From: Ben Hutchings
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
CC: akpm@linux-foundation.org, "Steffen Klassert", "Tommi Rantala"
Date: Sun, 11 Nov 2018 19:49:05 +0000
Subject: [PATCH 3.16 192/366] xfrm: fix missing dst_release() after policy blocking lbcast and multicast

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Tommi Rantala

commit 8cc88773855f988d6a3bbf102bbd9dd9c828eb81 upstream.

Fix missing dst_release() when local broadcast or multicast traffic is
xfrm policy blocked.

For IPv4 this results to dst leak: ip_route_output_flow() allocates
dst_entry via __ip_route_output_key() and passes it to
xfrm_lookup_route(). xfrm_lookup returns ERR_PTR(-EPERM) that is
propagated. The dst that was allocated is never released.

IPv4 local broadcast testcase:
 ping -b 192.168.1.255 &
 sleep 1
 ip xfrm policy add src 0.0.0.0/0 dst 192.168.1.255/32 dir out action block

IPv4 multicast testcase:
 ping 224.0.0.1 &
 sleep 1
 ip xfrm policy add src 0.0.0.0/0 dst 224.0.0.1/32 dir out action block

For IPv6 the missing dst_release() causes trouble e.g. when used in netns:
 ip netns add TEST
 ip netns exec TEST ip link set lo up
 ip link add dummy0 type dummy
 ip link set dev dummy0 netns TEST
 ip netns exec TEST ip addr add fd00::1111 dev dummy0
 ip netns exec TEST ip link set dummy0 up
 ip netns exec TEST ping -6 -c 5 ff02::1%dummy0 &
 sleep 1
 ip netns exec TEST ip xfrm policy add src ::/0 dst ff02::1 dir out action block
 wait
 ip netns del TEST

After netns deletion we see:
[  258.239097] unregister_netdevice: waiting for lo to become free. Usage count = 2
[  268.279061] unregister_netdevice: waiting for lo to become free. Usage count = 2
[  278.367018] unregister_netdevice: waiting for lo to become free. Usage count = 2
[  288.375259] unregister_netdevice: waiting for lo to become free. Usage count = 2

Fixes: ac37e2515c1a ("xfrm: release dst_orig in case of error in xfrm_lookup()")
Signed-off-by: Tommi Rantala
Signed-off-by: Steffen Klassert
Signed-off-by: Ben Hutchings
---
 net/xfrm/xfrm_policy.c | 3 +++
 1 file changed, 3 insertions(+)

--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -2176,6 +2176,9 @@ struct dst_entry *xfrm_lookup_route(stru if (IS_ERR(dst) && PTR_ERR(dst) == -EREMOTE) return make_blackhole(net, dst_orig->ops->family, dst_orig); + if (IS_ERR(dst)) + dst_release(dst_orig); + return dst; } EXPORT_SYMBOL(xfrm_lookup_route);
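
Review bot: The new IS_ERR(dst) check in xfrm_lookup_route() sits after the -EREMOTE test with no comment on why that order matters. In the -EREMOTE case dst_orig is handed to make_blackhole(), so releasing it ahead of that test would drop a reference the blackhole path still uses. A one-line comment above the check, saying that dst_orig is released here for every remaining error and that the blackhole case is excluded because it takes dst_orig, would keep a later reorder from turning this into a double release. Separately, the commit message describes only -EPERM from a block policy while the check covers every error return, and the Fixes: tag names a commit that releases dst_orig on error in xfrm_lookup(), so for the 3.16 backport it is worth confirming that no error path in xfrm_lookup() already drops this reference.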
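
The reference ownership rule the commit message describes, as an added user-space model (not kernel code and not part of the patch). The names dst_get_new, dst_put, lookup_route, leaked_refs and the verdict enum are hypothetical, and the model assumes the blackhole path consumes dst_orig.

```c
/* User-space model of dst reference ownership; not kernel code. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

struct dst { int refcnt; };              /* stand-in for struct dst_entry */
enum verdict { ALLOW, BLOCK, LARVAL };   /* hypothetical policy outcomes */
static int live_refs;                    /* references not yet released */

static struct dst *dst_get_new(void) {
    struct dst *d = calloc(1, sizeof(*d));
    if (!d) abort();
    d->refcnt = 1;                       /* the allocator's caller holds it */
    live_refs++;
    return d;
}

static void dst_put(struct dst *d) {
    live_refs--;
    if (--d->refcnt == 0) free(d);
}

/* Models xfrm_lookup_route(): takes over the caller's reference on dst_orig. */
static int lookup_route(struct dst *dst_orig, enum verdict v, int fixed,
                        struct dst **out) {
    *out = NULL;
    if (v == LARVAL) {                   /* -EREMOTE: blackhole replaces dst_orig */
        *out = dst_get_new();
        dst_put(dst_orig);               /* assumed: blackhole path consumes it */
        return 0;
    }
    if (v == BLOCK) {                    /* -EPERM from a block policy */
        if (fixed) dst_put(dst_orig);    /* the release the patch adds */
        return -EPERM;
    }
    *out = dst_orig;                     /* success: reference moves to caller */
    return 0;
}

/* Models the caller: allocate, look up, propagate errors without cleanup. */
static int leaked_refs(enum verdict v, int fixed) {
    struct dst *out;
    live_refs = 0;
    if (lookup_route(dst_get_new(), v, fixed, &out) == 0)
        dst_put(out);                    /* normal user drops its reference */
    return live_refs;
}

int main(void) {
    printf("block, before fix: %d leaked\n", leaked_refs(BLOCK, 0));
    printf("block, after fix:  %d leaked\n", leaked_refs(BLOCK, 1));
    return 0;
}
```

In the model only the blocked path changes with the fix; the allow and blackhole paths balance their references either way, which is why the added release belongs after the -EREMOTE test.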