lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20140113233819.GO6586@order.stressinduktion.org>
Date:	Tue, 14 Jan 2014 00:38:19 +0100
From:	Hannes Frederic Sowa <hannes@...essinduktion.org>
To:	Eric Dumazet <eric.dumazet@...il.com>
Cc:	Bob Falken <NetFestivalHaveFun@....com>,
	Julian Anastasov <ja@....bg>, netdev@...r.kernel.org,
	kaber@...sh.net, tgraf@...g.ch
Subject: Re: [PATCH net] net: avoid reference counter overflows on fib_rules in multicast forwarding

On Mon, Jan 13, 2014 at 07:18:34AM -0800, Eric Dumazet wrote:
> On Mon, 2014-01-13 at 02:45 +0100, Hannes Frederic Sowa wrote:
> > Bob Falken reported that after 4G packets, multicast forwarding stopped
> > working. This was because of a rule reference counter overflow which
> > freed the rule as soon as the overflow happend.
> > 
> > This patch solves this by adding the FIB_LOOKUP_NOREF flag to
> > fib_rules_lookup calls. This is safe even from non-rcu locked sections
> > as in this case the flag only implies not taking a reference to the rule,
> > which we don't need at all.
> 
> We need to not forget this when/if we remove FIB_LOOKUP_NOREF flag,
> as all callers use it : We'll have to keep rcu_read_lock() in
> fib_rules_lookup()

Yes. Also maybe there is a tiny race between ipmr_rules_exit and reg_vif_xmit.
mrt table might get cleaned up while in reg_vif_xmit and initialisation code
has an error and calls ipmr_rules_exit, because mr_tables are not reference
counted and not managed by rcu (but reg_vif_xmit is also not rcuified). This
could happen if an error happens while initialisation I don't think net
namespace destruction is a problem here, as reg_vif_xmit still has a valid
reference to the interface and thus the namespace.

> > Rules only hold references to the namespace, which are guaranteed to be
> > available during the call of the non-rcu protected function reg_vif_xmit
> > because of the interface reference which itself holds a reference to
> > the net namespace.
> > 
> > Fixes: f0ad0860d01e47 ("ipv4: ipmr: support multiple tables")
> > Fixes: d1db275dd3f6e4 ("ipv6: ip6mr: support multiple tables")
> > Reported-by: Bob Falken <NetFestivalHaveFun@....com>
> > Cc: Patrick McHardy <kaber@...sh.net>
> > Cc: Thomas Graf <tgraf@...g.ch>
> > Cc: Julian Anastasov <ja@....bg>
> > Cc: Eric Dumazet <eric.dumazet@...il.com>
> > Signed-off-by: Hannes Frederic Sowa <hannes@...essinduktion.org>
> > ---
> > Bob Falken already tested this patch, as it is similar to my first
> > attempt but the additional and similar fix for ipv6.
> > 
> > We need an additional fix for kernels without FIB_LOOKUP_NOREF, but I'll
> > move that to tomorrow, as it is already late here.
> 
> Acked-by: Eric Dumazet <edumazet@...gle.com>

Thanks for the review!

I don't think we need an additional patch for this for the longterm kernels
2.6.32 and 2.6.34, as rule support for ipmr and ip6mr only entered in 2.6.35.
RCUification of fib_lookup happened in 2.6.37. So this patch should cover all
current stable kernels.

Greetings,

  Hannes

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ