Subject: Re: [PATCH net-next] net: sched: act_tunnel_key: fix metadata handling
From: Davide Caratti
To: Vlad Buslov, netdev@vger.kernel.org
Cc: jhs@mojatatu.com, xiyou.wangcong@gmail.com, jiri@resnulli.us, davem@davemloft.net, wenxu@ucloud.cn, roid@mellanox.com
Date: Mon, 25 Feb 2019 15:04:27 +0100

On Mon, 2019-02-25 at 14:21 +0200, Vlad Buslov wrote:
> Tunnel key action params->tcft_enc_metadata is only set when action is
> TCA_TUNNEL_KEY_ACT_SET. However, metadata pointer is incorrectly
> dereferenced during tunnel key init and release without verifying that
> action is of correct type, which causes NULL pointer dereference. Metadata
> tunnel dst_cache is also leaked on action overwrite.
>
> Fix metadata handling:
> - Verify that metadata pointer is not NULL before dereferencing it in
> tunnel_key_init error handling code.

hello Vlad, thanks a lot for fixing this!

<...>
> @@ -384,10 +390,12 @@ static int tunnel_key_init(struct net *net, struct nlattr *nla, > > release_dst_cache: > #ifdef CONFIG_DST_CACHE > - dst_cache_destroy(&metadata->u.tun_info.dst_cache); > + if (metadata) > + dst_cache_destroy(&metadata->u.tun_info.dst_cache); > #endif > release_tun_meta: > - dst_release(&metadata->dst); > + if (metadata) > + dst_release(&metadata->dst);

on Linux 'net' tree we don't have commit 41411e2fd6b8 ("net/sched:
act_tunnel_key: Add dst_cache support"), but still the above two lines can
avoid a NULL dereference in tunnel_key_init() error path, in the following
case:

* create an action with tunnel "set", with success
* replace the previous rule with tunnel "unset", and have a failure here
  (e.g. allocation of 'params_new').

At the cost of creating some conflicts during the merge, it would probably
be safer to split this commit into two parts, one targeting 'net' and one
targeting 'net-next', so that the first one can be proposed for stable
backports (and also I can rebase/retest my 'goto chain' series on top of
it :) )

WDYT?

--
davide
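
Review bot: The two "if (metadata)" guards added at release_dst_cache and release_tun_meta in tunnel_key_init() carry no comment saying why metadata can be NULL on this error path. The commit message explains it (tcft_enc_metadata is only set for TCA_TUNNEL_KEY_ACT_SET), but nothing at the labels does, so a later cleanup could drop the checks as redundant. A one-line comment above the first guard noting that metadata is only allocated for the set action would make the invariant visible where it is relied on. The guard in front of dst_release(&metadata->dst) sits outside the CONFIG_DST_CACHE block, so it does not depend on the dst_cache lines and can be carried separately from them.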