[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CADvbK_euiOKytyFd6KYgNoM5SbDcyz92Li=K7P48H35q1AFxYg@mail.gmail.com>
Date: Fri, 15 Sep 2023 14:51:56 -0400
From: Xin Long <lucien.xin@...il.com>
To: Zhang Changzhong <zhangchangzhong@...wei.com>
Cc: Steffen Klassert <steffen.klassert@...unet.com>, Herbert Xu <herbert@...dor.apana.org.au>,
"David S. Miller" <davem@...emloft.net>, David Ahern <dsahern@...nel.org>,
Eric Dumazet <edumazet@...gle.com>, Jakub Kicinski <kuba@...nel.org>, Paolo Abeni <pabeni@...hat.com>,
netdev@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH net] xfrm6: fix inet6_dev refcount underflow problem
On Fri, Sep 15, 2023 at 6:54 AM Zhang Changzhong
<zhangchangzhong@...wei.com> wrote:
>
> There are race conditions that may lead to inet6_dev refcount underflow
> in xfrm6_dst_destroy() and rt6_uncached_list_flush_dev().
>
> One of the refcount underflow bugs is shown below:
> (cpu 1) | (cpu 2)
> xfrm6_dst_destroy() |
> ... |
> in6_dev_put() |
> | rt6_uncached_list_flush_dev()
> ... | ...
> | in6_dev_put()
> rt6_uncached_list_del() | ...
> ... |
>
> xfrm6_dst_destroy() calls rt6_uncached_list_del() after in6_dev_put(),
> so rt6_uncached_list_flush_dev() has a chance to call in6_dev_put()
> again for the same inet6_dev.
>
> Fix it by moving in6_dev_put() after rt6_uncached_list_del() in
> xfrm6_dst_destroy().
>
> Fixes: 510c321b5571 ("xfrm: reuse uncached_list to track xdsts")
> Signed-off-by: Zhang Changzhong <zhangchangzhong@...wei.com>
> ---
> net/ipv6/xfrm6_policy.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/net/ipv6/xfrm6_policy.c b/net/ipv6/xfrm6_policy.c
> index 41a680c..42fb6996 100644
> --- a/net/ipv6/xfrm6_policy.c
> +++ b/net/ipv6/xfrm6_policy.c
> @@ -117,10 +117,10 @@ static void xfrm6_dst_destroy(struct dst_entry *dst)
> {
> struct xfrm_dst *xdst = (struct xfrm_dst *)dst;
>
> - if (likely(xdst->u.rt6.rt6i_idev))
> - in6_dev_put(xdst->u.rt6.rt6i_idev);
> dst_destroy_metrics_generic(dst);
> rt6_uncached_list_del(&xdst->u.rt6);
> + if (likely(xdst->u.rt6.rt6i_idev))
> + in6_dev_put(xdst->u.rt6.rt6i_idev);
> xfrm_dst_destroy(xdst);
> }
>
> --
> 2.9.5
>
Reviewed-by: Xin Long <lucien.xin@...il.com>
Thanks.
Powered by blists - more mailing lists