Received: by 2002:ac0:a5a6:0:0:0:0:0 with SMTP id m35-v6csp1806192imm; Mon, 3 Sep 2018 09:55:58 -0700 (PDT) X-Google-Smtp-Source: ANB0Vdae9odc3U3XAR3aZt6+qUtr/O0TJVg+JLYcg8j6MZgunPluXjYzn6TH/qgfdMpeBOasyQp+ X-Received: by 2002:a62:5882:: with SMTP id m124-v6mr30385974pfb.249.1535993758094; Mon, 03 Sep 2018 09:55:58 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1535993758; cv=none; d=google.com; s=arc-20160816; b=ZEteIGsB4t8M+C/jtckdbauLPFTjLbwH4idL/SiXYnpSFkEo3vHYPU3ucPm/I1pZcf +aKlhHynquBFd425xspBqeAICj1VxFPwLMx/CQNJTFaZgSTBPU7kRTyczXJeP4XHB5rt eQEY0MTuT7+REE2cR2J6JM7e8VnGdWqFRia49ln+nhuFi1eUH8fE1LMEvEvDkAegvvvG /2h+b0nqVU7MTC7i6eDKxGANc7lnk/yOzZ+A28H0c9r1iXeBn5iWLx6eqVzv1eqUFqq0 T0/j3zCYqvJG/de5ZjVmg0QQjr77QgzOIQxR6cunHjzmIUrQSIvhvsTTghbGGn+Z5Kd1 ZkSg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:references :in-reply-to:message-id:date:subject:cc:to:from :arc-authentication-results; bh=SNPLyTbMGjo0+rC02+L/Zviym6r9MS7kJ/CgYIvBVQQ=; b=02CXQq6LWaBXtsP5lChvYNyEqAGkCbKG2kVLaOn7k/UFkWd3Xf4Zzrlnj/vYlbWWOu 5QTKWygcjQXcqiWEHy7B6YnrhyZlOfurXqS2xoe9TVuqfUKw9MkO7jXapJDZ73QywhsF WHfId3HIjOe7f534z2b09qTOKKxUj2GOyQqJJ0FlVULP9n0AI72e05P6BTI9ABUhiwpp lbvxYVVSdhuTJkB7b2tfD635oZRi63skgc3NWxDlL7ZnpiGE24BxOxNBLcly1GJtq4is 3TV9fdexe/Jbs/4XhWGTl4/7V9GSvuJHu8MWV54kyNwQt+shOUE74ARJQmfGytYUXAad xRlQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id p32-v6si18665796pgb.198.2018.09.03.09.55.43; Mon, 03 Sep 2018 09:55:58 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728894AbeICVOs (ORCPT + 99 others); Mon, 3 Sep 2018 17:14:48 -0400 Received: from mail.linuxfoundation.org ([140.211.169.12]:38210 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727861AbeICVOs (ORCPT ); Mon, 3 Sep 2018 17:14:48 -0400 Received: from localhost (ip-213-127-74-90.ip.prioritytelecom.net [213.127.74.90]) by mail.linuxfoundation.org (Postfix) with ESMTPSA id A250BCF8; Mon, 3 Sep 2018 16:53:50 +0000 (UTC) From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Tommi Rantala , Steffen Klassert , Sasha Levin Subject: [PATCH 4.4 04/80] xfrm: fix missing dst_release() after policy blocking lbcast and multicast Date: Mon, 3 Sep 2018 18:48:42 +0200 Message-Id: <20180903164934.345950804@linuxfoundation.org> X-Mailer: git-send-email 2.18.0 In-Reply-To: <20180903164934.171677301@linuxfoundation.org> References: <20180903164934.171677301@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.4-stable review patch. If anyone has any objections, please let me know. ------------------ From: Tommi Rantala [ Upstream commit 8cc88773855f988d6a3bbf102bbd9dd9c828eb81 ] Fix missing dst_release() when local broadcast or multicast traffic is xfrm policy blocked. For IPv4 this results to dst leak: ip_route_output_flow() allocates dst_entry via __ip_route_output_key() and passes it to xfrm_lookup_route(). xfrm_lookup returns ERR_PTR(-EPERM) that is propagated. The dst that was allocated is never released. IPv4 local broadcast testcase: ping -b 192.168.1.255 & sleep 1 ip xfrm policy add src 0.0.0.0/0 dst 192.168.1.255/32 dir out action block IPv4 multicast testcase: ping 224.0.0.1 & sleep 1 ip xfrm policy add src 0.0.0.0/0 dst 224.0.0.1/32 dir out action block For IPv6 the missing dst_release() causes trouble e.g. when used in netns: ip netns add TEST ip netns exec TEST ip link set lo up ip link add dummy0 type dummy ip link set dev dummy0 netns TEST ip netns exec TEST ip addr add fd00::1111 dev dummy0 ip netns exec TEST ip link set dummy0 up ip netns exec TEST ping -6 -c 5 ff02::1%dummy0 & sleep 1 ip netns exec TEST ip xfrm policy add src ::/0 dst ff02::1 dir out action block wait ip netns del TEST After netns deletion we see: [ 258.239097] unregister_netdevice: waiting for lo to become free. Usage count = 2 [ 268.279061] unregister_netdevice: waiting for lo to become free. Usage count = 2 [ 278.367018] unregister_netdevice: waiting for lo to become free. Usage count = 2 [ 288.375259] unregister_netdevice: waiting for lo to become free. Usage count = 2 Fixes: ac37e2515c1a ("xfrm: release dst_orig in case of error in xfrm_lookup()") Signed-off-by: Tommi Rantala Signed-off-by: Steffen Klassert Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- net/xfrm/xfrm_policy.c | 3 +++ 1 file changed, 3 insertions(+) --- a/net/xfrm/xfrm_policy.c +++ b/net/xfrm/xfrm_policy.c @@ -2326,6 +2326,9 @@ struct dst_entry *xfrm_lookup_route(stru if (IS_ERR(dst) && PTR_ERR(dst) == -EREMOTE) return make_blackhole(net, dst_orig->ops->family, dst_orig); + if (IS_ERR(dst)) + dst_release(dst_orig); + return dst; } EXPORT_SYMBOL(xfrm_lookup_route);