lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <CAKgT0UdxAV03ENPmVPwWXsT4FGcEH1xNq7o_SYwfDKVBfYmKCQ@mail.gmail.com>
Date:   Mon, 14 Nov 2016 14:25:33 -0800
From:   Alexander Duyck <alexander.duyck@...il.com>
To:     Eric Dumazet <eric.dumazet@...il.com>
Cc:     David Miller <davem@...emloft.net>,
        netdev <netdev@...r.kernel.org>,
        Alexander Duyck <alexander.h.duyck@...el.com>
Subject: Re: [PATCH net] ipv4: fix cloning issues in fib_trie_unmerge()

On Mon, Nov 14, 2016 at 1:34 PM, Eric Dumazet <eric.dumazet@...il.com> wrote:
> From: Eric Dumazet <edumazet@...gle.com>
>
> I had crashes in a DEBUG_PAGEALLOC kernels in fib_table_flush() or
> fib_table_lookup() that I back tracked to a refcounting issue
> happening when we clone struct fib_alias in fib_trie_unmerge()
>
> While fixing this issue, I also noticed a mem leak happening
> if fib_insert_alias() fails.
>
> Fixes: 0ddcf43d5d4a0 ("ipv4: FIB Local/MAIN table collapse")
> Signed-off-by: Eric Dumazet <edumazet@...gle.com>
> Cc: Alexander Duyck <alexander.h.duyck@...el.com>
> ---
>  net/ipv4/fib_trie.c |    7 ++++++-
>  1 file changed, 6 insertions(+), 1 deletion(-)
>
> diff --git a/net/ipv4/fib_trie.c b/net/ipv4/fib_trie.c
> index 4cff74d4133f..ebf49ab889e8 100644
> --- a/net/ipv4/fib_trie.c
> +++ b/net/ipv4/fib_trie.c
> @@ -1737,14 +1737,19 @@ struct fib_table *fib_trie_unmerge(struct fib_table *oldtb)
>                                 goto out;
>
>                         memcpy(new_fa, fa, sizeof(*fa));
> +                       if (fa->fa_info)
> +                               fa->fa_info->fib_treeref++;
>
>                         /* insert clone into table */
>                         if (!local_l)
>                                 local_l = fib_find_node(lt, &local_tp, l->key);
>
>                         if (fib_insert_alias(lt, local_tp, local_l, new_fa,
> -                                            NULL, l->key))
> +                                            NULL, l->key)) {
> +                               kmem_cache_free(fn_alias_kmem, new_fa);
> +                               fib_release_info(fa->fa_info);
>                                 goto out;
> +                       }
>                 }
>
>                 /* stop loop if key wrapped back to 0 */
>
>

Actually I think this creates a reference leak.  If you look the call
to fib_table_flush_external is skipping the call to fib_release_info.
If you add this then you would probably need to update
fib_table_flush_external so that we call fib_release_info like we do
for fib_table_flush.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ