From: Keenan Dong
To: steffen.klassert@secunet.com, netdev@vger.kernel.org
Cc: keenanat2000@gmail.com, herbert@gondor.apana.org.au, davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, horms@kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH net] xfrm: account XFRMA_IF_ID in aevent size calculation
Date: Thu, 26 Mar 2026 20:36:39 +0800
Message-ID: <20260326123639.94056-1-keenanat2000@gmail.com>
X-Mailer: git-send-email 2.43.0
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

xfrm_get_ae() allocates the reply skb with xfrm_aevent_msgsize(), then build_aevent() appends attributes including XFRMA_IF_ID when x->if_id is set. xfrm_aevent_msgsize() does not include space for XFRMA_IF_ID.

For states with if_id, build_aevent() can fail with -EMSGSIZE and hit BUG_ON(err < 0) in xfrm_get_ae(), turning a malformed netlink interaction into a kernel panic.

Account XFRMA_IF_ID in the size calculation unconditionally and replace the BUG_ON with normal error unwinding.

Fixes: 7e6526404ade ("xfrm: Add a new lookup key to match xfrm interfaces.")
Reported-by: Keenan Dong
Signed-off-by: Keenan Dong
---
 net/xfrm/xfrm_user.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index 1656b487f..d79240a1c 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -2677,7 +2677,8 @@ static inline unsigned int xfrm_aevent_msgsize(struct= xfrm_state *x) + nla_total_size(4) /* XFRM_AE_RTHR */ + nla_total_size(4) /* XFRM_AE_ETHR */ + nla_total_size(sizeof(x->dir)) /* XFRMA_SA_DIR */ - + nla_total_size(4); /* XFRMA_SA_PCPU */ + + nla_total_size(4) /* XFRMA_SA_PCPU */ + + nla_total_size(sizeof(x->if_id)); /* XFRMA_IF_ID */ } =20 static int build_aevent(struct sk_buff *skb, struct xfrm_state *x, const s= truct km_event *c) @@ -2789,7 +2790,12 @@ static int xfrm_get_ae(struct sk_buff *skb, struct n= lmsghdr *nlh, c.portid =3D nlh->nlmsg_pid; =20 err =3D build_aevent(r_skb, x, &c); - BUG_ON(err < 0); + if (err < 0) { + spin_unlock_bh(&x->lock); + xfrm_state_put(x); + kfree_skb(r_skb); + return err; + } =20 err =3D nlmsg_unicast(xfrm_net_nlsk(net, skb), r_skb, NETLINK_CB(skb).por= tid); spin_unlock_bh(&x->lock); --=20 2.43.0
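Review bot: In the xfrm_aevent_msgsize() hunk, the new `+ nla_total_size(sizeof(x->if_id)); /* XFRMA_IF_ID */` term reserves 8 bytes for every state, while build_aevent() emits XFRMA_IF_ID only when x->if_id is set, so states without an if_id now carry a small unused tail in the reply. That is the right trade (the size function can no longer under-count, and it matches how the neighbouring fixed-size attributes are reserved), but the comment should say the attribute is optional, e.g. `/* XFRMA_IF_ID (optional, always reserved) */`, so nobody later "optimises" it back into a conditional and reintroduces the undersize.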
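Review bot: In the xfrm_get_ae() hunk, the new unwind duplicates the `spin_unlock_bh(&x->lock);` that follows nlmsg_unicast() in the visible context; a shared `out:` label would keep the success and failure paths from drifting apart. The ordering is correct as written: the lock is released before xfrm_state_put(x), and kfree_skb(r_skb) belongs here because a failing build_aevent() means the skb was never handed to nlmsg_unicast(), which otherwise consumes it. Since the size hunk is meant to make -EMSGSIZE unreachable, consider `if (WARN_ON_ONCE(err < 0))` so a future size-accounting regression stays visible in the log without bringing back the panic.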
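To make the size arithmetic in the commit message concrete, here is an added userspace model (my illustration, not kernel code) of how an under-counting msgsize function drives build_aevent() to -EMSGSIZE and how reserving XFRMA_IF_ID unconditionally removes that path; the nla_* helpers, struct state and attribute types 1..3 are constructed stand-ins, with only NLA_ALIGNTO/NLA_HDRLEN taken from the real netlink header.

```c
/* Added userspace model (not kernel code) of netlink attribute size accounting. */
#include <errno.h>
#include <stdint.h>
#include <string.h>

#define NLA_ALIGNTO    4
#define NLA_ALIGN(len) (((len) + NLA_ALIGNTO - 1) & ~(NLA_ALIGNTO - 1))
#define NLA_HDRLEN     ((int)NLA_ALIGN(4))

/* Same arithmetic as the kernel's nla_total_size(): header + payload, 4-aligned. */
static size_t nla_total_size(size_t payload) { return NLA_ALIGN(NLA_HDRLEN + payload); }
struct buf { unsigned char data[256]; size_t len, cap; };
/* Hypothetical state: only the fields the model needs (if_id == 0 means unset). */
struct state { uint32_t replay_seq, if_id; uint8_t dir; };

/* Model of nla_put(): refuse with -EMSGSIZE rather than overrun the reserved size. */
static int nla_put(struct buf *b, uint16_t type, const void *p, size_t plen)
{
	uint16_t hdr[2] = { (uint16_t)(NLA_HDRLEN + plen), type }; /* nla_len, nla_type */
	if (b->len + nla_total_size(plen) > b->cap)
		return -EMSGSIZE;
	memcpy(b->data + b->len, hdr, sizeof hdr);
	memcpy(b->data + b->len + NLA_HDRLEN, p, plen);
	b->len += nla_total_size(plen); /* padding bytes left untouched, as in the kernel */
	return 0;
}

/* account_if_id == 0 models xfrm_aevent_msgsize() before the patch. */
static size_t aevent_msgsize(const struct state *x, int account_if_id)
{
	return nla_total_size(4)              /* stand-in for the fixed u32 attrs */
	     + nla_total_size(sizeof(x->dir)) /* XFRMA_SA_DIR */
	     + (account_if_id ? nla_total_size(sizeof(x->if_id)) : 0); /* XFRMA_IF_ID */
}

/* Model of build_aevent(): XFRMA_IF_ID is only emitted when if_id is set. */
static int build_aevent(struct buf *b, const struct state *x)
{
	int err = nla_put(b, 1, &x->replay_seq, 4);
	if (!err) err = nla_put(b, 2, &x->dir, sizeof(x->dir));
	if (!err && x->if_id) err = nla_put(b, 3, &x->if_id, sizeof(x->if_id));
	return err;
}

/* Size the reply like xfrm_get_ae(), then build it; returns 0 or -EMSGSIZE. */
static int try_get_ae(uint32_t if_id, int account_if_id)
{
	struct state x = { .replay_seq = 7, .if_id = if_id, .dir = 1 };
	struct buf b = { .len = 0, .cap = aevent_msgsize(&x, account_if_id) };
	return build_aevent(&b, &x); /* the pre-patch kernel did BUG_ON(err < 0) here */
}
```

With the old sizing, try_get_ae(42, 0) fails with -EMSGSIZE exactly where the BUG_ON used to fire; with the patched accounting, try_get_ae(42, 1) returns 0 and a state without if_id still fits.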