From: Eric Dumazet
To: Cong Wang
Cc: Eric Dumazet, Andrey Konovalov, "David S. Miller", netdev, LKML, Dmitry Vyukov, Kostya Serebryany, syzkaller
Subject: Re: net/ipv4: use-after-free in ipv4_mtu
Date: Thu, 06 Apr 2017 03:49:10 -0700
Message-ID: <1491475750.10124.72.camel@edumazet-glaptop3.roam.corp.google.com>
References: <1491360338.10124.39.camel@edumazet-glaptop3.roam.corp.google.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, 2017-04-05 at 15:33 -0700, Cong Wang wrote:
> Good find! I missed the refcnt in rt_set_nexthop() before that commit.
>
> We need to revert that commit to restore the refcnt for fib_info.

Well, there are other spots, in decnet and IPv6.

This is why my original mail stated the problem was in the calls to:

    dst_init_metrics(&rt->dst, fi->fib_metrics, true);

Let's not think in a "reverting" spirit, but add the missing bits.

The problem here is that the metrics should not be freed until the last user is gone.

So maybe a refcount should be added to metrics, and we do not have to add a fib pointer again in all dsts.

Thanks.
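The following is an added user-space sketch of the design Eric suggests in the reply above: the metrics block carries its own reference count, each dst that is initialised from a fib_info takes a reference instead of borrowing the fib's pointer, and the block is only freed when the last holder (fib or dst) drops it. This is illustration code written for this page, not kernel code and not from any patch in the thread; the names metrics_blk, fib_like, dst_like, dst_init_metrics_shared and the RTAX_MAX value are hypothetical, and live_blocks is a constructed counter used only to check that nothing is freed early or leaked.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for kernel structures; not the real definitions. */
#define RTAX_MAX 4                    /* constructed: small metric array */

struct metrics_blk {
    unsigned int refcnt;              /* holders: the fib plus every dst using it */
    uint32_t metrics[RTAX_MAX];       /* metrics[0] plays the role of the MTU */
};

struct fib_like { struct metrics_blk *fib_metrics; };
struct dst_like { struct metrics_blk *metrics; };

static int live_blocks;               /* constructed: blocks currently allocated */

static struct metrics_blk *metrics_alloc(const uint32_t *src)
{
    struct metrics_blk *m = calloc(1, sizeof *m);
    if (!m)
        return NULL;
    m->refcnt = 1;                    /* the fib_info owns the first reference */
    memcpy(m->metrics, src, sizeof m->metrics);
    live_blocks++;
    return m;
}

static struct metrics_blk *metrics_hold(struct metrics_blk *m)
{
    m->refcnt++;
    return m;
}

static void metrics_put(struct metrics_blk *m)
{
    if (m && --m->refcnt == 0) {      /* last user gone: only now is freeing safe */
        live_blocks--;
        free(m);
    }
}

/* Analogue of dst_init_metrics(): the dst takes a reference rather than
 * borrowing fi->fib_metrics, so the fib may disappear first without harm. */
static void dst_init_metrics_shared(struct dst_like *dst, struct fib_like *fi)
{
    dst->metrics = metrics_hold(fi->fib_metrics);
}

static void fib_release(struct fib_like *fi)
{
    metrics_put(fi->fib_metrics);
    fi->fib_metrics = NULL;
}

static void dst_release(struct dst_like *dst)
{
    metrics_put(dst->metrics);
    dst->metrics = NULL;
}

/* The ordering from the report: the fib_info goes away while two dsts still
 * point at its metrics. Returns the MTU read from a dst after the fib is gone. */
static uint32_t mtu_after_fib_gone(void)
{
    uint32_t init[RTAX_MAX] = { 1500, 0, 0, 0 };   /* constructed sample metrics */
    struct fib_like fi = { metrics_alloc(init) };
    struct dst_like a = { NULL }, b = { NULL };

    dst_init_metrics_shared(&a, &fi);
    dst_init_metrics_shared(&b, &fi);
    fib_release(&fi);                 /* refcnt 3 -> 2: block survives */
    dst_release(&a);                  /* refcnt 2 -> 1: block survives */

    uint32_t mtu = b.metrics->metrics[0];   /* still valid; no use-after-free */
    dst_release(&b);                  /* refcnt 1 -> 0: freed exactly once */
    return mtu;
}

/* Runs the scenario and reports how many blocks are still alive afterwards. */
static int blocks_left_after_scenario(void)
{
    (void)mtu_after_fib_gone();
    return live_blocks;
}

int main(void)
{
    printf("mtu read after fib release: %u\n", (unsigned)mtu_after_fib_gone());
    printf("blocks still allocated: %d\n", blocks_left_after_scenario());
    return 0;
}
```

The point the sketch makes is the one in the mail: with a count on the metrics themselves, neither the fib_info nor any dst needs to know about the others' lifetimes, and no back-pointer from dst to fib has to be reintroduced.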