mirror of
https://github.com/torvalds/linux.git
synced 2026-06-02 11:33:28 +02:00
xfrm: iptfs: reset runtime state when cloning SAs
iptfs_clone_state() clones the IPTFS mode data with kmemdup(). This
copies runtime objects which must not be shared with the original SA,
including the embedded sk_buff_head, hrtimers, spinlock, and in-flight
reassembly/reorder state.
If xfrm_state_migrate() fails after clone_state() but before the later
init_state() call has reinitialized those fields, the cloned state can be
destroyed by xfrm_state_gc_task() with list and timer state copied from the
original SA. With queued packets this lets the clone splice and free skbs
owned by the original IPTFS queue, leading to use-after-free and
double-free reports in iptfs_destroy_state() and skb release paths.
Reinitialize the clone's runtime state before publishing it through
x->mode_data. Because clone_state() now publishes a destroyable mode_data
object before init_state(), take the mode callback module reference there.
Avoid taking it again from __iptfs_init_state() for the same object.
Fixes: 0e4fbf013f ("xfrm: iptfs: add user packet (tunnel ingress) handling")
Cc: stable@vger.kernel.org
Signed-off-by: Shaomin Chen <eeesssooo020@gmail.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
This commit is contained in:
Shaomin Chen
Steffen Klassert
parent
dfa0d7b0ff
commit
7f83d17407
|
|
@ -2650,7 +2650,8 @@ static void __iptfs_init_state(struct xfrm_state *x,
|
|||
x->props.enc_hdr_len = sizeof(struct ip_iptfs_hdr);
|
||||
|
||||
/* Always keep a module reference when x->mode_data is set */
|
||||
__module_get(x->mode_cbs->owner);
|
||||
if (x->mode_data != xtfs)
|
||||
__module_get(x->mode_cbs->owner);
|
||||
|
||||
x->mode_data = xtfs;
|
||||
xtfs->x = x;
|
||||
|
|
@ -2658,22 +2659,39 @@ static void __iptfs_init_state(struct xfrm_state *x,
|
|||
|
||||
static int iptfs_clone_state(struct xfrm_state *x, struct xfrm_state *orig)
|
||||
{
|
||||
struct skb_wseq *w_saved = NULL;
|
||||
struct xfrm_iptfs_data *xtfs;
|
||||
|
||||
xtfs = kmemdup(orig->mode_data, sizeof(*xtfs), GFP_KERNEL);
|
||||
if (!xtfs)
|
||||
return -ENOMEM;
|
||||
|
||||
xtfs->ra_newskb = NULL;
|
||||
if (xtfs->cfg.reorder_win_size) {
|
||||
xtfs->w_saved = kzalloc_objs(*xtfs->w_saved,
|
||||
xtfs->cfg.reorder_win_size);
|
||||
if (!xtfs->w_saved) {
|
||||
w_saved = kzalloc_objs(*w_saved, xtfs->cfg.reorder_win_size);
|
||||
if (!w_saved) {
|
||||
kfree_sensitive(xtfs);
|
||||
return -ENOMEM;
|
||||
}
|
||||
}
|
||||
xtfs->w_saved = w_saved;
|
||||
|
||||
__skb_queue_head_init(&xtfs->queue);
|
||||
xtfs->queue_size = 0;
|
||||
hrtimer_setup(&xtfs->iptfs_timer, iptfs_delay_timer, CLOCK_MONOTONIC,
|
||||
IPTFS_HRTIMER_MODE);
|
||||
|
||||
spin_lock_init(&xtfs->drop_lock);
|
||||
hrtimer_setup(&xtfs->drop_timer, iptfs_drop_timer, CLOCK_MONOTONIC,
|
||||
IPTFS_HRTIMER_MODE);
|
||||
|
||||
xtfs->w_seq_set = false;
|
||||
xtfs->w_wantseq = 0;
|
||||
xtfs->w_savedlen = 0;
|
||||
xtfs->ra_newskb = NULL;
|
||||
xtfs->ra_wantseq = 0;
|
||||
xtfs->ra_runtlen = 0;
|
||||
|
||||
__module_get(x->mode_cbs->owner);
|
||||
x->mode_data = xtfs;
|
||||
xtfs->x = x;
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue
Block a user