lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <lsq.1487198500.603246029@decadent.org.uk>
Date:   Wed, 15 Feb 2017 22:41:40 +0000
From:   Ben Hutchings <ben@...adent.org.uk>
To:     linux-kernel@...r.kernel.org, stable@...r.kernel.org
CC:     akpm@...ux-foundation.org,
        "Samuel Gauthier" <samuel.gauthier@...nd.com>,
        "Gao feng" <gaofeng@...fujitsu.com>,
        "Hannes Frederic Sowa" <hannes@...essinduktion.org>,
        "Balakumaran Kannan" <Balakumaran.Kannan@...sony.com>,
        "Sabrina Dubroca" <sd@...asysnail.net>,
        "Weilong Chen" <chenweilong@...wei.com>,
        "Nicolas Dichtel" <nicolas.dichtel@...nd.com>,
        "David S. Miller" <davem@...emloft.net>,
        "Maruthi Thotad" <Maruthi.Thotad@...sony.com>,
        "Francesco Santoro" <francesco.santoro@...nd.com>
Subject: [PATCH 3.16 128/306] ipv6: correctly add local routes when lo goes up

3.16.40-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Nicolas Dichtel <nicolas.dichtel@...nd.com>

commit a220445f9f4382c36a53d8ef3e08165fa27f7e2c upstream.

The goal of the patch is to fix this scenario:
 ip link add dummy1 type dummy
 ip link set dummy1 up
 ip link set lo down ; ip link set lo up

After that sequence, the local route to the link layer address of dummy1 is
not there anymore.

When the loopback is set down, all local routes are deleted by
addrconf_ifdown()/rt6_ifdown(). At this time, the rt6_info entry still
exists, because the corresponding idev has a reference on it. After the rcu
grace period, dst_rcu_free() is called, and thus ___dst_free(), which will
set obsolete to DST_OBSOLETE_DEAD.

In this case, init_loopback() is called before dst_rcu_free(), thus
obsolete is still sets to something <= 0. So, the function doesn't add the
route again. To avoid that race, let's check the rt6 refcnt instead.

Fixes: 25fb6ca4ed9c ("net IPv6 : Fix broken IPv6 routing table after loopback down-up")
Fixes: a881ae1f625c ("ipv6: don't call addrconf_dst_alloc again when enable lo")
Fixes: 33d99113b110 ("ipv6: reallocate addrconf router for ipv6 address when lo device up")
Reported-by: Francesco Santoro <francesco.santoro@...nd.com>
Reported-by: Samuel Gauthier <samuel.gauthier@...nd.com>
CC: Balakumaran Kannan <Balakumaran.Kannan@...sony.com>
CC: Maruthi Thotad <Maruthi.Thotad@...sony.com>
CC: Sabrina Dubroca <sd@...asysnail.net>
CC: Hannes Frederic Sowa <hannes@...essinduktion.org>
CC: Weilong Chen <chenweilong@...wei.com>
CC: Gao feng <gaofeng@...fujitsu.com>
Signed-off-by: Nicolas Dichtel <nicolas.dichtel@...nd.com>
Signed-off-by: David S. Miller <davem@...emloft.net>
Signed-off-by: Ben Hutchings <ben@...adent.org.uk>
---
 net/ipv6/addrconf.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -2692,7 +2692,7 @@ static void init_loopback(struct net_dev
 				 * lo device down, release this obsolete dst and
 				 * reallocate a new router for ifa.
 				 */
-				if (sp_ifa->rt->dst.obsolete > 0) {
+				if (!atomic_read(&sp_ifa->rt->rt6i_ref)) {
 					ip6_rt_put(sp_ifa->rt);
 					sp_ifa->rt = NULL;
 				} else {

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ