[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CANn89iKuQYk4RkmW8y08k+LO_-O+FMj9O-ySv5YF=vFsWc46+A@mail.gmail.com>
Date: Fri, 18 Aug 2017 06:53:16 -0700
From: Eric Dumazet <edumazet@...gle.com>
To: Ben Hutchings <ben@...adent.org.uk>
Cc: LKML <linux-kernel@...r.kernel.org>, stable@...r.kernel.org,
Andrew Morton <akpm@...ux-foundation.org>,
"David S. Miller" <davem@...emloft.net>,
Andrey Konovalov <andreyknvl@...gle.com>,
WANG Cong <xiyou.wangcong@...il.com>
Subject: Re: [PATCH 3.16 119/134] ipv4: restore rt->fi for reference counting
On Fri, Aug 18, 2017 at 6:13 AM, Ben Hutchings <ben@...adent.org.uk> wrote:
> 3.16.47-rc1 review patch. If anyone has any objections, please let me know.
>
> ------------------
>
> From: WANG Cong <xiyou.wangcong@...il.com>
>
> commit 82486aa6f1b9bc8145e6d0fa2bc0b44307f3b875 upstream.
>
> IPv4 dst could use fi->fib_metrics to store metrics but fib_info
> itself is refcnt'ed, so without taking a refcnt fi and
> fi->fib_metrics could be freed while dst metrics still points to
> it. This triggers use-after-free as reported by Andrey twice.
>
> This patch reverts commit 2860583fe840 ("ipv4: Kill rt->fi") to
> restore this reference counting. It is a quick fix for -net and
> -stable, for -net-next, as Eric suggested, we can consider doing
> reference counting for metrics itself instead of relying on fib_info.
>
> IPv6 is very different, it copies or steals the metrics from mx6_config
> in fib6_commit_metrics() so probably doesn't need a refcnt.
>
> Decnet has already done the refcnt'ing, see dn_fib_semantic_match().
>
> Fixes: 2860583fe840 ("ipv4: Kill rt->fi")
> Reported-by: Andrey Konovalov <andreyknvl@...gle.com>
> Tested-by: Andrey Konovalov <andreyknvl@...gle.com>
> Signed-off-by: Cong Wang <xiyou.wangcong@...il.com>
> Acked-by: Eric Dumazet <edumazet@...gle.com>
> Signed-off-by: David S. Miller <davem@...emloft.net>
> [bwh: Backported to 3.16:
> - Update all 5 places where rtable is initialised
> - Open-code fib_info_hold()
> - Adjust context]
> Signed-off-by: Ben Hutchings <ben@...adent.org.uk>
> ---
I thought we refined this later with :
commit 3fb07daff8e99243366a081e5129560734de4ada
Author: Eric Dumazet <edumazet@...gle.com>
Date: Thu May 25 14:27:35 2017 -0700
ipv4: add reference counting to metrics
Andrey Konovalov reported crashes in ipv4_mtu()
I could reproduce the issue with KASAN kernels, between
10.246.7.151 and 10.246.7.152 :
1) 20 concurrent netperf -t TCP_RR -H 10.246.7.152 -l 1000 &
2) At the same time run following loop :
while :
do
ip ro add 10.246.7.152 dev eth0 src 10.246.7.151 mtu 1500
ip ro del 10.246.7.152 dev eth0 src 10.246.7.151 mtu 1500
done
Cong Wang attempted to add back rt->fi in commit
82486aa6f1b9 ("ipv4: restore rt->fi for reference counting")
but this proved to add some issues that were complex to solve.
Instead, I suggested to add a refcount to the metrics themselves,
being a standalone object (in particular, no reference to other objects)
I tried to make this patch as small as possible to ease its backport,
instead of being super clean. Note that we believe that only ipv4 dst
need to take care of the metric refcount. But if this is wrong,
this patch adds the basic infrastructure to extend this to other
families.
Many thanks to Julian Anastasov for reviewing this patch, and Cong Wang
for his efforts on this problem.
Fixes: 2860583fe840 ("ipv4: Kill rt->fi")
Signed-off-by: Eric Dumazet <edumazet@...gle.com>
Reported-by: Andrey Konovalov <andreyknvl@...gle.com>
Reviewed-by: Julian Anastasov <ja@....bg>
Acked-by: Cong Wang <xiyou.wangcong@...il.com>
Signed-off-by: David S. Miller <davem@...emloft.net>
And then :
commit 187e5b3ac84d3421d2de3aca949b2791fbcad554
Author: Eric Dumazet <edumazet@...gle.com>
Date: Tue Aug 15 05:26:17 2017 -0700
ipv4: fix NULL dereference in free_fib_info_rcu()
If fi->fib_metrics could not be allocated in fib_create_info()
we attempt to dereference a NULL pointer in free_fib_info_rcu() :
m = fi->fib_metrics;
if (m != &dst_default_metrics && atomic_dec_and_test(&m->refcnt))
kfree(m);
Before my recent patch, we used to call kfree(NULL) and nothing wrong
happened.
Instead of using RCU to defer freeing while we are under memory stress,
it seems better to take immediate action.
This was reported by syzkaller team.
Fixes: 3fb07daff8e9 ("ipv4: add reference counting to metrics")
Signed-off-by: Eric Dumazet <edumazet@...gle.com>
Reported-by: Dmitry Vyukov <dvyukov@...gle.com>
Signed-off-by: David S. Miller <davem@...emloft.net>
Powered by blists - more mailing lists