lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <20161113112400.779778132@linuxfoundation.org>
Date:   Sun, 13 Nov 2016 12:24:48 +0100
From:   Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To:     linux-kernel@...r.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
        stable@...r.kernel.org,
        Francesco Santoro <francesco.santoro@...nd.com>,
        Samuel Gauthier <samuel.gauthier@...nd.com>,
        Balakumaran Kannan <Balakumaran.Kannan@...sony.com>,
        Maruthi Thotad <Maruthi.Thotad@...sony.com>,
        Sabrina Dubroca <sd@...asysnail.net>,
        Hannes Frederic Sowa <hannes@...essinduktion.org>,
        Weilong Chen <chenweilong@...wei.com>,
        Gao feng <gaofeng@...fujitsu.com>,
        Nicolas Dichtel <nicolas.dichtel@...nd.com>,
        "David S. Miller" <davem@...emloft.net>
Subject: [PATCH 4.4 16/34] ipv6: correctly add local routes when lo goes up

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Nicolas Dichtel <nicolas.dichtel@...nd.com>


[ Upstream commit a220445f9f4382c36a53d8ef3e08165fa27f7e2c ]

The goal of the patch is to fix this scenario:
 ip link add dummy1 type dummy
 ip link set dummy1 up
 ip link set lo down ; ip link set lo up

After that sequence, the local route to the link layer address of dummy1 is
not there anymore.

When the loopback is set down, all local routes are deleted by
addrconf_ifdown()/rt6_ifdown(). At this time, the rt6_info entry still
exists, because the corresponding idev has a reference on it. After the rcu
grace period, dst_rcu_free() is called, and thus ___dst_free(), which will
set obsolete to DST_OBSOLETE_DEAD.

In this case, init_loopback() is called before dst_rcu_free(), thus
obsolete is still sets to something <= 0. So, the function doesn't add the
route again. To avoid that race, let's check the rt6 refcnt instead.

Fixes: 25fb6ca4ed9c ("net IPv6 : Fix broken IPv6 routing table after loopback down-up")
Fixes: a881ae1f625c ("ipv6: don't call addrconf_dst_alloc again when enable lo")
Fixes: 33d99113b110 ("ipv6: reallocate addrconf router for ipv6 address when lo device up")
Reported-by: Francesco Santoro <francesco.santoro@...nd.com>
Reported-by: Samuel Gauthier <samuel.gauthier@...nd.com>
CC: Balakumaran Kannan <Balakumaran.Kannan@...sony.com>
CC: Maruthi Thotad <Maruthi.Thotad@...sony.com>
CC: Sabrina Dubroca <sd@...asysnail.net>
CC: Hannes Frederic Sowa <hannes@...essinduktion.org>
CC: Weilong Chen <chenweilong@...wei.com>
CC: Gao feng <gaofeng@...fujitsu.com>
Signed-off-by: Nicolas Dichtel <nicolas.dichtel@...nd.com>
Signed-off-by: David S. Miller <davem@...emloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
---
 net/ipv6/addrconf.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -2916,7 +2916,7 @@ static void init_loopback(struct net_dev
 				 * lo device down, release this obsolete dst and
 				 * reallocate a new router for ifa.
 				 */
-				if (sp_ifa->rt->dst.obsolete > 0) {
+				if (!atomic_read(&sp_ifa->rt->rt6i_ref)) {
 					ip6_rt_put(sp_ifa->rt);
 					sp_ifa->rt = NULL;
 				} else {


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ