lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <519ea12b-4c24-9e8e-c5eb-ca02c9c7d264@i-love.sakura.ne.jp> Date: Sat, 4 May 2019 23:52:31 +0900 From: Tetsuo Handa <penguin-kernel@...ove.sakura.ne.jp> To: "David S. Miller" <davem@...emloft.net> Cc: David Ahern <dsahern@...il.com>, Eric Dumazet <eric.dumazet@...il.com>, Julian Anastasov <ja@....bg>, Cong Wang <xiyou.wangcong@...il.com>, syzbot <syzbot+30209ea299c09d8785c9@...kaller.appspotmail.com>, ddstreet@...e.org, dvyukov@...gle.com, linux-kernel@...r.kernel.org, netdev@...r.kernel.org, syzkaller-bugs@...glegroups.com, Linus Torvalds <torvalds@...ux-foundation.org> Subject: [PATCH] ipv4: Delete uncached routes upon unregistration of loopback device. syzbot is hitting infinite loop when a loopback device in a namespace is unregistered [1]. This is because rt_flush_dev() is moving the refcount of "any device to unregister" to "a loopback device in that namespace" but nobody can drop the refcount moved from non loopback devices when the loopback device in that namespace is unregistered. This behavior was introduced by commit caacf05e5ad1abf0 ("ipv4: Properly purge netdev references on uncached routes.") but there is no description why we have to temporarily move the refcount to "a loopback device in that namespace" and why it is safe to do so, for rt_flush_dev() becomes a no-op when "a loopback device in that namespace" is about to be unregistered. Since I don't know the reason, this patch breaks the infinite loop by deleting the uncached route (which eventually drops the refcount via dst_destroy()) when "a loopback device in that namespace" is unregistered rather than when "non-loopback devices in that namespace" is unregistered. [1] https://syzkaller.appspot.com/bug?id=bae9a2236bfede42cf3d219e6bf6740c583568a4 Signed-off-by: Tetsuo Handa <penguin-kernel@...ove.SAKURA.ne.jp> Reported-by: syzbot <syzbot+30209ea299c09d8785c9@...kaller.appspotmail.com> --- net/ipv4/route.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/net/ipv4/route.c b/net/ipv4/route.c index 6fdf1c195d8e..7e865c11d4f3 100644 --- a/net/ipv4/route.c +++ b/net/ipv4/route.c @@ -1522,15 +1522,21 @@ void rt_flush_dev(struct net_device *dev) { struct net *net = dev_net(dev); struct rtable *rt; + struct rtable *tmp; int cpu; for_each_possible_cpu(cpu) { struct uncached_list *ul = &per_cpu(rt_uncached_list, cpu); spin_lock_bh(&ul->lock); - list_for_each_entry(rt, &ul->head, rt_uncached) { + list_for_each_entry_safe(rt, tmp, &ul->head, rt_uncached) { if (rt->dst.dev != dev) continue; + if (dev == net->loopback_dev) { + list_del_init(&rt->rt_uncached); + ip_rt_put(rt); + continue; + } rt->dst.dev = net->loopback_dev; dev_hold(rt->dst.dev); dev_put(dev); -- 2.17.1
Powered by blists - more mailing lists