Date: Mon, 23 Oct 2023 15:10:32 GMT
Message-Id: <202310231510.39NFAWWi038431@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Kristof Provost
Subject: git: ae2ca32781a9 - main - netlink: fix potential llentry lock leak in newneigh handler
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-Git-Committer: kp
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: ae2ca32781a90abe987e128ca167ab400a87f369

The branch main has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=ae2ca32781a90abe987e128ca167ab400a87f369

commit ae2ca32781a90abe987e128ca167ab400a87f369
Author:     R. Christian McDonald
AuthorDate: 2023-10-23 11:23:55 +0000
Commit:     Kristof Provost
CommitDate: 2023-10-23 14:24:51 +0000

    netlink: fix potential llentry lock leak in newneigh handler

    The netlink newneigh handler has the potential to leak the lock on
    llentry objects in the kernel. This patch reconciles several paths
    through the newneigh handler that could result in a lock leak.

    MFC after:      1 week
    Reviewed by:    markj, kp
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
    Differential Revision:  https://reviews.freebsd.org/D42307
---
 sys/netlink/route/neigh.c | 22 ++++++++++------------
 1 file changed, 10 insertions(+), 12 deletions(-)

diff --git a/sys/netlink/route/neigh.c b/sys/netlink/route/neigh.c index 9914e7febf57..5be0c1f9d91f 100644 --- a/sys/netlink/route/neigh.c +++ b/sys/netlink/route/neigh.c
@@ -436,17 +436,18 @@ rtnl_handle_newneigh(struct nlmsghdr *hdr, struct nlpcb *nlp, struct nl_pstate * struct llentry *lle_tmp = lla_lookup(llt, LLE_EXCLUSIVE, attrs.nda_dst); if (lle_tmp != NULL) { error = EEXIST; - if (hdr->nlmsg_flags & NLM_F_EXCL) { - LLE_WUNLOCK(lle_tmp); - lle_tmp = NULL; - } else if (hdr->nlmsg_flags & NLM_F_REPLACE) { + if (hdr->nlmsg_flags & NLM_F_REPLACE) { + error = EPERM; if ((lle_tmp->la_flags & LLE_IFADDR) == 0) { + error = 0; /* success */ lltable_unlink_entry(llt, lle_tmp); + llentry_free(lle_tmp); + lle_tmp = NULL; lltable_link_entry(llt, lle); - error = 0; - } else - error = EPERM; + } } + if (lle_tmp) + LLE_WUNLOCK(lle_tmp); } else { if (hdr->nlmsg_flags & NLM_F_CREATE) lltable_link_entry(llt, lle); @@ -456,14 +457,11 @@ rtnl_handle_newneigh(struct nlmsghdr *hdr, struct nlpcb *nlp, struct nl_pstate * IF_AFDATA_WUNLOCK(attrs.nda_ifp); if (error != 0) { - if (lle != NULL) - llentry_free(lle); + /* throw away the newly allocated llentry */ + llentry_free(lle); return (error); } - if (lle_tmp != NULL) - llentry_free(lle_tmp); - /* XXX: We're inside epoch */ EVENTHANDLER_INVOKE(lle_event, lle, LLENTRY_RESOLVED); LLE_WUNLOCK(lle);
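
Review bot: In the first hunk (@@ -436,17 +436,18 @@), removing the NLM_F_EXCL branch changes which flag wins when a request sets both NLM_F_EXCL and NLM_F_REPLACE: the old code unlocked lle_tmp and returned EEXIST, while the new `if (hdr->nlmsg_flags & NLM_F_REPLACE)` goes on to unlink and free the existing entry. If that is intended, the commit message should say so; otherwise require NLM_F_EXCL to be clear before entering the replace path. Two smaller points in the same hunk: llentry_free(lle_tmp) now runs before the IF_AFDATA_WUNLOCK(attrs.nda_ifp) that follows, where it used to run after it, so a short comment confirming the free is safe under the afdata write lock would help; and `if (lle_tmp)` would read more consistently as `if (lle_tmp != NULL)`, matching the comparison a few lines above.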
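
Review bot: In the second hunk (@@ -456,14 +457,11 @@), the error path now calls llentry_free(lle) without the old `if (lle != NULL)` guard, and nothing in the visible context shows that lle is guaranteed non-NULL when error != 0. If the allocation is checked earlier in the function, say so in the new comment or add a KASSERT on lle at this point, so that a later change to the earlier return paths cannot turn this into a NULL dereference in the kernel.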