Received: by 10.223.185.116 with SMTP id b49csp4152705wrg;
        Mon, 19 Feb 2018 12:07:11 -0800 (PST)
X-Google-Smtp-Source: AH8x226hTQwT6d4h9te9sc+q0jK/bRXgkz4jGZcjASs3AUm/4d9Cmj/c8KGwr55jgiOrQegO1vh1
X-Received: by 10.98.60.144 with SMTP id b16mr15229259pfk.61.1519070831458;
        Mon, 19 Feb 2018 12:07:11 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1519070831; cv=none;
        d=google.com; s=arc-20160816;
        b=HATIM0dVKVgeY2WNFfECaN39h8izv1ISMtgoXfjI8VeXz7HE8ZFpe6s3M5/7uHmYnE
         0aCmpbZpn8xoXctguyX+rZzvs7duvjTAjn+y1ZwaBItlfuic4LoPdCS6YHg+0D5NvBEi
         reeF1JkfwoCYcI9Fn3AaQ066gO6wLfx86OvRylQXfxgFT51ofJ+ENblbw7QTuxfr5+a5
         qDsubnmjcUzqCAxsKUNeINc6peY7fL3aJCt+o33lQ0/TckXM5TJYSzRJ9TCqlTpzASaa
         JJACTOqJUJ5ckuTn6mjCzj1xjDkp55tEP1JAaTow3U5qNHoHQi3suSg5MgdU+RTcHzGO
         MVew==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :references:in-reply-to:mime-version:dkim-signature
         :arc-authentication-results;
        bh=AXiRN/ZojQ8ULmzhxuCartAuo0trE7Et/TgeSpQdHS0=;
        b=BO/I0jV1fkKFZv9qlbJWUsJuJUM6b4SjvX+LjFH/Xqm0/AZgfyy7wzj5IrYf86+sbD
         o9A9+0DY1+y+ey6y/XnhAxRGWUlZdloUZR0nDlyQWFL7nub9oPNmmTe3BIPex0RGmry2
         BT79CMRh1KLVmZwKfc833rdPy24Mu6p27vQBeYqXP+TjxLC7OeAIsP+afxBVmBUBp0oX
         KM0FRW47CI65NnmFZ4lyYDpJQYl+/AbXuJ0tgYUBOfaDeDTl/m/wyjTo1z0vx0dAbW0+
         jHDVCSbZGmh0QFiJ+D5aKu6mmiWK52yDrKHfIvl5EY5vD9DnUhrPaxLKUUZTA+miFls/
         6WXQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b=j8x04ENk;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id p5-v6si4870753plo.32.2018.02.19.12.06.57;
        Mon, 19 Feb 2018 12:07:11 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b=j8x04ENk;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S932102AbeBSUGX (ORCPT <rfc822;yuankui.zhao@gmail.com>
        + 99 others); Mon, 19 Feb 2018 15:06:23 -0500
Received: from mail-wm0-f67.google.com ([74.125.82.67]:36604 "EHLO
        mail-wm0-f67.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1753609AbeBSUGW (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 19 Feb 2018 15:06:22 -0500
Received: by mail-wm0-f67.google.com with SMTP id f3so17268910wmc.1
        for <linux-kernel@vger.kernel.org>; Mon, 19 Feb 2018 12:06:21 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20161025;
        h=mime-version:in-reply-to:references:from:date:message-id:subject:to
         :cc;
        bh=AXiRN/ZojQ8ULmzhxuCartAuo0trE7Et/TgeSpQdHS0=;
        b=j8x04ENkLLqZdpk6eZ6pXz+Next8qeOGhBVWYns3OpwGX6X32IW4OHEaUJM38nvQva
         mC0VCXiOjeym/xOg7lrrEjWD56HyY172rkxjGIpCynOLh/IFmdcpV7jxTA7wPb//FQwy
         xtT3w5LI1abH1j13gBUsUamaDqT1NgW7rWb3ZzE+xzCsrxQU+0gzXgwmJxl02f916uSz
         ZWtc6FOK7Ad9cuAaso0OCgXMbYQrwKHADqnlb1DELHgZDGNh1Re2EhS4SfTFnwxA2T7q
         FlaK9arXl7dJqv4hGL7hcc62gM2mBR1UMPR6Yprl26/n0ORO7EW41RShMowlbXpcJqWb
         lIzw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:in-reply-to:references:from:date
         :message-id:subject:to:cc;
        bh=AXiRN/ZojQ8ULmzhxuCartAuo0trE7Et/TgeSpQdHS0=;
        b=h/uYXDnXMLPtHvm71mfadnWP9z3R4N75bCb5mNq3vuVmRYet+x8owdvVtomq26gdV4
         AjFgUe2JkHQ/zH6T0W5JWvBJcUoJJwa6bJ3zsnSk2ePlr7wBh1xGYrV0n6f5MXl1hYZ5
         j7adPjqn2lezuOgjYkPKtYe00LXTcR5dfg3FUOZStjVaB+XFi60ZEhbnXwni+ABwJp3H
         VwUDnGqgRg/1QuTVf+yCCLzY4uIS+P2N8vKVQjzLrW3zbdKFBN6D3c/QbOm+HsdbU5/G
         rMruc2FZjMyBsT9YNYN8O0zovgonRWjL30qvn/aHtrz1QpuMxvxdFspXnIVIA25U0o3t
         4STw==
X-Gm-Message-State: APf1xPAQm8kKgaMt8VNEsjmBT4sS7XtGPo/Aedt8CjcWkwoL0rGGfTN9
        NwHnsqwZD5Mr3xHlgx6asj47kLMgzhm5iAe8mVDsgA==
X-Received: by 10.28.9.18 with SMTP id 18mr12008263wmj.37.1519070780495; Mon,
 19 Feb 2018 12:06:20 -0800 (PST)
MIME-Version: 1.0
Received: by 10.28.147.15 with HTTP; Mon, 19 Feb 2018 12:06:19 -0800 (PST)
In-Reply-To: <1519069941.3422.65.camel@codethink.co.uk>
References: <20180129123847.507563674@linuxfoundation.org> <20180129123850.261403857@linuxfoundation.org>
 <1519069573.3422.63.camel@codethink.co.uk> <1519069941.3422.65.camel@codethink.co.uk>
From:   Eric Dumazet <edumazet@google.com>
Date:   Mon, 19 Feb 2018 12:06:19 -0800
Message-ID: <CANn89iL=8vgByOoJ5bbFVF+DJN2-QrMn4ihE6cM42WaSxSwz4Q@mail.gmail.com>
Subject: Re: [PATCH 4.4 60/74] ipv6: fix udpv6 sendmsg crash caused by too
 small MTU
To:     Ben Hutchings <ben.hutchings@codethink.co.uk>
Cc:     Mike Maloney <maloney@google.com>, stable@vger.kernel.org,
        syzbot <syzkaller@googlegroups.com>,
        "David S. Miller" <davem@davemloft.net>,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        LKML <linux-kernel@vger.kernel.org>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Feb 19, 2018 at 11:52 AM, Ben Hutchings
<ben.hutchings@codethink.co.uk> wrote:
> On Mon, 2018-02-19 at 20:46 +0100, Ben Hutchings wrote:
>> On Mon, 2018-01-29 at 13:57 +0100, Greg Kroah-Hartman wrote:
>> > 4.4-stable review patch.  If anyone has any objections, please let me know.
>> >
>> > ------------------
>> >
>> > From: Mike Maloney <maloney@google.com>
>> >
>> >
>> > [ Upstream commit 749439bfac6e1a2932c582e2699f91d329658196 ]
>>
>> [...]
>> > --- a/net/ipv6/ip6_output.c
>> > +++ b/net/ipv6/ip6_output.c
>> > @@ -1246,14 +1246,16 @@ static int ip6_setup_cork(struct sock *s
>> >     v6_cork->tclass = tclass;
>> >     if (rt->dst.flags & DST_XFRM_TUNNEL)
>> >             mtu = np->pmtudisc >= IPV6_PMTUDISC_PROBE ?
>> > -                 rt->dst.dev->mtu : dst_mtu(&rt->dst);
>> > +                 READ_ONCE(rt->dst.dev->mtu) : dst_mtu(&rt->dst);
>> >     else
>> >             mtu = np->pmtudisc >= IPV6_PMTUDISC_PROBE ?
>> > -                 rt->dst.dev->mtu : dst_mtu(rt->dst.path);
>> > +                 READ_ONCE(rt->dst.dev->mtu) : dst_mtu(rt->dst.path);
>> >     if (np->frag_size < mtu) {
>> >             if (np->frag_size)
>> >                     mtu = np->frag_size;
>> >     }
>> > +   if (mtu < IPV6_MIN_MTU)
>> > +           return -EINVAL;
>>
>> This error path appears to leak a reference to rt->dst.
>
> Never mind, I see that the callers release it.

Yes, I agree this is quite confusing :/