Date: Wed, 1 Aug 2018 21:26:39 +0200
From: Sabrina Dubroca
To: David Miller
Cc: xiyou.wangcong@gmail.com, eric.dumazet@gmail.com, syzbot+41f9c04b50ef70c66947@syzkaller.appspotmail.com, christian.brauner@ubuntu.com, dsahern@gmail.com, fw@strlen.de, jbenc@redhat.com, ktkhai@virtuozzo.com, linux-kernel@vger.kernel.org, lucien.xin@gmail.com, netdev@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: Re: KASAN: use-after-free Read in rtnetlink_put_metrics
Message-ID: <20180801192639.GA30287@bistromath.localdomain>
References: <20180731134014.GA32114@bistromath.localdomain> <20180801.114636.279269263935333136.davem@davemloft.net>
In-Reply-To: <20180801.114636.279269263935333136.davem@davemloft.net>
X-Mailing-List: linux-kernel@vger.kernel.org

2018-08-01, 11:46:36 -0700, David Miller wrote:
> From: Cong Wang
> Date: Tue, 31 Jul 2018 16:03:13 -0700
>
> > Looks like this commit is completely unnecessary,
> > fib6_drop_pcpu_from() calls fib6_info_release()
> > which calls fib6_info_destroy_rcu(), so this metrics
> > will be released twice...
>
> And even if there was a leak here, it's illegal to free this
> metrics memory synchronously since it is RCU protected.

Yeah, I noticed that today, but I don't think that's the problem we're
seeing here.

> That's why it normally goes through fib6_info_destroy_rcu().
>
> Sabrina, I'm going to revert your changes unless I see some
> progress here by the end of today.

Yeah, I'm fine with a revert, we can fix the leak later.

syzbot hasn't found a reproducer so I'm not sure it's the same issue, but
I ran into this: we can create a route, start using it, and then give it
some metrics. In that case, we'll hit rt6_set_from() with the default
metrics, so we don't refcount them. Then fib6_metric_set() will assign
the new metrics to the parent route. Then fib6_drop_pcpu_from will see
that the parent route has non-default metrics, and try to release this,
but the percpu copy doesn't actually hold a reference.

Bandaid would be to put a DST_METRICS_REFCOUNTED check in
fib6_drop_pcpu_from(). Looking at rt6_set_from(), it seems we can also
do dst_init_metrics with the old metrics, then refcount the new metrics.
And I'm not sure whether the refcount_set in fib6_metric_set() can't be
reordered so that rt6_set_from() might see the new metrics pointer,
increment the refcount, then fib6_metric_set() would do its refcount_set,
stepping over the previous increment.

-- 
Sabrina
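Added example, not part of this thread and not the kernel's code: a user-space C model of the reference-count imbalance described in the message above (route used first, metrics attached later, percpu copy dropped, parent released). The names struct route, pcpu_set_from(), route_set_metrics(), drop_pcpu_from_buggy(), drop_pcpu_from_fixed() and METRICS_REFCOUNTED are hypothetical stand-ins for rt6_set_from(), fib6_metric_set(), fib6_drop_pcpu_from() and DST_METRICS_REFCOUNTED. A "freed" flag replaces real freeing so that the late put the message predicts is observable as a counter rather than as undefined behaviour. The "fixed" variant is the bandaid from the message: release only a reference the percpu copy itself holds.

```c
/* Hypothetical model of the fib6 metrics refcount imbalance; not kernel code. */
#include <stdio.h>

#define METRICS_REFCOUNTED 0x1          /* stand-in for DST_METRICS_REFCOUNTED */

struct metrics {
    int refcnt;
    int freed;                          /* set instead of really freeing */
    unsigned long mtu;
};

/* Shared, never-refcounted default block (plays the role of dst_default_metrics). */
static struct metrics default_metrics = { 0, 0, 1500 };

struct route {
    struct metrics *metrics;
    unsigned long flags;                /* METRICS_REFCOUNTED: this route holds a ref */
    struct route *from;                 /* percpu copy -> parent route */
};

/* Bookkeeping the scenarios check: blocks freed, and puts on an already-freed
 * block (the condition KASAN would report as a use-after-free). */
static int frees, use_after_free;
static struct metrics pool[4];
static int pool_used;

static struct metrics *metrics_new(unsigned long mtu)
{
    struct metrics *m = &pool[pool_used++ % 4];
    m->refcnt = 1;
    m->freed = 0;
    m->mtu = mtu;
    return m;
}

static void metrics_put(struct metrics *m)
{
    if (m == &default_metrics)
        return;
    if (m->freed) {                     /* touching freed memory */
        use_after_free++;
        return;
    }
    if (--m->refcnt == 0) {
        m->freed = 1;
        frees++;
    }
}

/* Model of rt6_set_from(): the percpu copy inherits the parent's metrics
 * pointer and takes a reference only if those metrics are refcounted. */
static void pcpu_set_from(struct route *pcpu, struct route *parent)
{
    pcpu->from = parent;
    pcpu->metrics = parent->metrics;
    pcpu->flags = 0;
    if (parent->flags & METRICS_REFCOUNTED) {
        parent->metrics->refcnt++;
        pcpu->flags |= METRICS_REFCOUNTED;
    }
}

/* Model of fib6_metric_set(): the parent gets a fresh refcounted block;
 * percpu copies made earlier still point at the old default block. */
static void route_set_metrics(struct route *parent, unsigned long mtu)
{
    struct metrics *m = metrics_new(mtu);
    if (parent->flags & METRICS_REFCOUNTED)
        metrics_put(parent->metrics);
    parent->metrics = m;
    parent->flags |= METRICS_REFCOUNTED;
}

/* Behaviour described in the message: decide from the PARENT's flags and
 * drop a reference the percpu copy never took. */
static void drop_pcpu_from_buggy(struct route *pcpu)
{
    struct route *parent = pcpu->from;
    if (parent->flags & METRICS_REFCOUNTED)
        metrics_put(parent->metrics);
    pcpu->from = NULL;
}

/* The bandaid: only put a reference the percpu copy itself holds. */
static void drop_pcpu_from_fixed(struct route *pcpu)
{
    if (pcpu->flags & METRICS_REFCOUNTED)
        metrics_put(pcpu->metrics);
    pcpu->from = NULL;
}

/* One lifecycle. metrics_first = 0 is the ordering from the message (route
 * used before it gets metrics). Returns 1 if the heap block was freed exactly
 * once with no use-after-free, else 0. */
static int run_scenario(void (*drop)(struct route *), int metrics_first)
{
    struct route parent = { &default_metrics, 0, NULL };
    struct route pcpu;

    frees = use_after_free = 0;
    if (metrics_first)
        route_set_metrics(&parent, 1400);
    pcpu_set_from(&pcpu, &parent);          /* start using the route */
    if (!metrics_first)
        route_set_metrics(&parent, 1400);   /* metrics attached afterwards */
    drop(&pcpu);                            /* percpu copy goes away */
    if (parent.flags & METRICS_REFCOUNTED)  /* parent goes away */
        metrics_put(parent.metrics);
    return frees == 1 && use_after_free == 0;
}

int main(void)
{
    printf("buggy, metrics after use:  %s\n", run_scenario(drop_pcpu_from_buggy, 0) ? "ok" : "BROKEN");
    printf("fixed, metrics after use:  %s\n", run_scenario(drop_pcpu_from_fixed, 0) ? "ok" : "BROKEN");
    printf("buggy, metrics before use: %s\n", run_scenario(drop_pcpu_from_buggy, 1) ? "ok" : "BROKEN");
    return 0;
}
```

The third scenario shows why the ordering matters: when the route already has refcounted metrics before any percpu copy exists, the copy does take a reference and even the buggy release balances out, which is consistent with syzbot not having a simple reproducer for this path.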