lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Tue, 9 May 2017 13:56:12 -0700 From: Cong Wang <xiyou.wangcong@...il.com> To: Eric Dumazet <eric.dumazet@...il.com> Cc: David Miller <davem@...emloft.net>, Linux Kernel Network Developers <netdev@...r.kernel.org>, Andrey Konovalov <andreyknvl@...gle.com>, Eric Dumazet <edumazet@...gle.com> Subject: Re: [Patch net] ipv4: restore rt->fi for reference counting On Tue, May 9, 2017 at 9:56 AM, Eric Dumazet <eric.dumazet@...il.com> wrote: > On Tue, 2017-05-09 at 09:44 -0700, Cong Wang wrote: > >> >> Eric, how did you produce it? >> I guess it's because of nh_dev which is the only netdevice pointer inside >> fib_info. Let me take a deeper look. >> > > Nothing particular, I am using kexec to boot new kernels, and all my > attempts with your patch included demonstrated the issue. Interesting. So this happens on your eth0 teardown path, but I don't see any problem in the related NETDEV_UNREGISTER notifiers yet, we don't call dst_destroy() on this path and will defer it to GC, but that should not be delayed for so long? Wait... if we transfer dst->dev to loopback_dev because we don't want to block unregister path, then we might have a similar problem for rt->fi too, fib_info is still referenced by dst, so these nh_dev's still hold the dev references... Something like this (just for proof of concept): diff --git a/net/ipv4/fib_semantics.c b/net/ipv4/fib_semantics.c index da449dd..85cd614 100644 --- a/net/ipv4/fib_semantics.c +++ b/net/ipv4/fib_semantics.c @@ -205,7 +205,7 @@ static void free_fib_info_rcu(struct rcu_head *head) struct fib_info *fi = container_of(head, struct fib_info, rcu); change_nexthops(fi) { - if (nexthop_nh->nh_dev) + if (nexthop_nh->nh_dev && !(nexthop_nh->nh_flags & RTNH_F_DEAD)) dev_put(nexthop_nh->nh_dev); lwtstate_put(nexthop_nh->nh_lwtstate); free_nh_exceptions(nexthop_nh); @@ -1414,8 +1414,10 @@ int fib_sync_down_dev(struct net_device *dev, unsigned long event, bool force) else if (nexthop_nh->nh_dev == dev && nexthop_nh->nh_scope != scope) { switch (event) { - case NETDEV_DOWN: case NETDEV_UNREGISTER: + dev_put(dev); + /* fall through */ + case NETDEV_DOWN: nexthop_nh->nh_flags |= RTNH_F_DEAD; /* fall through */ case NETDEV_CHANGE:
Powered by blists - more mailing lists