Date: Tue, 26 Oct 2021 21:24:50 +0700
From: msizanoen
To: davem@davemloft.net, yoshfuji@linux-ipv6.org, dsahern@kernel.org, kuba@kernel.org
Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Kernel leaks memory in ip6_dst_cache when suppress_prefix is present in ipv6 routing rules and a `fib` rule is present in ipv6 nftables rules
X-Mailing-List: linux-kernel@vger.kernel.org

The kernel leaks memory when a `fib` rule is present in IPv6 nftables firewall rules and a suppress_prefix rule is present in the IPv6 routing rules (used by certain tools such as wg-quick). In such scenarios, every incoming packet will leak an allocation in the ip6_dst_cache slab cache.

After some hours of `bpftrace`-ing and source code reading, I tracked down the issue to this commit:

https://github.com/torvalds/linux/commit/ca7a03c4175366a92cee0ccc4fec0038c3266e26

The problem with that patch is that the generic args->flags always have FIB_LOOKUP_NOREF set[1][2] but the ip6-specific flag RT6_LOOKUP_F_DST_NOREF might not be specified, leading to fib6_rule_suppress not decreasing the refcount when needed. This can be fixed by exposing the protocol-specific flags to the protocol-specific `suppress` function, and checking the protocol-specific `flags` argument for RT6_LOOKUP_F_DST_NOREF instead of the generic FIB_LOOKUP_NOREF when decreasing the refcount.

How to reproduce:

- Add the following nftables rule to a prerouting chain: `meta nfproto ipv6 fib saddr . mark . iif oif missing drop`
- Run `sudo ip -6 rule add table main suppress_prefixlength 0`
- Watch `sudo slabtop -o | grep ip6_dst_cache` memory usage increase with every incoming IPv6 packet

Example patch: https://gist.github.com/msizanoen1/36a2853467a9bd34fadc5bb3783fde0f

[1]: https://github.com/torvalds/linux/blob/ca7a03c4175366a92cee0ccc4fec0038c3266e26/net/ipv6/fib6_rules.c#L71
[2]: https://github.com/torvalds/linux/blob/ca7a03c4175366a92cee0ccc4fec0038c3266e26/net/ipv6/fib6_rules.c#L99
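
Added example (not part of the original message, and not kernel code): a user-space C model of the flag mismatch the report describes, comparing a suppress step that consults the generic flag with one that consults the IPv6-specific flag. The flag values, `struct dst` and every function name here are hypothetical; the model assumes the lookup takes a reference exactly when RT6_LOOKUP_F_DST_NOREF is absent.

```c
#include <stdio.h>

/* Placeholder values for this model; not copied from kernel headers. */
#define FIB_LOOKUP_NOREF       0x01  /* generic fib_rules lookup flag */
#define RT6_LOOKUP_F_DST_NOREF 0x80  /* IPv6-specific lookup flag */

struct dst { int refcnt; };          /* stand-in for an ip6_dst_cache object */

/* Assumed lookup behaviour: a reference is taken unless the IPv6 flag is set. */
static void model_lookup(struct dst *d, int rt6_flags)
{
    if (!(rt6_flags & RT6_LOOKUP_F_DST_NOREF))
        d->refcnt++;
}

/* Suppress step as the report describes it: only the generic flag is checked. */
static void suppress_generic(struct dst *d, int generic_flags, int rt6_flags)
{
    (void)rt6_flags;
    if (!(generic_flags & FIB_LOOKUP_NOREF))
        d->refcnt--;
}

/* Suppress step as the report proposes: the protocol-specific flag is checked. */
static void suppress_proto(struct dst *d, int generic_flags, int rt6_flags)
{
    (void)generic_flags;
    if (!(rt6_flags & RT6_LOOKUP_F_DST_NOREF))
        d->refcnt--;
}

typedef void (*suppress_fn)(struct dst *, int, int);

/* Simulate `packets` suppressed lookups; return references never released. */
static int leaked_refs(suppress_fn suppress, int rt6_flags, int packets)
{
    struct dst d = { 0 };
    for (int i = 0; i < packets; i++) {
        model_lookup(&d, rt6_flags);
        /* Per the report, the generic flags always carry FIB_LOOKUP_NOREF. */
        suppress(&d, FIB_LOOKUP_NOREF, rt6_flags);
    }
    return d.refcnt;
}

int main(void)
{
    printf("generic check, ref taken: %d leaked\n",
           leaked_refs(suppress_generic, 0, 1000));
    printf("proto check,   ref taken: %d leaked\n",
           leaked_refs(suppress_proto, 0, 1000));
    return 0;
}
```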