Received: by 2002:ac0:e34a:0:0:0:0:0 with SMTP id g10csp632187imn;
        Tue, 26 Jul 2022 05:33:11 -0700 (PDT)
X-Google-Smtp-Source: AGRyM1sFsUcujYFaTFyRFIspgCfciFVvg5hyDLuKm/RhwnTsVgtTRRQyLQ2SgqNNNIIciIUvmY6S
X-Received: by 2002:a17:907:2855:b0:72b:700e:21eb with SMTP id el21-20020a170907285500b0072b700e21ebmr14066544ejc.270.1658838791297;
        Tue, 26 Jul 2022 05:33:11 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1658838791; cv=none;
        d=google.com; s=arc-20160816;
        b=KxseDz8XVlvooHAyX0kxZvRaUQ0670Jo0X/nv02gLNS0MAWeB4eKTruvww6PGkcZHD
         Ly1FtBjsYu9dw0mDiWWaX/mt3Rv1ChxMJOpZAqhkoObO6r2MdoLbtr+riQNhlPeGVS6/
         rQCCBJ3ZZ0JxkduZ/ToZnwSDwNLPPJvo38Zg9Edu+Qz/LmJpwfZTsV+JIX8U09RigrMM
         UtR2ES/SH2nxPvp4GQtyJ1MJ3NGH/T3xGraei48BXle6o9BZ0qBwlVaOpmilKDcN21fv
         wPs+GGBAoTdYGV1sQNKD2AjR8Yn2Gl/l9zaccEvrUL55HZzrrblyIJ+v3fl0A02TJ3WM
         siFg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to
         :references:mime-version:dkim-signature;
        bh=SYVsTQz5iwpU0rHGKZZgCLqu05YE3tSgDiLqaqsQFZc=;
        b=c+BOxhtXxmaRurx0rGH9meKJYqOXcwva3KW0jZbVuCJjcwQQtGxzPi7Rv8zlQMA833
         D3/3ahGn8RMLEmtx3zFiX9uiorYQiB6M3HfUh4+O8/WBFtQ4WDpnZVIEakMGPlDOeLdC
         bmIJqLot2UOAr/ZNQeM00xmteKQSPfOlVfU9+mL8lyMhT5Uvau/1yqy961Zk8JXmln/Q
         6afy6QjMJg1vqh9uuLzs4gD1R++LQhbwQzuWD8oExKZvQD7Dn6UI0TPdjIGFfoOQVfHG
         YU0ejFfuOXasOJapfFONuYH4EJloWkPqomBdI+3+v4IjEV5ORVFA1iTrT5WqKMGbt5YS
         6CRg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@google.com header.s=20210112 header.b=I4SIBzqy;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id hp2-20020a1709073e0200b0072af3e12493si17811918ejc.992.2022.07.26.05.32.46;
        Tue, 26 Jul 2022 05:33:11 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@google.com header.s=20210112 header.b=I4SIBzqy;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S238985AbiGZMNZ (ORCPT <rfc822;alizee.penel@gmail.com>
        + 99 others); Tue, 26 Jul 2022 08:13:25 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:53534 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S233025AbiGZMNY (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 26 Jul 2022 08:13:24 -0400
Received: from mail-yw1-x112a.google.com (mail-yw1-x112a.google.com [IPv6:2607:f8b0:4864:20::112a])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 5568F2CCB5
        for <linux-kernel@vger.kernel.org>; Tue, 26 Jul 2022 05:13:23 -0700 (PDT)
Received: by mail-yw1-x112a.google.com with SMTP id 00721157ae682-31e47ac84daso140418417b3.0
        for <linux-kernel@vger.kernel.org>; Tue, 26 Jul 2022 05:13:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20210112;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=SYVsTQz5iwpU0rHGKZZgCLqu05YE3tSgDiLqaqsQFZc=;
        b=I4SIBzqyPiJK44vXYIn9HzlkRiGAuDEjVXWCFZzL9W23tqMIPwDLFsRjQv+hLcH9L8
         lhkrI58QRuEKQX/3jfxD2Q2EqfObegRdPWkxJr4nBgE5ockTjO3P8M4cuvHxuhTOhzlR
         P9Z3t31P0nGlz9+v/gGkXr0LD9nhrKj3sKF/OMbYnCHLZJxZzllxwQ3lrBwho2yCZtAU
         G+hMEJkSvIiZaQgVwnnokGiMBMGISWp45NrZ9n2Ig1bRcfNpNWGXotv1+vpr4midaRNk
         cJNpehTh8rBj220IzjYZQJYH+UlSQmzEsAOeGPB0fhFKa4TkspP7CggSz+yT11XznJQG
         d2mg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=SYVsTQz5iwpU0rHGKZZgCLqu05YE3tSgDiLqaqsQFZc=;
        b=oE3noGwqOdLJlCnrFYQcgHu+u9BYjJq4IZp+boMzC2P/DrN2ZhCj1ol8++PExpDs0U
         Tl/7AD0UdzvP92BuM2+Gq+YfTPArpWSAHBXg9LXXJcc7k15h4nqJoRMovsyZmy8TL+pE
         NlfunvCNIjIWroPKGYVKHlDf1lNmt+vqCRQnHYqwhznVvgYyTa7Yvmpk2mqJd5osewQo
         sSg4tgduHNivY7Gm5g3LEdeUwsTLSvD7sv3JdfMWTq+4JGHOXVFHSDuEGo4LCir3qu8R
         dC8Ei36FkxdTxdVzevuy/tUJl3+c207bVQi14uVb92N9pVMrfIkqa2k8kySVkz4ZBX7w
         ZE4w==
X-Gm-Message-State: AJIora8giF7IwbKzMVRsxNSSNm3YlnSroSbjTKe1EeGQks5yLjHST7sd
        G3XYJYjehsMJpeDYmHSmjhxpQCRxZbGlfc/RUQ0HMg==
X-Received: by 2002:a0d:f104:0:b0:31f:268a:43da with SMTP id
 a4-20020a0df104000000b0031f268a43damr5960083ywf.332.1658837602287; Tue, 26
 Jul 2022 05:13:22 -0700 (PDT)
MIME-Version: 1.0
References: <20220726115028.3055296-1-william.xuanziyang@huawei.com>
In-Reply-To: <20220726115028.3055296-1-william.xuanziyang@huawei.com>
From:   Eric Dumazet <edumazet@google.com>
Date:   Tue, 26 Jul 2022 14:13:10 +0200
Message-ID: <CANn89iJNHhq9zbmL2DF-up_hBRHuwkPiNUpMS+LHoumy5ohQZA@mail.gmail.com>
Subject: Re: [PATCH net v2] ipv6/addrconf: fix a null-ptr-deref bug for ip6_ptr
To:     Ziyang Xuan <william.xuanziyang@huawei.com>
Cc:     David Miller <davem@davemloft.net>,
        Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>,
        David Ahern <dsahern@kernel.org>,
        Jakub Kicinski <kuba@kernel.org>,
        Paolo Abeni <pabeni@redhat.com>,
        netdev <netdev@vger.kernel.org>,
        LKML <linux-kernel@vger.kernel.org>
Content-Type: text/plain; charset="UTF-8"
X-Spam-Status: No, score=-17.6 required=5.0 tests=BAYES_00,DKIMWL_WL_MED,
        DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,
        ENV_AND_HDR_SPF_MATCH,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS,
        USER_IN_DEF_DKIM_WL,USER_IN_DEF_SPF_WL autolearn=ham
        autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Jul 26, 2022 at 1:50 PM Ziyang Xuan
<william.xuanziyang@huawei.com> wrote:
>
> Change net device's MTU to smaller than IPV6_MIN_MTU or unregister
> device while matching route. That may trigger null-ptr-deref bug
> for ip6_ptr probability as following.
>
> =========================================================
> BUG: KASAN: null-ptr-deref in find_match.part.0+0x70/0x134
> Read of size 4 at addr 0000000000000308 by task ping6/263
>
> CPU: 2 PID: 263 Comm: ping6 Not tainted 5.19.0-rc7+ #14
> Call trace:
>  dump_backtrace+0x1a8/0x230
>  show_stack+0x20/0x70
>  dump_stack_lvl+0x68/0x84
>  print_report+0xc4/0x120
>  kasan_report+0x84/0x120
>  __asan_load4+0x94/0xd0
>  find_match.part.0+0x70/0x134
>  __find_rr_leaf+0x408/0x470
>  fib6_table_lookup+0x264/0x540
>  ip6_pol_route+0xf4/0x260
>  ip6_pol_route_output+0x58/0x70
>  fib6_rule_lookup+0x1a8/0x330
>  ip6_route_output_flags_noref+0xd8/0x1a0
>  ip6_route_output_flags+0x58/0x160
>  ip6_dst_lookup_tail+0x5b4/0x85c
>  ip6_dst_lookup_flow+0x98/0x120
>  rawv6_sendmsg+0x49c/0xc70
>  inet_sendmsg+0x68/0x94
>
> Reproducer as following:
> Firstly, prepare conditions:
> $ip netns add ns1
> $ip netns add ns2
> $ip link add veth1 type veth peer name veth2
> $ip link set veth1 netns ns1
> $ip link set veth2 netns ns2
> $ip netns exec ns1 ip -6 addr add 2001:0db8:0:f101::1/64 dev veth1
> $ip netns exec ns2 ip -6 addr add 2001:0db8:0:f101::2/64 dev veth2
> $ip netns exec ns1 ifconfig veth1 up
> $ip netns exec ns2 ifconfig veth2 up
> $ip netns exec ns1 ip -6 route add 2000::/64 dev veth1 metric 1
> $ip netns exec ns2 ip -6 route add 2001::/64 dev veth2 metric 1
>
> Secondly, execute the following two commands in two ssh windows
> respectively:
> $ip netns exec ns1 sh
> $while true; do ip -6 addr add 2001:0db8:0:f101::1/64 dev veth1; ip -6 route add 2000::/64 dev veth1 metric 1; ping6 2000::2; done
>
> $ip netns exec ns1 sh
> $while true; do ip link set veth1 mtu 1000; ip link set veth1 mtu 1500; sleep 5; done
>
> It is because ip6_ptr has been assigned to NULL in addrconf_ifdown() firstly,
> then ip6_ignore_linkdown() accesses ip6_ptr directly without NULL check.
>
>         cpu0                    cpu1
> fib6_table_lookup
> __find_rr_leaf
>                         addrconf_notify [ NETDEV_CHANGEMTU ]
>                         addrconf_ifdown
>                         RCU_INIT_POINTER(dev->ip6_ptr, NULL)
> find_match
> ip6_ignore_linkdown
>
> So we can add NULL check for ip6_ptr before using in ip6_ignore_linkdown() to
> fix the null-ptr-deref bug.
>
> Fixes: 6d3d07b45c86 ("ipv6: Refactor fib6_ignore_linkdown")

If we need to backport, I guess dcd1f572954f ("net/ipv6: Remove fib6_idev")
already had the bug.

> Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
>
> ---
> v2:
>   - Use NULL check in ip6_ignore_linkdown() but synchronize_net() in
>     addrconf_ifdown()
>   - Add timing analysis of the problem
>
> ---
>  include/net/addrconf.h | 3 +++
>  1 file changed, 3 insertions(+)
>
> diff --git a/include/net/addrconf.h b/include/net/addrconf.h
> index f7506f08e505..c04f359655b8 100644
> --- a/include/net/addrconf.h
> +++ b/include/net/addrconf.h
> @@ -405,6 +405,9 @@ static inline bool ip6_ignore_linkdown(const struct net_device *dev)
>  {
>         const struct inet6_dev *idev = __in6_dev_get(dev);
>
> +       if (unlikely(!idev))
> +               return true;
> +

Note that we might read a non NULL pointer here, but read it again
later in rt6_score_route(),
since another thread could switch the pointer under us ?

>         return !!idev->cnf.ignore_routes_with_linkdown;
>  }
>
> --
> 2.25.1
>