lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CANn89i+t9e6qRwvkc70dbxAXLz2bGC6uamB==cfcJee3d8tbgQ@mail.gmail.com>
Date: Tue, 14 Oct 2025 00:43:16 -0700
From: Eric Dumazet <edumazet@...gle.com>
To: Paolo Abeni <pabeni@...hat.com>
Cc: Sabrina Dubroca <sd@...asysnail.net>, "David S . Miller" <davem@...emloft.net>, 
	Jakub Kicinski <kuba@...nel.org>, Simon Horman <horms@...nel.org>, 
	Willem de Bruijn <willemb@...gle.com>, netdev@...r.kernel.org, eric.dumazet@...il.com, 
	Michal Kubecek <mkubecek@...e.cz>
Subject: Re: [PATCH net] udp: drop secpath before storing an skb in a receive queue

On Tue, Oct 14, 2025 at 12:32 AM Paolo Abeni <pabeni@...hat.com> wrote:
>
>
>
> On 10/14/25 8:37 AM, Sabrina Dubroca wrote:
> > 2025-10-14, 06:04:54 +0000, Eric Dumazet wrote:
> >> Michal reported and bisected an issue after recent adoption
> >> of skb_attempt_defer_free() in UDP.
> >>
> >> We had the same issue for TCP, that Sabrina fixed in commit 9b6412e6979f
> >> ("tcp: drop secpath at the same time as we currently drop dst")
> >
> > I'm not convinced this is the same bug. The TCP one was a "leaked"
> > reference (delayed put). This looks more like a double put/missing
> > hold to me (we get to the destroy path without having done the proper
> > delete, which would set XFRM_STATE_DEAD).
> >
> > And this shouldn't be an issue after b441cf3f8c4b ("xfrm: delete
> > x->tunnel as we delete x").
>
> I think Sabrina is right. If the skb carries a secpath,
> UDP_SKB_IS_STATELESS is not set, and skb_release_head_state() will be
> called by skb_consume_udp().
>
> skb_ext_put() does not clear skb->extensions nor ext->refcnt, if
> skb_attempt_defer_free() enters the slow path (kfree_skb_napi_cache()),
> the skb will go through again skb_release_head_state(), with a double free.
>
> I think something alike the following (completely untested) should work:
> ---
> diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
> index 95241093b7f0..4a308fd6aa6c 100644
> --- a/net/ipv4/udp.c
> +++ b/net/ipv4/udp.c
> @@ -1851,8 +1851,10 @@ void skb_consume_udp(struct sock *sk, struct
> sk_buff *skb, int len)
>                 sk_peek_offset_bwd(sk, len);
>
>         if (!skb_shared(skb)) {
> -               if (unlikely(udp_skb_has_head_state(skb)))
> +               if (unlikely(udp_skb_has_head_state(skb))) {
>                         skb_release_head_state(skb);
> +                       skb->active_extensions = 0;

Wait, what, skb_ext_put() can not be called twice ?

Because we prefer not dirtying skb in skb_release_head_state() ?

Perhaps add a big comment in skb_release_head_state() to avoid mistakes.

diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index bc12790017b0b5c0be99f8fb9d362b3730fa4eb0..8d274ddd54ad4c59cc29f821fc371c89052bf875
100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -1141,6 +1141,10 @@ void skb_release_head_state(struct sk_buff *skb)
 #if IS_ENABLED(CONFIG_NF_CONNTRACK)
        nf_conntrack_put(skb_nfct(skb));
 #endif
+
+       /* Note: we do not call skb_ext_reset() to avoid dirtying
+        * a cache line. Callers might have to clear skb->active_extensions.
+        */
        skb_ext_put(skb);
 }

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ