lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <c502f3e2-7d6b-4510-a812-c5b656d081d6@redhat.com>
Date: Tue, 14 Oct 2025 09:32:09 +0200
From: Paolo Abeni <pabeni@...hat.com>
To: Sabrina Dubroca <sd@...asysnail.net>, Eric Dumazet <edumazet@...gle.com>
Cc: "David S . Miller" <davem@...emloft.net>, Jakub Kicinski
 <kuba@...nel.org>, Simon Horman <horms@...nel.org>,
 Willem de Bruijn <willemb@...gle.com>, netdev@...r.kernel.org,
 eric.dumazet@...il.com, Michal Kubecek <mkubecek@...e.cz>
Subject: Re: [PATCH net] udp: drop secpath before storing an skb in a receive
 queue



On 10/14/25 8:37 AM, Sabrina Dubroca wrote:
> 2025-10-14, 06:04:54 +0000, Eric Dumazet wrote:
>> Michal reported and bisected an issue after recent adoption
>> of skb_attempt_defer_free() in UDP.
>>
>> We had the same issue for TCP, that Sabrina fixed in commit 9b6412e6979f
>> ("tcp: drop secpath at the same time as we currently drop dst")
> 
> I'm not convinced this is the same bug. The TCP one was a "leaked"
> reference (delayed put). This looks more like a double put/missing
> hold to me (we get to the destroy path without having done the proper
> delete, which would set XFRM_STATE_DEAD).
> 
> And this shouldn't be an issue after b441cf3f8c4b ("xfrm: delete
> x->tunnel as we delete x").

I think Sabrina is right. If the skb carries a secpath,
UDP_SKB_IS_STATELESS is not set, and skb_release_head_state() will be
called by skb_consume_udp().

skb_ext_put() does not clear skb->extensions nor ext->refcnt, if
skb_attempt_defer_free() enters the slow path (kfree_skb_napi_cache()),
the skb will go through again skb_release_head_state(), with a double free.

I think something alike the following (completely untested) should work:
---
diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
index 95241093b7f0..4a308fd6aa6c 100644
--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
@@ -1851,8 +1851,10 @@ void skb_consume_udp(struct sock *sk, struct
sk_buff *skb, int len)
 		sk_peek_offset_bwd(sk, len);

 	if (!skb_shared(skb)) {
-		if (unlikely(udp_skb_has_head_state(skb)))
+		if (unlikely(udp_skb_has_head_state(skb))) {
 			skb_release_head_state(skb);
+			skb->active_extensions = 0;
+		}
 		skb_attempt_defer_free(skb);
 		return;
 	}
---

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ