Date:   Sat, 4 May 2019 21:13:44 +0800
From:   linmiaohe <linmiaohe@...wei.com>
To:     <davem@...emloft.net>, <kuznet@....inr.ac.ru>,
        <yoshfuji@...ux-ipv6.org>, <dsahern@...il.com>,
        <netdev@...r.kernel.org>, <linux-kernel@...r.kernel.org>
CC:     mousuanming <mousuanming@...wei.com>,
        Mingfangsen <mingfangsen@...wei.com>
Subject: [PATCH v2] net: route: Fix vrf dst_entry ref count false increasing

From: Suanming.Mou <mousuanming@...wei.com>

When the IP configured in the default vrf is the same as
the IP in a specified vrf, fib_lookup will return the route
from table local even if the in device is an enslaved
l3mdev. Then the dst_entry will hold the vrf device rather
than the loopback device in local_input of function
ip_route_input_slow. So the vrf dst_entry is falsely
increased by the route from table local, because the device
passed to rt_dst_alloc is the in device rather than the fib
result device.

Here are the steps to reproduce:
1. Enslave enp4s0 to vrf2, and configure an IP address:
ip link add vrf2 type vrf table 1
ip link set vrf2 up
ip link set enp4s0 master vrf2
ip addr ad 125.1.1.1/16 dev enp4s0

2. Configure the same IP in the default vrf:
ip addr ad 125.1.1.1/16 dev enp6s0

3. Configure the peer and ping:
ip vrf exec vrf2 ping 125.1.1.2 -c 3

4. Delete the vrf2 link:
ip link del vrf2

The system hangs on the del vrf2 operation and
"unregister_netdevice: waiting for vrf2 to become free.
Usage count = 1" occurs.

Reported-by: Hui Wang <wanghui104@...wei.com>
Signed-off-by: Suanming.Mou <mousuanming@...wei.com>
Signed-off-by: Miaohe Lin <linmiaohe@...wei.com>
---
 net/ipv4/route.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/net/ipv4/route.c b/net/ipv4/route.c
index 6fdf1c195d8e..74def8710ae8 100644
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -2077,6 +2077,11 @@ out:	return err;
 			}
 			do_cache = true;
 		}
+		/* Use fib res nh_dev as local input device because enslaved
+		 * l3mdev may hit route from other rule table. Dst_entry
+		 * should hold right device.
+		 */
+		dev = FIB_RES_DEV(*res);
 	}

 	rth = rt_dst_alloc(l3mdev_master_dev_rcu(dev) ? : net->loopback_dev,
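
Review bot: the added "dev = FIB_RES_DEV(*res);" overwrites the function's dev variable and does so only inside the enclosing block, so the rt_dst_alloc(l3mdev_master_dev_rcu(dev) ? : net->loopback_dev, ...) call that follows sees the fib result device only when that block is entered, and every other use of dev after this point changes as well. Consider computing the device in a separate local right at the rt_dst_alloc call, or say in the commit message why the paths that skip this block cannot hit the same device mismatch. The comment would also be clearer if it named the consequence given in the commit message (the dst_entry holding the vrf device rather than the loopback device), and the commit message carries Reported-by and Signed-off-by but no Fixes: tag identifying the change that introduced the problem.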
-- 
2.21.GIT

