Received: by 2002:ac0:a5a6:0:0:0:0:0 with SMTP id m35-v6csp1820972imm; Mon, 3 Sep 2018 10:17:16 -0700 (PDT) X-Google-Smtp-Source: ANB0VdaEBlDb9hzTlI6vp/OZNUULEUAHgWsPAiNzXejOf9B6xGFpVKY3yIPjrccJFOBEXD3tfK7x X-Received: by 2002:a63:f111:: with SMTP id f17-v6mr26606883pgi.87.1535995036479; Mon, 03 Sep 2018 10:17:16 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1535995036; cv=none; d=google.com; s=arc-20160816; b=CI4QJyh0d0GXoezo3WQDNiuW2kDONadUvMkACvpD/ci5RhpuYFjbYZ8zRSRMXfjFvT +jLrE8u7PlyBvmCBNGMP40n6Ir3HA1XZlj7SoCU8Chw7mL68JdAYLMFx5WIBlRFl2299 tTjIWlNGBuT8uvPRlso6IedO82242s+sHZH+ZkYwOotjkV7dbePwsZhZ6JIIadDY/0Au TwvFfCJWUu/j7Z/u9A2CwtAfe8mTcA+Mb1mgJGZ1WgJRH2hgKiFSjaic6f6inxQsmBwF OssmWtKpCYLQ+Q4CB7UZW6TxHqX1FfHC5h/pfS0BaDy+InxsmkxuJfOk6C3nGqqRtI6c +BVA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:references :in-reply-to:message-id:date:subject:cc:to:from :arc-authentication-results; bh=W7iCrNo0WEToQ2nmCunHXQ+7gg2IlLAz1pCpjuopA74=; b=pt1SMWO9T3ZweGhq5Zmir2gJmU4FlZkugzQmo0aGW4xn6APPBBL4NilPkv3BxObLG+ HSGOLd7WCicV36g5w/hxSZl6M5QFuhvhrxQ/3x7dfb0+91LUYb8xd5DyxV5ohKXwnoSk Eewn7BDyz8TF6J6yXmiHPDEgnT6BhHoHKndRrD+rHkvheRFIyjcNp8j7qzxUEnQPD+3m 39+U2+F+8+piQkWqW8CkBwh2Jy8GcXLx3qZjBBD/Tim4Iv53cxmWoNWBIoSwvyX2xKkK WIL+z1nY66KUllJfzrGXAhsobf+4LmK8+UkGebVUgQ1+gzVIQnkxKQ/jvtAgEPwWJoo/ SKIQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id i5-v6si17300943pgg.84.2018.09.03.10.17.01; Mon, 03 Sep 2018 10:17:16 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729793AbeICVhD (ORCPT + 99 others); Mon, 3 Sep 2018 17:37:03 -0400 Received: from mail.linuxfoundation.org ([140.211.169.12]:42476 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727944AbeICVhC (ORCPT ); Mon, 3 Sep 2018 17:37:02 -0400 Received: from localhost (ip-213-127-74-90.ip.prioritytelecom.net [213.127.74.90]) by mail.linuxfoundation.org (Postfix) with ESMTPSA id D00A0D09; Mon, 3 Sep 2018 17:15:57 +0000 (UTC) From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Tommi Rantala , Steffen Klassert , Sasha Levin Subject: [PATCH 4.14 003/165] xfrm: fix missing dst_release() after policy blocking lbcast and multicast Date: Mon, 3 Sep 2018 18:54:49 +0200 Message-Id: <20180903165655.167770375@linuxfoundation.org> X-Mailer: git-send-email 2.18.0 In-Reply-To: <20180903165655.003605184@linuxfoundation.org> References: <20180903165655.003605184@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.14-stable review patch. If anyone has any objections, please let me know. ------------------ From: Tommi Rantala [ Upstream commit 8cc88773855f988d6a3bbf102bbd9dd9c828eb81 ] Fix missing dst_release() when local broadcast or multicast traffic is xfrm policy blocked. For IPv4 this results to dst leak: ip_route_output_flow() allocates dst_entry via __ip_route_output_key() and passes it to xfrm_lookup_route(). xfrm_lookup returns ERR_PTR(-EPERM) that is propagated. The dst that was allocated is never released. IPv4 local broadcast testcase: ping -b 192.168.1.255 & sleep 1 ip xfrm policy add src 0.0.0.0/0 dst 192.168.1.255/32 dir out action block IPv4 multicast testcase: ping 224.0.0.1 & sleep 1 ip xfrm policy add src 0.0.0.0/0 dst 224.0.0.1/32 dir out action block For IPv6 the missing dst_release() causes trouble e.g. when used in netns: ip netns add TEST ip netns exec TEST ip link set lo up ip link add dummy0 type dummy ip link set dev dummy0 netns TEST ip netns exec TEST ip addr add fd00::1111 dev dummy0 ip netns exec TEST ip link set dummy0 up ip netns exec TEST ping -6 -c 5 ff02::1%dummy0 & sleep 1 ip netns exec TEST ip xfrm policy add src ::/0 dst ff02::1 dir out action block wait ip netns del TEST After netns deletion we see: [ 258.239097] unregister_netdevice: waiting for lo to become free. Usage count = 2 [ 268.279061] unregister_netdevice: waiting for lo to become free. Usage count = 2 [ 278.367018] unregister_netdevice: waiting for lo to become free. Usage count = 2 [ 288.375259] unregister_netdevice: waiting for lo to become free. Usage count = 2 Fixes: ac37e2515c1a ("xfrm: release dst_orig in case of error in xfrm_lookup()") Signed-off-by: Tommi Rantala Signed-off-by: Steffen Klassert Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- net/xfrm/xfrm_policy.c | 3 +++ 1 file changed, 3 insertions(+) --- a/net/xfrm/xfrm_policy.c +++ b/net/xfrm/xfrm_policy.c @@ -2285,6 +2285,9 @@ struct dst_entry *xfrm_lookup_route(stru if (IS_ERR(dst) && PTR_ERR(dst) == -EREMOTE) return make_blackhole(net, dst_orig->ops->family, dst_orig); + if (IS_ERR(dst)) + dst_release(dst_orig); + return dst; } EXPORT_SYMBOL(xfrm_lookup_route);