Subject: Re: [PATCH] ipv4: Delete uncached routes upon unregistration of loopback device.
To: Tetsuo Handa, "David S. Miller"
Cc: David Ahern, Eric Dumazet, Julian Anastasov, Cong Wang, syzbot, ddstreet@ieee.org, dvyukov@google.com, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, syzkaller-bugs@googlegroups.com, Linus Torvalds, Mahesh Bandewar
From: Eric Dumazet
Date: Sat, 4 May 2019 11:56:38 -0400

On 5/4/19 10:52 AM, Tetsuo Handa wrote:
> syzbot is hitting infinite loop when a loopback device in a namespace is
> unregistered [1]. This is because rt_flush_dev() is moving the refcount of
> "any device to unregister" to "a loopback device in that namespace" but
> nobody can drop the refcount moved from non loopback devices when the
> loopback device in that namespace is unregistered.
>
> This behavior was introduced by commit caacf05e5ad1abf0 ("ipv4: Properly
> purge netdev references on uncached routes.") but there is no description
> why we have to temporarily move the refcount to "a loopback device in that
> namespace" and why it is safe to do so, for rt_flush_dev() becomes a no-op
> when "a loopback device in that namespace" is about to be unregistered.
>
> Since I don't know the reason, this patch breaks the infinite loop by
> deleting the uncached route (which eventually drops the refcount via
> dst_destroy()) when "a loopback device in that namespace" is unregistered
> rather than when "non-loopback devices in that namespace" is unregistered.

Well, you have not fixed a bug, you simply made sure that whatever cpu is using the routes you forcibly deleted is going to crash the host very soon (use-after-frees have undefined behavior, but KASAN should crash most of the time).

Please do not send patches like that with a huge CC list, keep networking patches to netdev mailing list.

Mahesh has an alternative patch, adding a fake device that can not be dismantled to make sure we fully intercept skbs sent through a dead route, instead of relying on loopback dropping them later at some point.
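
The refcount movement discussed in this thread, as an added example that is not part of the original e-mail and is not kernel code: a simplified userspace model of the behaviour described for rt_flush_dev(), comparing the namespace's loopback device as the reference sink with a device that is never unregistered. All struct and function names (`dev`, `route`, `flush_dev`, `teardown_completes`) are assumptions made for illustration.

```c
#include <stdio.h>
#include <stddef.h>

/* Simplified userspace model; every name here is hypothetical. */
struct dev { int refcnt; };
struct route { struct dev *dev; };      /* an uncached route pins its device */

static void hold(struct dev *d) { d->refcnt++; }
static void put(struct dev *d)  { d->refcnt--; }

/* Re-point routes that use the unregistering device at `sink`, moving the
 * reference with them. When dev == sink there is nowhere to move it. */
static void flush_dev(struct route *rts, size_t n, struct dev *dev,
                      struct dev *sink)
{
    if (dev == sink)
        return;
    for (size_t i = 0; i < n; i++) {
        if (rts[i].dev != dev)
            continue;
        rts[i].dev = sink;
        hold(sink);
        put(dev);
    }
}

/* Tear down a namespace with eth0 and lo while one route on eth0 is still
 * in use. Returns 1 if both devices end with no references, 0 if one is
 * left pinned (the unregister wait would never finish). */
static int teardown_completes(int use_fake_sink)
{
    struct dev eth0 = {0}, lo = {0}, fake = {0};   /* fake: never unregistered */
    struct dev *sink = use_fake_sink ? &fake : &lo;
    struct route rts[1] = { { &eth0 } };

    hold(&eth0);                        /* reference owned by the live route */
    flush_dev(rts, 1, &eth0, sink);     /* eth0 is unregistered first */
    flush_dev(rts, 1, &lo, sink);       /* then lo */
    return eth0.refcnt == 0 && lo.refcnt == 0;
}

int main(void)
{
    printf("sink = lo:   completes = %d\n", teardown_completes(0));
    printf("sink = fake: completes = %d\n", teardown_completes(1));
    return 0;
}
```

In both cases the route object stays allocated for whoever is still using it; only the device it pins changes, which is why the model never frees the route.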