From nobody Wed Nov  1 09:06:06 2023
X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4SL1MM0XCdz503ng;
	Wed,  1 Nov 2023 09:06:07 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4SL1ML6Z9Sz3K3P;
	Wed,  1 Nov 2023 09:06:06 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim;
	t=1698829567;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=dQ+vCrOVxLFY0q/zUicEjRprFH4RPnkTM5Jq/gnuEqE=;
	b=hZf+OS3iZ4SalzjBMRacuyW3MYwh7L5/5ltQkY+LzKOu1DT3uZZE7QmYG3oVyXlSsvW/Ja
	NiSp5B5rdDfR1tdzNIerPWvmYOD9TtGIoyHrGw8oAw6qPGKmsCvjhj/4dUFKOb+SdBvUWy
	sFuLiPhGLMw9UlQv95Ts5SPzAVck9lR1XyqqpLvZm8LyRwZPCfoTFMbFTQmBLe6OL5qxtp
	6doP1mGMCZQPtg8a6xAyKYAN3E3gddPQJRou5SvUMTeXfUGUQ3By6d0fXKoi8nsbpKaXPa
	ep59OMRG5Gfc81QibnTxJKvpeFyeQGLIhDK8oVmaDkK/qwax5nFg8PWrYwxWOQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org;
	s=dkim; t=1698829567;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=dQ+vCrOVxLFY0q/zUicEjRprFH4RPnkTM5Jq/gnuEqE=;
	b=ZCEpBthZ+Y9OM7eWyVv3zIBOgDGmaObn62oL/HCzfX5iP5ktHUdHGa4Zjso45CyCKTIgGW
	xv+atQ1ymvt6EH+WeI4V6gO9tERT4zj++LYHypO0HGZg4YVjmdFeGsep4aKR8jcReLCWAQ
	hyrhFlLgckkkfiKeUzkOaJBY7+TtkfYU5AnBDLjGCpn5fby283/DnJOM4xR9FMdwPJZqdn
	kuiFX3f3zMnszSbR9P9CBGstTp97cNGOe+UYSWTLhyOuN2Ir4Ds0otc6YbVCt/Hg2uQJ2F
	zyMUVeSlxHkrx9tEG+NMiPMl+P5ESKpdC4120b6VEFZ4IlkRyDuPBcjhl7UrSA==
ARC-Authentication-Results: i=1;
	mx1.freebsd.org;
	none
ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1698829567; a=rsa-sha256; cv=none;
	b=XNB6BlzcB7Lu7+a1q4EA8Y3HhwKUGu4IQnIfKcUvDYYcYtYqf9MQ2v7PKsQruMxieDF7Ob
	hb2yKUMtNAg7bZLrVqDVhMI1LvPISJNCmSvWQUw4CvcjgJK3XvbF0HGbRCwoMSsPdZQpwD
	JKc7uXlIsJnpILd5EJuTZZF4228ZuSBh3J3YsY7uEHABPFcdbtasu3GktMS2I7bcx6A5Yu
	6D/O2OeSY0z0phmPbkMwnbzmdKKlQcNL2JpVvPEWvzMzF3vP88+Wc4hKBfzYsaSvNczlkL
	c90Tp0XLYZBNMVXIx2jHBb/0f/1S8QrRf24HNZ7F39gfrHsGFJBxFfuQd31uyA==
Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(Client did not present a certificate)
	by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4SL1ML5T2bzg6G;
	Wed,  1 Nov 2023 09:06:06 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org ([127.0.1.44])
	by gitrepo.freebsd.org (8.17.1/8.17.1) with ESMTP id 3A1966a0065134;
	Wed, 1 Nov 2023 09:06:06 GMT
	(envelope-from git@gitrepo.freebsd.org)
Received: (from git@localhost)
	by gitrepo.freebsd.org (8.17.1/8.17.1/Submit) id 3A1966gm065132;
	Wed, 1 Nov 2023 09:06:06 GMT
	(envelope-from git)
Date: Wed, 1 Nov 2023 09:06:06 GMT
Message-Id: <202311010906.3A1966gm065132@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org,
        dev-commits-src-branches@FreeBSD.org
From: Kristof Provost <kp@FreeBSD.org>
Subject: git: 9abf60f5cebf - stable/13 - netlink: fix potential
  llentry lock leak in newneigh handler
List-Id: Commit messages for all branches of the src repository <dev-commits-src-all.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
List-Help: <mailto:dev-commits-src-all+help@freebsd.org>
List-Post: <mailto:dev-commits-src-all@freebsd.org>
List-Subscribe: <mailto:dev-commits-src-all+subscribe@freebsd.org>
List-Unsubscribe: <mailto:dev-commits-src-all+unsubscribe@freebsd.org>
Sender: owner-dev-commits-src-all@freebsd.org
X-BeenThere: dev-commits-src-all@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: kp
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/13
X-Git-Reftype: branch
X-Git-Commit: 9abf60f5cebf1904959daacb4084113acc78a173
Auto-Submitted: auto-generated

The branch stable/13 has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=9abf60f5cebf1904959daacb4084113acc78a173

commit 9abf60f5cebf1904959daacb4084113acc78a173
Author:     R. Christian McDonald <rcm@rcm.sh>
AuthorDate: 2023-10-23 11:23:55 +0000
Commit:     Kristof Provost <kp@FreeBSD.org>
CommitDate: 2023-10-31 08:08:44 +0000

    netlink: fix potential llentry lock leak in newneigh handler
    
    The netlink newneigh handler has the potential to leak the lock on
    llentry objects in the kernel. This patch reconciles several paths
    through the newneigh handler that could result in a lock leak.
    
    MFC after:      1 week
    Reviewed by:    markj, kp
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
    Differential Revision:  https://reviews.freebsd.org/D42307
    
    (cherry picked from commit ae2ca32781a90abe987e128ca167ab400a87f369)
---
 sys/netlink/route/neigh.c | 22 ++++++++++------------
 1 file changed, 10 insertions(+), 12 deletions(-)

diff --git a/sys/netlink/route/neigh.c b/sys/netlink/route/neigh.c
index 140194b4ad32..dcb37313d0db 100644
--- a/sys/netlink/route/neigh.c
+++ b/sys/netlink/route/neigh.c
@@ -416,17 +416,18 @@ rtnl_handle_newneigh(struct nlmsghdr *hdr, struct nlpcb *nlp, struct nl_pstate *
 	struct llentry *lle_tmp = lla_lookup(llt, LLE_EXCLUSIVE, attrs.nda_dst);
 	if (lle_tmp != NULL) {
 		error = EEXIST;
-		if (hdr->nlmsg_flags & NLM_F_EXCL) {
-			LLE_WUNLOCK(lle_tmp);
-			lle_tmp = NULL;
-		} else if (hdr->nlmsg_flags & NLM_F_REPLACE) {
+		if (hdr->nlmsg_flags & NLM_F_REPLACE) {
+			error = EPERM;
 			if ((lle_tmp->la_flags & LLE_IFADDR) == 0) {
+				error = 0; /* success */
 				lltable_unlink_entry(llt, lle_tmp);
+				llentry_free(lle_tmp);
+				lle_tmp = NULL;
 				lltable_link_entry(llt, lle);
-				error = 0;
-			} else
-				error = EPERM;
+			}
 		}
+		if (lle_tmp)
+			LLE_WUNLOCK(lle_tmp);
 	} else {
 		if (hdr->nlmsg_flags & NLM_F_CREATE)
 			lltable_link_entry(llt, lle);
@@ -436,14 +437,11 @@ rtnl_handle_newneigh(struct nlmsghdr *hdr, struct nlpcb *nlp, struct nl_pstate *
 	IF_AFDATA_WUNLOCK(attrs.nda_ifp);
 
 	if (error != 0) {
-		if (lle != NULL)
-			llentry_free(lle);
+		/* throw away the newly allocated llentry */
+		llentry_free(lle);
 		return (error);
 	}
 
-	if (lle_tmp != NULL)
-		llentry_free(lle_tmp);
-
 	/* XXX: We're inside epoch */
 	EVENTHANDLER_INVOKE(lle_event, lle, LLENTRY_RESOLVED);
 	LLE_WUNLOCK(lle);