From: Eric Dumazet
Date: Tue, 26 Jul 2022 14:13:10 +0200
Subject: Re: [PATCH net v2] ipv6/addrconf: fix a null-ptr-deref bug for ip6_ptr
To: Ziyang Xuan
Cc: David Miller, Hideaki YOSHIFUJI, David Ahern, Jakub Kicinski, Paolo Abeni, netdev, LKML
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Jul 26, 2022 at 1:50 PM Ziyang Xuan wrote:
>
> Changing a net device's MTU to smaller than IPV6_MIN_MTU, or unregistering
> the device while a route is being matched, may trigger a null-ptr-deref bug
> for ip6_ptr with some probability, as follows.
>
> =========================================================
> BUG: KASAN: null-ptr-deref in find_match.part.0+0x70/0x134
> Read of size 4 at addr 0000000000000308 by task ping6/263
>
> CPU: 2 PID: 263 Comm: ping6 Not tainted 5.19.0-rc7+ #14
> Call trace:
>  dump_backtrace+0x1a8/0x230
>  show_stack+0x20/0x70
>  dump_stack_lvl+0x68/0x84
>  print_report+0xc4/0x120
>  kasan_report+0x84/0x120
>  __asan_load4+0x94/0xd0
>  find_match.part.0+0x70/0x134
>  __find_rr_leaf+0x408/0x470
>  fib6_table_lookup+0x264/0x540
>  ip6_pol_route+0xf4/0x260
>  ip6_pol_route_output+0x58/0x70
>  fib6_rule_lookup+0x1a8/0x330
>  ip6_route_output_flags_noref+0xd8/0x1a0
>  ip6_route_output_flags+0x58/0x160
>  ip6_dst_lookup_tail+0x5b4/0x85c
>  ip6_dst_lookup_flow+0x98/0x120
>  rawv6_sendmsg+0x49c/0xc70
>  inet_sendmsg+0x68/0x94
>
> Reproducer as follows:
> Firstly, prepare conditions:
> $ip netns add ns1
> $ip netns add ns2
> $ip link add veth1 type veth peer name veth2
> $ip link set veth1 netns ns1
> $ip link set veth2 netns ns2
> $ip netns exec ns1 ip -6 addr add 2001:0db8:0:f101::1/64 dev veth1
> $ip netns exec ns2 ip -6 addr add 2001:0db8:0:f101::2/64 dev veth2
> $ip netns exec ns1 ifconfig veth1 up
> $ip netns exec ns2 ifconfig veth2 up
> $ip netns exec ns1 ip -6 route add 2000::/64 dev veth1 metric 1
> $ip netns exec ns2 ip -6 route add 2001::/64 dev veth2 metric 1
>
> Secondly, execute the following two commands in two ssh windows
> respectively:
> $ip netns exec ns1 sh
> $while true; do ip -6 addr add 2001:0db8:0:f101::1/64 dev veth1; ip -6 route add 2000::/64 dev veth1 metric 1; ping6 2000::2; done
>
> $ip netns exec ns1 sh
> $while true; do ip link set veth1 mtu 1000; ip link set veth1 mtu 1500; sleep 5; done
>
> This is because ip6_ptr has first been set to NULL in addrconf_ifdown(), and
> then ip6_ignore_linkdown() accesses ip6_ptr directly without a NULL check.
>
> cpu0                                cpu1
> fib6_table_lookup
>  __find_rr_leaf
>                                     addrconf_notify [ NETDEV_CHANGEMTU ]
>                                      addrconf_ifdown
>                                       RCU_INIT_POINTER(dev->ip6_ptr, NULL)
>   find_match
>    ip6_ignore_linkdown
>
> So we can add a NULL check for ip6_ptr before using it in ip6_ignore_linkdown() to
> fix the null-ptr-deref bug.
>
> Fixes: 6d3d07b45c86 ("ipv6: Refactor fib6_ignore_linkdown")

If we need to backport, I guess dcd1f572954f ("net/ipv6: Remove fib6_idev")
already had the bug.

> Signed-off-by: Ziyang Xuan
>
> ---
> v2:
> - Use NULL check in ip6_ignore_linkdown() instead of synchronize_net() in
>   addrconf_ifdown()
> - Add timing analysis of the problem
>
> ---
>  include/net/addrconf.h | 3 +++
>  1 file changed, 3 insertions(+)
>
> diff --git a/include/net/addrconf.h b/include/net/addrconf.h
> index f7506f08e505..c04f359655b8 100644
> --- a/include/net/addrconf.h
> +++ b/include/net/addrconf.h
> @@ -405,6 +405,9 @@ static inline bool ip6_ignore_linkdown(const struct net_device *dev)
>  {
>  	const struct inet6_dev *idev = __in6_dev_get(dev);
>
> +	if (unlikely(!idev))
> +		return true;
> +

Note that we might read a non-NULL pointer here, but read it again later in
rt6_score_route(), since another thread could switch the pointer under us?

>  	return !!idev->cnf.ignore_routes_with_linkdown;
>  }
>
> --
> 2.25.1
>
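Review bot: the `if (unlikely(!idev)) return true;` added before `return !!idev->cnf.ignore_routes_with_linkdown;` guards only this one load of dev->ip6_ptr; as the reply above points out, rt6_score_route() reads the pointer again later in the same lookup and can observe the NULL that addrconf_ifdown() stores with RCU_INIT_POINTER(), so the hunk closes the reported KASAN splat in ip6_ignore_linkdown() but not the race the commit message describes. Consider having the caller (find_match() in the trace) fetch idev once and pass it to every consumer, rather than relying on each helper to re-read and re-check. Separately, `return true;` for a device whose inet6_dev is already gone is a policy decision (its routes are treated as ignorable while the link is down) and deserves a one-line comment in the header, since nothing in addrconf.h tells a reader that the value was chosen deliberately.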
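The double read Eric points at, worked through as a constructed userspace model added for this page (it is neither the kernel's code nor the patch author's): the struct and function names mirror the kernel's, but the fields, the result codes, the concurrent_writer hook standing in for the CPU running addrconf_ifdown(), and score_route() standing in for the later consumer are assumptions of the model. Variant A keeps the patched ip6_ignore_linkdown() check but reloads ip6_ptr for the second consumer; variant B loads the pointer once and passes that snapshot down.

```c
/*
 * Constructed userspace model of the dev->ip6_ptr double read raised in the
 * reply above. Not kernel code: the names mirror the kernel's, but the fields,
 * result codes, the concurrent_writer hook (stand-in for the other CPU) and
 * score_route() (stand-in for the later consumer) are assumptions of the model.
 */
#include <stdbool.h>
#include <stdio.h>

struct inet6_dev {
	struct { int ignore_routes_with_linkdown; } cnf;
};

struct net_device {
	struct inet6_dev *ip6_ptr;	/* RCU-protected in the kernel; plain here */
	/* If set, the lookup calls it between its two uses of ip6_ptr. */
	void (*concurrent_writer)(struct net_device *dev);
};

enum { MATCH_NULL_DEREF = -1, MATCH_SKIPPED = 0 };	/* lookup results (assumed) */
enum ifdown_timing { IFDOWN_NEVER, IFDOWN_BEFORE_LOOKUP, IFDOWN_BETWEEN_LOADS };

/* Model of __in6_dev_get(): one load of the pointer. */
static const struct inet6_dev *in6_dev_get(const struct net_device *dev)
{
	return dev->ip6_ptr;
}

/* Model of addrconf_ifdown(): RCU_INIT_POINTER(dev->ip6_ptr, NULL). */
static void addrconf_ifdown(struct net_device *dev)
{
	dev->ip6_ptr = NULL;
}

/* The patched helper: its NULL check covers only its own load. */
static bool ip6_ignore_linkdown(const struct net_device *dev)
{
	const struct inet6_dev *idev = in6_dev_get(dev);

	if (!idev)
		return true;
	return !!idev->cnf.ignore_routes_with_linkdown;
}

/* Later consumer that dereferences idev too (rt6_score_route() in the reply). */
static int score_route(const struct inet6_dev *idev)
{
	return idev->cnf.ignore_routes_with_linkdown ? 1 : 2;
}

/* Variant A: patched check, then a fresh load of ip6_ptr for the second consumer. */
static int find_match_reread(struct net_device *dev, bool linkdown)
{
	const struct inet6_dev *idev;

	if (ip6_ignore_linkdown(dev) && linkdown)
		return MATCH_SKIPPED;
	if (dev->concurrent_writer)
		dev->concurrent_writer(dev);	/* ifdown lands between the two loads */
	idev = in6_dev_get(dev);		/* second, unchecked load */
	if (!idev)
		return MATCH_NULL_DEREF;	/* the kernel would fault; reported instead */
	return score_route(idev);
}

/* Variant B: load once, check once, hand the same snapshot to every consumer.
 * In the kernel the caller's rcu_read_lock() keeps that snapshot valid. */
static int find_match_snapshot(struct net_device *dev, bool linkdown)
{
	const struct inet6_dev *idev = in6_dev_get(dev);

	if (!idev)
		return MATCH_SKIPPED;		/* inet6_dev already torn down */
	if (idev->cnf.ignore_routes_with_linkdown && linkdown)
		return MATCH_SKIPPED;
	if (dev->concurrent_writer)
		dev->concurrent_writer(dev);	/* pointer swaps under us ... */
	return score_route(idev);		/* ... but it is never reloaded */
}

/* One lookup against a fresh device with the chosen interleaving. */
static int run_lookup(enum ifdown_timing when, bool snapshot, bool linkdown)
{
	struct inet6_dev idev = { .cnf = { .ignore_routes_with_linkdown = 0 } };
	struct net_device dev = { .ip6_ptr = &idev, .concurrent_writer = NULL };

	if (when == IFDOWN_BEFORE_LOOKUP)
		addrconf_ifdown(&dev);
	else if (when == IFDOWN_BETWEEN_LOADS)
		dev.concurrent_writer = addrconf_ifdown;
	return snapshot ? find_match_snapshot(&dev, linkdown)
			: find_match_reread(&dev, linkdown);
}

int main(void)
{
	printf("reread: %d  snapshot: %d\n",
	       run_lookup(IFDOWN_BETWEEN_LOADS, false, false),	/* -1 */
	       run_lookup(IFDOWN_BETWEEN_LOADS, true, false));	/*  2 */
	return 0;
}
```

Build with cc -std=c11 -Wall and run: when ifdown lands between the two loads, the reread variant reports the NULL dereference and the snapshot variant does not. In this model the patched check also leaves a lookup unprotected when ip6_ptr is already NULL before the lookup starts but the nexthop does not carry the linkdown flag, because `return true` is only consulted together with that flag; whether the kernel's find_match() behaves the same way is the question the reply raises, not something this model establishes.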