Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752294AbdHRNxV (ORCPT ); Fri, 18 Aug 2017 09:53:21 -0400 Received: from mail-yw0-f177.google.com ([209.85.161.177]:34162 "EHLO mail-yw0-f177.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753473AbdHRNxS (ORCPT ); Fri, 18 Aug 2017 09:53:18 -0400 MIME-Version: 1.0 In-Reply-To: References: From: Eric Dumazet Date: Fri, 18 Aug 2017 06:53:16 -0700 Message-ID: Subject: Re: [PATCH 3.16 119/134] ipv4: restore rt->fi for reference counting To: Ben Hutchings Cc: LKML , stable@vger.kernel.org, Andrew Morton , "David S. Miller" , Andrey Konovalov , WANG Cong Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 4178 Lines: 110 On Fri, Aug 18, 2017 at 6:13 AM, Ben Hutchings wrote: > 3.16.47-rc1 review patch. If anyone has any objections, please let me know. > > ------------------ > > From: WANG Cong > > commit 82486aa6f1b9bc8145e6d0fa2bc0b44307f3b875 upstream. > > IPv4 dst could use fi->fib_metrics to store metrics but fib_info > itself is refcnt'ed, so without taking a refcnt fi and > fi->fib_metrics could be freed while dst metrics still points to > it. This triggers use-after-free as reported by Andrey twice. > > This patch reverts commit 2860583fe840 ("ipv4: Kill rt->fi") to > restore this reference counting. It is a quick fix for -net and > -stable, for -net-next, as Eric suggested, we can consider doing > reference counting for metrics itself instead of relying on fib_info. > > IPv6 is very different, it copies or steals the metrics from mx6_config > in fib6_commit_metrics() so probably doesn't need a refcnt. > > Decnet has already done the refcnt'ing, see dn_fib_semantic_match(). > > Fixes: 2860583fe840 ("ipv4: Kill rt->fi") > Reported-by: Andrey Konovalov > Tested-by: Andrey Konovalov > Signed-off-by: Cong Wang > Acked-by: Eric Dumazet > Signed-off-by: David S. Miller > [bwh: Backported to 3.16: > - Update all 5 places where rtable is initialised > - Open-code fib_info_hold() > - Adjust context] > Signed-off-by: Ben Hutchings > --- I thought we refined this later with : commit 3fb07daff8e99243366a081e5129560734de4ada Author: Eric Dumazet Date: Thu May 25 14:27:35 2017 -0700 ipv4: add reference counting to metrics Andrey Konovalov reported crashes in ipv4_mtu() I could reproduce the issue with KASAN kernels, between 10.246.7.151 and 10.246.7.152 : 1) 20 concurrent netperf -t TCP_RR -H 10.246.7.152 -l 1000 & 2) At the same time run following loop : while : do ip ro add 10.246.7.152 dev eth0 src 10.246.7.151 mtu 1500 ip ro del 10.246.7.152 dev eth0 src 10.246.7.151 mtu 1500 done Cong Wang attempted to add back rt->fi in commit 82486aa6f1b9 ("ipv4: restore rt->fi for reference counting") but this proved to add some issues that were complex to solve. Instead, I suggested to add a refcount to the metrics themselves, being a standalone object (in particular, no reference to other objects) I tried to make this patch as small as possible to ease its backport, instead of being super clean. Note that we believe that only ipv4 dst need to take care of the metric refcount. But if this is wrong, this patch adds the basic infrastructure to extend this to other families. Many thanks to Julian Anastasov for reviewing this patch, and Cong Wang for his efforts on this problem. Fixes: 2860583fe840 ("ipv4: Kill rt->fi") Signed-off-by: Eric Dumazet Reported-by: Andrey Konovalov Reviewed-by: Julian Anastasov Acked-by: Cong Wang Signed-off-by: David S. Miller And then : commit 187e5b3ac84d3421d2de3aca949b2791fbcad554 Author: Eric Dumazet Date: Tue Aug 15 05:26:17 2017 -0700 ipv4: fix NULL dereference in free_fib_info_rcu() If fi->fib_metrics could not be allocated in fib_create_info() we attempt to dereference a NULL pointer in free_fib_info_rcu() : m = fi->fib_metrics; if (m != &dst_default_metrics && atomic_dec_and_test(&m->refcnt)) kfree(m); Before my recent patch, we used to call kfree(NULL) and nothing wrong happened. Instead of using RCU to defer freeing while we are under memory stress, it seems better to take immediate action. This was reported by syzkaller team. Fixes: 3fb07daff8e9 ("ipv4: add reference counting to metrics") Signed-off-by: Eric Dumazet Reported-by: Dmitry Vyukov Signed-off-by: David S. Miller