+#endif
+
 	skb_dst_drop(skb);
 	dst_hold(&new_md->dst);
 	skb_dst_set(skb, &new_md->dst);
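
Review bot: In the `if (ret)` branch, `metadata_dst_free(new_md)` runs on an object whose `u.tun_info` was filled by the preceding `memcpy()`, so this path is only safe if a failing `dst_cache_init()` has already cleared or replaced `dst_cache.cache`. If the pointer still held the value copied from `md_dst` and the free routine tears down the dst cache, the error path would release the cache the original metadata still owns, which is the sharing this change is meant to end. Consider noting that dependency in the comment, or recording that a cache was present and clearing the copied pointer before calling `dst_cache_init()`. The comment could also say that the pointer being tested is the copy inherited from `md_dst`, since that is why a non-NULL value here means "shared" rather than "already initialized".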
-- 
2.34.1
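
The aliasing described in the commit message, modelled in user space as an added example (not part of the patch or of the kernel source). `struct cache`, `struct md`, `md_unclone()` and `run_scenario()` are constructed stand-ins, and a fixed pool replaces real frees so a stale access is counted instead of executed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed user-space stand-ins; none of these are kernel types. */
struct cache { int live; };                 /* models the cached dst entries */
struct tun_info { int id; struct cache *cache; };
struct md { int refcnt; struct tun_info info; };
static struct cache pool[4];                /* fixed pool: stale access stays defined */
static int stale_events;                    /* use or release of a dead cache */
static struct cache *cache_alloc(void) {
    for (size_t i = 0; i < sizeof(pool) / sizeof(pool[0]); i++)
        if (!pool[i].live) { pool[i].live = 1; return &pool[i]; }
    return NULL;
}
static void cache_release(struct cache *c) {
    if (c && !c->live) stale_events++;      /* a second owner releasing it again */
    if (c) c->live = 0;
}
static struct md *md_new(int id) {
    struct md *m = calloc(1, sizeof(*m));
    if (m) { m->refcnt = 1; m->info.id = id; m->info.cache = cache_alloc(); }
    return m;
}
static void md_put(struct md *m) {
    if (--m->refcnt == 0) { cache_release(m->info.cache); free(m); }
}
/* Copy the tunnel info; with unshare set, the copy gets a cache of its own. */
static struct md *md_unclone(const struct md *old, int unshare) {
    struct md *m = calloc(1, sizeof(*m));
    if (!m) return NULL;
    m->refcnt = 1;
    memcpy(&m->info, &old->info, sizeof(m->info));  /* copies the cache pointer too */
    if (unshare && m->info.cache && !(m->info.cache = cache_alloc())) { free(m); return NULL; }
    return m;
}
/* Returns how many stale uses or releases the original object runs into. */
int run_scenario(int unshare) {
    memset(pool, 0, sizeof(pool)); stale_events = 0;
    struct md *orig = md_new(7); struct md *copy = orig ? md_unclone(orig, unshare) : NULL;
    if (!orig || !copy) { free(orig); free(copy); return -1; }
    md_put(copy);                           /* copy's refcount hits 0, its cache dies */
    if (orig->info.cache && !orig->info.cache->live) stale_events++;  /* would be a UaF */
    md_put(orig);                           /* shallow copy: same cache released again */
    return stale_events;
}
int main(void) {
    printf("shallow copy: %d stale events, unshared: %d\n", run_scenario(0), run_scenario(1));
    return 0;
}
```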



