lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Mon, 6 Apr 2020 11:03:27 +0200
From:   Steffen Klassert <>
To:     Yuehaibing <>
CC:     <>, <>,
        <>, <>,
Subject: Re: [PATCH net-next] xfrm: policy: Remove obsolete WARN while xfrm
 policy inserting

On Mon, Mar 30, 2020 at 10:05:32PM +0800, Yuehaibing wrote:
> On 2020/3/28 19:23, Steffen Klassert wrote:
> > On Fri, Mar 27, 2020 at 08:34:43PM +0800, YueHaibing wrote:
> >> Since commit 7cb8a93968e3 ("xfrm: Allow inserting policies with matching
> >> mark and different priorities"), we allow duplicate policies with
> >> different priority, this WARN is not needed any more.
> > 
> > Can you please describe a bit more detailed why this warning
> > can't trigger anymore?
> No, this warning is triggered while detect a duplicate entry in the policy list
> regardless of the priority. If we insert policy like this:
> policy A (mark.v = 3475289, mark.m = 0, priority = 1)	//A is inserted
> policy B (mark.v = 0, mark.m = 0, priority = 0) 	//B is inserted
> policy C (mark.v = 3475289, mark.m = 0, priority = 0)	//C is inserted and B is deleted

The codepath that replaces a policy by another should just trigger
on policy updates (XFRM_MSG_UPDPOLICY). Is that the case in your

It should not be possible to add policy C with XFRM_MSG_NEWPOLICY
as long as you have policy B inserted.

The update replaces an old policy by a new one, the lookup keys of
the old policy must match the lookup keys of the new one. But policy
B has not the same lookup keys as C, the mark is different. So B should
not be replaced with C.

> policy D (mark.v = 3475289, mark.m = 0, priority = 1)	
> while finding delpol in xfrm_policy_insert_list,
> first round delpol is matched C, whose priority is less than D, so contiue the loop,
> then A is matched´╝î WARN_ON is triggered.  It seems the WARN is useless.

Looks like the warning is usefull, it found a bug.

Powered by blists - more mailing lists