| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CANn89iJ-t1sHTrRKQfnHVa7xyAh2=WYW27PthNGXs3=pSKY+MA@mail.gmail.com>
Date: Mon, 13 Oct 2025 23:54:00 -0700
From: Eric Dumazet <edumazet@...gle.com>
To: Sabrina Dubroca <sd@...asysnail.net>
Cc: "David S . Miller" <davem@...emloft.net>, Jakub Kicinski <kuba@...nel.org>,
Paolo Abeni <pabeni@...hat.com>, Simon Horman <horms@...nel.org>,
Willem de Bruijn <willemb@...gle.com>, netdev@...r.kernel.org, eric.dumazet@...il.com,
Michal Kubecek <mkubecek@...e.cz>
Subject: Re: [PATCH net] udp: drop secpath before storing an skb in a receive queue
On Mon, Oct 13, 2025 at 11:37 PM Sabrina Dubroca <sd@...asysnail.net> wrote:
>
> 2025-10-14, 06:04:54 +0000, Eric Dumazet wrote:
> > Michal reported and bisected an issue after recent adoption
> > of skb_attempt_defer_free() in UDP.
> >
> > We had the same issue for TCP, that Sabrina fixed in commit 9b6412e6979f
> > ("tcp: drop secpath at the same time as we currently drop dst")
>
> I'm not convinced this is the same bug. The TCP one was a "leaked"
> reference (delayed put). This looks more like a double put/missing
> hold to me (we get to the destroy path without having done the proper
> delete, which would set XFRM_STATE_DEAD).
>
Hmm, this was bisected to use of skb_attempt_defer_free(), surely holding
xfrm in a per-cpu queue looks the same to me.
We also had recent syzbot reports hinting at that.
> And this shouldn't be an issue after b441cf3f8c4b ("xfrm: delete
> x->tunnel as we delete x").
>
> > Many thanks to Michal and Sabrina.
> >
> > Fixes: 6471658dc66c ("udp: use skb_attempt_defer_free()")
> > Reported-and-bisected-by: Michal Kubecek <mkubecek@...e.cz>
> > Closes: https://lore.kernel.org/netdev/gpjh4lrotyephiqpuldtxxizrsg6job7cvhiqrw72saz2ubs3h@g6fgbvexgl3r/
> > Signed-off-by: Eric Dumazet <edumazet@...gle.com>
> > Cc: Sabrina Dubroca <sd@...asysnail.net>
> > ---
> > net/ipv4/udp.c | 2 ++
> > 1 file changed, 2 insertions(+)
> >
> > diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
> > index 95241093b7f0..3f05ee70029c 100644
> > --- a/net/ipv4/udp.c
> > +++ b/net/ipv4/udp.c
> > @@ -1709,6 +1709,8 @@ int __udp_enqueue_schedule_skb(struct sock *sk, struct sk_buff *skb)
> > int dropcount;
> > int nb = 0;
> >
> > + secpath_reset(skb);
>
> See also the comment for udp_try_make_stateless:
>
> /* all head states (dst, sk, nf conntrack) except skb extensions are
> * cleared by udp_rcv().
> *
> * We need to preserve secpath, if present, to eventually process
> * IP_CMSG_PASSSEC at recvmsg() time.
> *
> * Other extensions can be cleared.
> */
>
>
> It looks like this patch would re-introduce the problem fixed by
> dce4551cb2ad ("udp: preserve head state for IP_CMSG_PASSSEC").
Arg, I tried to not slow down the consumer part, too bad for XFRM then.
What about then :
diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
index 95241093b7f0..ac45e4056c51 100644
--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
@@ -1853,6 +1853,7 @@ void skb_consume_udp(struct sock *sk, struct
sk_buff *skb, int len)
if (!skb_shared(skb)) {
if (unlikely(udp_skb_has_head_state(skb)))
skb_release_head_state(skb);
+ secpath_reset(skb);
skb_attempt_defer_free(skb);
return;
}
Powered by blists - more mailing lists