lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <CANn89i+JY3PA_p5t3FrCeO+tAo3YuYOtnkeOeyYvBcqKhpgNZQ@mail.gmail.com> Date: Sun, 23 Oct 2022 23:31:00 -0700 From: Eric Dumazet <edumazet@...gle.com> To: Herbert Xu <herbert@...dor.apana.org.au> Cc: syzbot <syzbot+1e9af9185d8850e2c2fa@...kaller.appspotmail.com>, davem@...emloft.net, kuba@...nel.org, linux-kernel@...r.kernel.org, netdev@...r.kernel.org, pabeni@...hat.com, steffen.klassert@...unet.com, syzkaller-bugs@...glegroups.com Subject: Re: [v2 PATCH] af_key: Fix send_acquire race with pfkey_register On Sun, Oct 23, 2022 at 11:06 PM Herbert Xu <herbert@...dor.apana.org.au> wrote: > > On Sun, Oct 23, 2022 at 10:21:05PM -0700, Eric Dumazet wrote: > > > > Are you sure we can sleep in mutex_lock() ? > > > > Use of GFP_ATOMIC would suggest otherwise :/ > > Good point. Acquires are triggered from the network stack so > it may be in BH context. > > ---8<--- > With name space support, it is possible for a pfkey_register to > occur in the middle of a send_acquire, thus changing the number > of supported algorithms. > > This can be fixed by taking a lock to make it single-threaded > again. As this lock can be taken from both thread and softirq > contexts, we need to take the necessary precausions with disabling > BH and make it a spin lock. > > Reported-by: syzbot+1e9af9185d8850e2c2fa@...kaller.appspotmail.com > Fixes: 283bc9f35bbb ("xfrm: Namespacify xfrm state/policy locks") > Signed-off-by: Herbert Xu <herbert@...dor.apana.org.au> > > diff --git a/net/key/af_key.c b/net/key/af_key.c > index c85df5b958d2..4e0d21e2045e 100644 > --- a/net/key/af_key.c > +++ b/net/key/af_key.c > @@ -23,6 +23,7 @@ > #include <linux/proc_fs.h> > #include <linux/init.h> > #include <linux/slab.h> > +#include <linux/spinlock.h> > #include <net/net_namespace.h> > #include <net/netns/generic.h> > #include <net/xfrm.h> > @@ -39,6 +40,7 @@ struct netns_pfkey { > atomic_t socks_nr; > }; > static DEFINE_MUTEX(pfkey_mutex); > +static DEFINE_SPINLOCK(pfkey_alg_lock); > > #define DUMMY_MARK 0 > static const struct xfrm_mark dummy_mark = {0, 0}; > @@ -1697,11 +1699,11 @@ static int pfkey_register(struct sock *sk, struct sk_buff *skb, const struct sad > pfk->registered |= (1<<hdr->sadb_msg_satype); > } > > - mutex_lock(&pfkey_mutex); > + spin_lock_bh(&pfkey_alg_lock); > xfrm_probe_algs(); > > supp_skb = compose_sadb_supported(hdr, GFP_KERNEL | __GFP_ZERO); s/GFP_KERNEL/GFP_ATOMIC/ > - mutex_unlock(&pfkey_mutex); > + spin_unlock_bh(&pfkey_alg_lock); > > if (!supp_skb) { > if (hdr->sadb_msg_satype != SADB_SATYPE_UNSPEC) > @@ -3160,6 +3162,7 @@ static int pfkey_send_acquire(struct xfrm_state *x, struct xfrm_tmpl *t, struct > (sockaddr_size * 2) + > sizeof(struct sadb_x_policy); > > + spin_lock_bh(&pfkey_alg_lock); > if (x->id.proto == IPPROTO_AH) > size += count_ah_combs(t); > else if (x->id.proto == IPPROTO_ESP) > @@ -3171,8 +3174,10 @@ static int pfkey_send_acquire(struct xfrm_state *x, struct xfrm_tmpl *t, struct > } > > skb = alloc_skb(size + 16, GFP_ATOMIC); > - if (skb == NULL) > + if (skb == NULL) { > + spin_unlock_bh(&pfkey_alg_lock); > return -ENOMEM; > + } > > hdr = skb_put(skb, sizeof(struct sadb_msg)); > hdr->sadb_msg_version = PF_KEY_V2; > @@ -3228,6 +3233,7 @@ static int pfkey_send_acquire(struct xfrm_state *x, struct xfrm_tmpl *t, struct > dump_ah_combs(skb, t); > else if (x->id.proto == IPPROTO_ESP) > dump_esp_combs(skb, t); > + spin_unlock_bh(&pfkey_alg_lock); > > /* security context */ > if (xfrm_ctx) { > -- > Email: Herbert Xu <herbert@...dor.apana.org.au> > Home Page: http://gondor.apana.org.au/~herbert/ > PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
Powered by blists - more mailing lists