| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CACueBy4EAuBoHDQPVSg_wdUYXYxQzToRx4Y+TSgcBwxEcODt_w@mail.gmail.com>
Date: Fri, 7 Nov 2025 17:53:51 +0800
From: chuang <nashuiliang@...il.com>
To: Ido Schimmel <idosch@...sch.org>
Cc: Eric Dumazet <edumazet@...gle.com>, stable@...r.kernel.org,
"David S. Miller" <davem@...emloft.net>, David Ahern <dsahern@...nel.org>,
Jakub Kicinski <kuba@...nel.org>, Paolo Abeni <pabeni@...hat.com>, Simon Horman <horms@...nel.org>,
Networking <netdev@...r.kernel.org>, open list <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH net] ipv4: route: Prevent rt_bind_exception() from
rebinding stale fnhe
Thanks for reviewing the patch. I'm providing the detailed analysis
and debugging traces below to confirm the root cause and exact
location of the reference count leak.
1. Environment and Symptom
The issue was consistently reproduced when routing TCP traffic through
a Software IP Tunnel interface (sit0). The traffic flow is:
APP -> sit0 (IP tunnel) -> outside
This leads to a reference count leak that prevents the device from
being freed during unregistration, resulting in the kernel log
warning:
unregister_netdevice: waiting for sit0 to become free. Usage count = N
2. Enable refcnt_tracer
Live-crash analysis identified a stale dst entry retaining a reference
to sit0. With CONFIG_NET_DEV_REFCNT_TRACKER enabled, the allocation
stack for the leaked reference was identified:
[1279559.416854] leaked reference.
[1279559.416955] dst_init+0x48/0x100
[1279559.416965] dst_alloc+0x66/0xd0
[1279559.416966] rt_dst_alloc+0x3c/0xd0
[1279559.416974] ip_route_output_key_hash_rcu+0x1d7/0x940
[1279559.416978] ip_route_output_key_hash+0x6d/0xa0
[1279559.416979] ip_route_output_flow+0x1f/0x70
[1279559.416980] __ip_queue_xmit+0x415/0x480
[1279559.416984] ip_queue_xmit+0x15/0x20
[1279559.416986] __tcp_transmit_skb+0xad4/0xc50
3. Pinpointing the Unmatched dst_hold()
To pinpoint the specific reference not released, we added tracepoints
to all dst_hold/put functions and used eBPF to record the full
lifecycle. The tracing identified a hold operation with the following
call stack:
do_trace_dst_entry_inc+0x45
rt_set_nexthop.constprop.0+0x376 /* <<<<<<<<<<<<<<<<<<<< HERE */
__mkroute_output+0x2B7
ip_route_output_key_hash_rcu+0xBD
ip_route_output_key_hash+0x6D
ip_route_output_flow+0x1F
inet_sk_rebuild_header+0x19C
__tcp_retransmit_skb+0x7E
tcp_retransmit_skb+0x19
tcp_retransmit_timer+0x3DF
The address rt_set_nexthop.constprop.0+0x376 corresponds to the
dst_hold() call inside rt_bind_exception().
4. Root Cause Analysis
The sit driver's packet transmission path calls: sit_tunnel_xmit() ->
... -> update_or_create_fnhe(), which lead to fnhe_remove_oldest()
being called to delete entries exceeding the
FNHE_RECLAIM_DEPTH+random.
The race window is between fnhe_remove_oldest() selecting fnheX for
deletion and the subsequent kfree_rcu(). During this time, the
concurrent path's __mkroute_output() -> find_exception() can fetch the
soon-to-be-deleted fnheX, and rt_bind_exception() then binds it with a
new dst using a dst_hold(). When the original fnheX is freed via RCU,
the dst reference remains permanently leaked.
5. Fix Validation with eBPF
The patch mitigates this by zeroing fnhe_daddr before the
RCU-protected deletion steps. This prevents rt_bind_exception() from
attempting to reuse the entry.
The fix was validated by probing the rt_bind_exception path (which in
my environment is optimized to rt_set_nexthop.constprop.0) to catch
any zeroed but active FNHEs being processed:
bpftrace -e 'kprobe:rt_set_nexthop.constprop.0
{
$rt = (struct rtable *)arg0;
$fnhe = (struct fib_nh_exception *)arg3;
$fi = (struct flowi *)arg4;
/* Check for an FNHE that is marked for deletion (daddr == 0)
* but is still visible/valid (fnhe_expires != 0 and not expired).
*/
if ($fi != 0 && $fnhe != 0 && $fnhe->fnhe_daddr == 0 &&
$fnhe->fnhe_expires != 0 && $fnhe->fnhe_expires >= jiffies) {
printf("rt: %llx, dev: %s, will leak before this patch\n",
$rt, $rt->dst.dev->name);
}
}'
On Thu, Nov 6, 2025 at 8:31 AM chuang <nashuiliang@...il.com> wrote:
>
> Thanks, your analysis is excellent and makes perfect sense. I can
> briefly describe the issue.
>
> This problem took quite some time to analyze overall — we enabled
> netdev refcnt, added dst tracepoints, and eventually captured a race
> condition between fnhe deletion and rt_bind_exception.
>
> In our environment, we use the sit driver(ip tunnel). During the xmit
> path, it records the PMTU for each destination, creating or updating
> fnhe entries (even when the MTU is already appropriate). Because there
> are many data flows, the sit driver updates PMTU very frequently,
> which leads to the race condition mentioned above.
>
> Sorry for the brief summary — I’ll provide a more detailed explanation
> later, along with the patch verification method.
>
> On Wed, Nov 5, 2025 at 23:34 Ido Schimmel <idosch@...sch.org> wrote:
> >
> > On Wed, Nov 05, 2025 at 06:26:22AM -0800, Eric Dumazet wrote:
> > > On Mon, Nov 3, 2025 at 7:09 PM chuang <nashuiliang@...il.com> wrote:
> > > >
> > > > From 35dbc9abd8da820007391b707bd2c1a9c99ee67d Mon Sep 17 00:00:00 2001
> > > > From: Chuang Wang <nashuiliang@...il.com>
> > > > Date: Tue, 4 Nov 2025 02:52:11 +0000
> > > > Subject: [PATCH net] ipv4: route: Prevent rt_bind_exception() from rebinding
> > > > stale fnhe
> > > >
> > > > A race condition exists between fnhe_remove_oldest() and
> > > > rt_bind_exception() where a fnhe that is scheduled for removal can be
> > > > rebound to a new dst.
> > > >
> > > > The issue occurs when fnhe_remove_oldest() selects an fnhe (fnheX)
> > > > for deletion, but before it can be flushed and freed via RCU,
> > > > CPU 0 enters rt_bind_exception() and attempts to reuse the entry.
> > > >
> > > > CPU 0 CPU 1
> > > > __mkroute_output()
> > > > find_exception() [fnheX]
> > > > update_or_create_fnhe()
> > > > fnhe_remove_oldest() [fnheX]
> > > > rt_bind_exception() [bind dst]
> > > > RCU callback [fnheX freed, dst leak]
> > > >
> > > > If rt_bind_exception() successfully binds fnheX to a new dst, the
> > > > newly bound dst will never be properly freed because fnheX will
> > > > soon be released by the RCU callback, leading to a permanent
> > > > reference count leak on the old dst and the device.
> > > >
> > > > This issue manifests as a device reference count leak and a
> > > > warning in dmesg when unregistering the net device:
> > > >
> > > > unregister_netdevice: waiting for ethX to become free. Usage count = N
> > > >
> > > > Fix this race by clearing 'oldest->fnhe_daddr' before calling
> > > > fnhe_flush_routes(). Since rt_bind_exception() checks this field,
> > > > setting it to zero prevents the stale fnhe from being reused and
> > > > bound to a new dst just before it is freed.
> > > >
> > > > Cc: stable@...r.kernel.org
> > > > Fixes: 67d6d681e15b ("ipv4: make exception cache less predictible")
> > >
> > > I do not see how this commit added the bug you are looking at ?
> >
> > Not the author, but my understanding is that the issue is that an
> > exception entry which is queued for deletion allows a dst entry to be
> > bound to it. As such, nobody will ever release the reference from the
> > dst entry and the associated net device.
> >
> > Before 67d6d681e15b, exception entries were only queued for deletion by
> > ip_del_fnhe() and it prevented dst entries from binding themselves to
> > the deleted exception entry by clearing 'fnhe->fnhe_daddr' which is
> > checked in rt_bind_exception(). See ee60ad219f5c7.
> >
> > 67d6d681e15b added another point in the code that queues exception
> > entries for deletion, but without clearing 'fnhe->fnhe_daddr' first.
> > Therefore, it added another instance of the bug that was fixed in
> > ee60ad219f5c7.
> >
> > >
> > > > Signed-off-by: Chuang Wang <nashuiliang@...il.com>
> > > > ---
> > > > net/ipv4/route.c | 5 +++++
> > > > 1 file changed, 5 insertions(+)
> > > >
> > > > diff --git a/net/ipv4/route.c b/net/ipv4/route.c
> > > > index 6d27d3610c1c..b549d6a57307 100644
> > > > --- a/net/ipv4/route.c
> > > > +++ b/net/ipv4/route.c
> > > > @@ -607,6 +607,11 @@ static void fnhe_remove_oldest(struct
> > > > fnhe_hash_bucket *hash)
> > > > oldest_p = fnhe_p;
> > > > }
> > > > }
> > > > +
> > > > + /* Clear oldest->fnhe_daddr to prevent this fnhe from being
> > > > + * rebound with new dsts in rt_bind_exception().
> > > > + */
> > > > + oldest->fnhe_daddr = 0;
> > > > fnhe_flush_routes(oldest);
> > > > *oldest_p = oldest->fnhe_next;
> > > > kfree_rcu(oldest, rcu);
> > > > --
> > >
Powered by blists - more mailing lists