lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <8d13d82c-6a91-1434-f1af-a2f39ecadbfb@gmail.com>
Date:   Wed, 2 Oct 2019 16:13:12 -0600
From:   David Ahern <dsahern@...il.com>
To:     Eric Dumazet <eric.dumazet@...il.com>,
        David Ahern <dsahern@...nel.org>, davem@...emloft.net,
        jakub.kicinski@...ronome.com
Cc:     netdev@...r.kernel.org, rajendra.dendukuri@...adcom.com
Subject: Re: [PATCH net v2] ipv6: Handle race in addrconf_dad_work

On 10/2/19 3:23 PM, Eric Dumazet wrote:
> 
> 
> On 10/2/19 2:08 PM, Eric Dumazet wrote:
>>
>>
>> On 10/1/19 11:18 AM, Eric Dumazet wrote:
>>>
>>>
>>> On 9/30/19 8:28 PM, David Ahern wrote:
>>>> From: David Ahern <dsahern@...il.com>
>>>>
>>>> Rajendra reported a kernel panic when a link was taken down:
>>>>
>>>> [ 6870.263084] BUG: unable to handle kernel NULL pointer dereference at 00000000000000a8
>>>> [ 6870.271856] IP: [<ffffffff8efc5764>] __ipv6_ifa_notify+0x154/0x290
>>>>
>>>> <snip>
>>>>
>>>
>>> Reviewed-by: Eric Dumazet <edumazet@...gle.com>
>>>
>>> Thanks !
>>>
>>
>> Apparently this patch causes problems. I yet have to make an analysis.

Ugh. I presume syzbot? can you forward the stack trace?

> 
> It seems we need to allow the code to do some changes if IF_READY is not set.
> 
> WDYT ?
> 
> diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
> index dd3be06d5a066e494617d4917c757eae19340d4d..e8181a3700213b9574ea25130689c9218236245d 100644
> --- a/net/ipv6/addrconf.c
> +++ b/net/ipv6/addrconf.c
> @@ -4035,7 +4035,7 @@ static void addrconf_dad_work(struct work_struct *w)
>         /* check if device was taken down before this delayed work
>          * function could be canceled
>          */
> -       if (idev->dead || !(idev->if_flags & IF_READY))
> +       if (idev->dead)
>                 goto out;
>  
>         spin_lock_bh(&ifp->lock);
> @@ -4083,6 +4083,11 @@ static void addrconf_dad_work(struct work_struct *w)
>                 goto out;
>  
>         write_lock_bh(&idev->lock);
> +       if (!(idev->if_flags & IF_READY)) {
> +               write_unlock_bh(&idev->lock);
> +               goto out;
> +       }

That restores the original BUG() - ie., the reason for this patch.

The IF_READY flag needs to be checked before the call to addrconf_dad_begin.

> +
>         spin_lock(&ifp->lock);
>         if (ifp->state == INET6_IFADDR_STATE_DEAD) {
>                 spin_unlock(&ifp->lock);
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ