Received: by 2002:a25:d7c1:0:0:0:0:0 with SMTP id o184csp2744485ybg; Mon, 28 Oct 2019 01:27:49 -0700 (PDT) X-Google-Smtp-Source: APXvYqxPEgjayuyhEqOJgq73MSsR8vnvsqclDjL+BOWXzuN+9LB85TNOfeQFS4Gfzar/9SKkWi1S X-Received: by 2002:a17:906:9504:: with SMTP id u4mr14807296ejx.317.1572251269880; Mon, 28 Oct 2019 01:27:49 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1572251269; cv=none; d=google.com; s=arc-20160816; b=0mBScEPuDQv5ygEYeB47PgLLEzAg6U3FEo5f0zpiVPEsN7AxghApZNmwJlvW/x7wli EzGbOVDuoZUS4ftOqloajH7/G6wlQ18W7jkJeJ73PhH0o//hn20aoddear/sevHBscM5 Q2fafR0V8kx2fSlnXmVoNJiuU2SlT/2Iz3rrXKveqYwh/mL7yMxVC5Cr7CJ5BEBzCYzm qMmk6pDInrfa+duEgVzpCYA/YY7r2k+G0my056gOXQKTL8S5P4KxLV8GvTgU7YRmux7v usqpVLXSZJPpVfem1XxbPTtFPLSzad9yLu5dHiYp8ZyATlvfKZfAIwf9kf3F7CVSKRVP Xydw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=HSKnGQOh97t3cWsQZOZwupMOMZvdw9bP+d7LqM39Sx8=; b=UDsS5bsUhf8LoGfpFD4Ms+PcIWexkRT2mLOHEKsp4MOcecNHmGe1DIj35uOVYHVZPl 6XWQs8Y/OZ2MxEk4s65/VwPXu6YTFgYCkOOHgF3qRyQh7wjYgQw79P3Dke0cs4LBkWdt x7UoFX5vFZma2arHBesNQ1JWkM3H2clO68AFkty300WNIwr6qgB+aqQJyOKLdEBF4E+e 0zoJho5uIPbqH6Nl+O6DZIPgTcizt3XwmiwaGWo4bU+dNfJB1fnuq8bTqFQyhwOu4vtu 2qyJ9lzOm275/LxHFGOa0Mzx78xlNpRrHyAIowqp6YQ0bhN/7JyaHIfaLXQSv2MecY3q dnfQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=JaGPUeM7; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id d24si7171170eda.162.2019.10.28.01.27.26; Mon, 28 Oct 2019 01:27:49 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=JaGPUeM7; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731646AbfJ0VUM (ORCPT + 99 others); Sun, 27 Oct 2019 17:20:12 -0400 Received: from mail.kernel.org ([198.145.29.99]:40626 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1731622AbfJ0VUK (ORCPT ); Sun, 27 Oct 2019 17:20:10 -0400 Received: from localhost (100.50.158.77.rev.sfr.net [77.158.50.100]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 4FC9F205C9; Sun, 27 Oct 2019 21:20:08 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1572211208; bh=x/NA11M+lOlNuOhGp8WHw4vTofgmxvwg0WMPXF6S4Zg=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=JaGPUeM75Kkmk1P6CzyaeadUECSTMWqmBNyEVoerOw5Sl1xhHHnAJQLTo33GWA3uv mwoEQ8mxB6m7kXE5tdACuzjp3RlqiJUSWHOwINwxgskGYgngX+C5VSSN7fm2cLG2q7 N4HrKx42O12Az5OQzCh7shm/QVdJPhAQg0dQ+q2A= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Wei Wang , Ido Schimmel , Jesse Hathaway , Martin KaFai Lau , David Ahern , Ido Schimmel , "David S. Miller" Subject: [PATCH 5.3 069/197] ipv4: fix race condition between route lookup and invalidation Date: Sun, 27 Oct 2019 21:59:47 +0100 Message-Id: <20191027203355.379557651@linuxfoundation.org> X-Mailer: git-send-email 2.23.0 In-Reply-To: <20191027203351.684916567@linuxfoundation.org> References: <20191027203351.684916567@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Wei Wang [ Upstream commit 5018c59607a511cdee743b629c76206d9c9e6d7b ] Jesse and Ido reported the following race condition: - Received packet A is forwarded and cached dst entry is taken from the nexthop ('nhc->nhc_rth_input'). Calls skb_dst_set() - Given Jesse has busy routers ("ingesting full BGP routing tables from multiple ISPs"), route is added / deleted and rt_cache_flush() is called - Received packet B tries to use the same cached dst entry from t0, but rt_cache_valid() is no longer true and it is replaced in rt_cache_route() by the newer one. This calls dst_dev_put() on the original dst entry which assigns the blackhole netdev to 'dst->dev' - dst_input(skb) is called on packet A and it is dropped due to 'dst->dev' being the blackhole netdev There are 2 issues in the v4 routing code: 1. A per-netns counter is used to do the validation of the route. That means whenever a route is changed in the netns, users of all routes in the netns needs to redo lookup. v6 has an implementation of only updating fn_sernum for routes that are affected. 2. When rt_cache_valid() returns false, rt_cache_route() is called to throw away the current cache, and create a new one. This seems unnecessary because as long as this route does not change, the route cache does not need to be recreated. To fully solve the above 2 issues, it probably needs quite some code changes and requires careful testing, and does not suite for net branch. So this patch only tries to add the deleted cached rt into the uncached list, so user could still be able to use it to receive packets until it's done. Fixes: 95c47f9cf5e0 ("ipv4: call dst_dev_put() properly") Signed-off-by: Wei Wang Reported-by: Ido Schimmel Reported-by: Jesse Hathaway Tested-by: Jesse Hathaway Acked-by: Martin KaFai Lau Cc: David Ahern Reviewed-by: Ido Schimmel Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman --- net/ipv4/route.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/net/ipv4/route.c +++ b/net/ipv4/route.c @@ -1482,7 +1482,7 @@ static bool rt_cache_route(struct fib_nh prev = cmpxchg(p, orig, rt); if (prev == orig) { if (orig) { - dst_dev_put(&orig->dst); + rt_add_uncached_list(orig); dst_release(&orig->dst); } } else {