From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Hangbin Liu, Taehee Yoo, Eric Dumazet, "David S. Miller", Sasha Levin
Subject: [PATCH 5.15 46/69] net: mld: fix reference count leak in mld_{query | report}_work()
Date: Mon, 1 Aug 2022 13:47:10 +0200
Message-Id: <20220801114136.334615912@linuxfoundation.org>
In-Reply-To: <20220801114134.468284027@linuxfoundation.org>
References: <20220801114134.468284027@linuxfoundation.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Taehee Yoo

[ Upstream commit 3e7d18b9dca388940a19cae30bfc1f76dccd8c28 ]

mld_{query | report}_work() processes queued events. If there are too many
events in the queue, it re-queues a work. And then, it returns without
in6_dev_put(). But if queuing fails, it should call in6_dev_put(), but it
doesn't. So, a reference count leak would occur.

THREAD0				THREAD1
mld_report_work()
	spin_lock_bh()
	if (!mod_delayed_work())
		in6_dev_hold();
	spin_unlock_bh()
				spin_lock_bh()
				schedule_delayed_work()
				spin_unlock_bh()

Script to reproduce (by Hangbin Liu):
ip netns add ns1
ip netns add ns2
ip netns exec ns1 sysctl -w net.ipv6.conf.all.force_mld_version=1
ip netns exec ns2 sysctl -w net.ipv6.conf.all.force_mld_version=1
ip -n ns1 link add veth0 type veth peer name veth0 netns ns2
ip -n ns1 link set veth0 up
ip -n ns2 link set veth0 up

for i in `seq 50`; do
	for j in `seq 100`; do
		ip -n ns1 addr add 2021:${i}::${j}/64 dev veth0
		ip -n ns2 addr add 2022:${i}::${j}/64 dev veth0
	done
done

modprobe -r veth
ip -a netns del

splat looks like:
unregister_netdevice: waiting for veth0 to become free. Usage count = 2
leaked reference.
 ipv6_add_dev+0x324/0xec0
 addrconf_notify+0x481/0xd10
 raw_notifier_call_chain+0xe3/0x120
 call_netdevice_notifiers+0x106/0x160
 register_netdevice+0x114c/0x16b0
 veth_newlink+0x48b/0xa50 [veth]
 rtnl_newlink+0x11a2/0x1a40
 rtnetlink_rcv_msg+0x63f/0xc00
 netlink_rcv_skb+0x1df/0x3e0
 netlink_unicast+0x5de/0x850
 netlink_sendmsg+0x6c9/0xa90
 ____sys_sendmsg+0x76a/0x780
 __sys_sendmsg+0x27c/0x340
 do_syscall_64+0x43/0x90
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

Tested-by: Hangbin Liu
Fixes: f185de28d9ae ("mld: add new workqueues for process mld events")
Signed-off-by: Taehee Yoo
Reviewed-by: Eric Dumazet
Signed-off-by: David S. Miller
Signed-off-by: Sasha Levin
---
 net/ipv6/mcast.c | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/net/ipv6/mcast.c b/net/ipv6/mcast.c
index 7f695c39d9a8..87c699d57b36 100644
--- a/net/ipv6/mcast.c
+++ b/net/ipv6/mcast.c @@ -1522,7 +1522,6 @@ static void mld_query_work(struct work_struct *work) if (++cnt >= MLD_MAX_QUEUE) { rework = true; - schedule_delayed_work(&idev->mc_query_work, 0); break; } } @@ -1533,8 +1532,10 @@ static void mld_query_work(struct work_struct *work) __mld_query_work(skb); mutex_unlock(&idev->mc_lock); - if (!rework) - in6_dev_put(idev); + if (rework && queue_delayed_work(mld_wq, &idev->mc_query_work, 0)) + return; + + in6_dev_put(idev); } /* called with rcu_read_lock() */ @@ -1624,7 +1625,6 @@ static void mld_report_work(struct work_struct *work) if (++cnt >= MLD_MAX_QUEUE) { rework = true; - schedule_delayed_work(&idev->mc_report_work, 0); break; } } @@ -1635,8 +1635,10 @@ static void mld_report_work(struct work_struct *work) __mld_report_work(skb); mutex_unlock(&idev->mc_lock); - if (!rework) - in6_dev_put(idev); + if (rework && queue_delayed_work(mld_wq, &idev->mc_report_work, 0)) + return; + + in6_dev_put(idev); } static bool is_in(struct ifmcaddr6 *pmc, struct ip6_sf_list *psf, int type, -- 2.35.1
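Review bot: in the first mld_query_work() hunk (the `++cnt >= MLD_MAX_QUEUE` branch), dropping `schedule_delayed_work(&idev->mc_query_work, 0);` does two things the changelog does not mention: the re-queue moves from inside the dequeue loop (which the commit message's diagram shows running under spin_lock_bh()) to after mutex_unlock(&idev->mc_lock), and it changes from schedule_delayed_work() on the system workqueue to queue_delayed_work(mld_wq, ...). Both are deliberate and both are fine, but the commit message only talks about the missing in6_dev_put(); a sentence saying the rework is now queued on mld_wq after the lock is released, so its return value can be acted on, would save the next reader from wondering whether the workqueue change was accidental.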
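Review bot: in the second mld_query_work() hunk, the `return` after a successful queue_delayed_work() silently hands the reference this run holds to the freshly queued instance, and the fall-through in6_dev_put(idev) is correct only because an already-pending instance owns its own reference (the `if (!mod_delayed_work()) in6_dev_hold();` sequence in the commit message's diagram). That ownership rule is the whole fix and is easy to misread as a missing put on the return path; a one-line comment above `if (rework && queue_delayed_work(mld_wq, &idev->mc_query_work, 0))` stating "reference is transferred to the queued work; if it was already pending it holds its own" would keep a later cleanup from reintroducing the leak.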
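Review bot: the last mld_report_work() hunk leaves the tail identical to the mld_query_work() one except for the `mc_report_work` member, and the original leak came from getting the same two-line sequence wrong in two places. Consider a small static helper that takes `struct inet6_dev *` and the `struct delayed_work *` and does the `queue_delayed_work(mld_wq, ...)`-or-`in6_dev_put()` step, so the reference-ownership rule lives in one place; the loop hunks could also share the `rework` handling the same way.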