lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <32b3de64-93d5-4342-8255-6e6f991b933a@blackwall.org>
Date: Tue, 16 Dec 2025 09:58:34 +0200
From: Nikolay Aleksandrov <razor@...ckwall.org>
To: Wentao Liang <vulab@...as.ac.cn>, andrew+netdev@...n.ch,
 davem@...emloft.net, edumazet@...gle.com, kuba@...nel.org, pabeni@...hat.com
Cc: petrm@...dia.com, netdev@...r.kernel.org, linux-kernel@...r.kernel.org,
 stable@...r.kernel.org
Subject: Re: [PATCH] vxlan: fix dst ref count leak in the vxlan_xmit_one()
 error path

On 16/12/2025 05:36, Wentao Liang wrote:
> In the vxlan_xmit_one(), when the encap_bypass_if_local() returns an
> error, the function jumps to out_unlock without releasing the dst
> reference obtained from the udp_tunnel_dst_lookup(). This causes a
> reference count leak in both IPv4 and IPv6 paths.
> 
> Fix by calling the dst_release() before goto out_unlock in both error
> paths:
> - For IPv4: release &rt->dst
> - For IPv6: release ndst
> 
> Fixes: 56de859e9967 ("vxlan: lock RCU on TX path")
> Cc: stable@...r.kernel.org
> Signed-off-by: Wentao Liang <vulab@...as.ac.cn>
> ---
>   drivers/net/vxlan/vxlan_core.c | 8 ++++++--
>   1 file changed, 6 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/net/vxlan/vxlan_core.c b/drivers/net/vxlan/vxlan_core.c
> index dab864bc733c..41bbc92cc234 100644
> --- a/drivers/net/vxlan/vxlan_core.c
> +++ b/drivers/net/vxlan/vxlan_core.c
> @@ -2479,8 +2479,10 @@ void vxlan_xmit_one(struct sk_buff *skb, struct net_device *dev,
>   			err = encap_bypass_if_local(skb, dev, vxlan, AF_INET,
>   						    dst_port, ifindex, vni,
>   						    &rt->dst, rt->rt_flags);
> -			if (err)
> +			if (err) {
> +				dst_release(&rt->dst);
>   				goto out_unlock;
> +			}
>   
>   			if (vxlan->cfg.df == VXLAN_DF_SET) {
>   				df = htons(IP_DF);
> @@ -2560,8 +2562,10 @@ void vxlan_xmit_one(struct sk_buff *skb, struct net_device *dev,
>   			err = encap_bypass_if_local(skb, dev, vxlan, AF_INET6,
>   						    dst_port, ifindex, vni,
>   						    ndst, rt6i_flags);
> -			if (err)
> +			if (err) {
> +				dst_release(ndst);
>   				goto out_unlock;
> +			}
>   		}
>   
>   		err = skb_tunnel_check_pmtu(skb, ndst,

Did you check what encap_bypass_if_local() does at all?

There is a reason why the code jumps to out_unlock on error,
encap_bypass_if_local handles that case itself. Don't blindly
change code, first check what it does.

Cheers,
  Nik

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ