linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Tommi Rantala <tommi.t.rantala@nokia.com>,
	Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>,
	Neil Horman <nhorman@tuxdriver.com>,
	"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 4.4 27/36] sctp: fix dst refcnt leak in sctp_v4_get_dst
Date: Fri,  9 Mar 2018 16:18:43 -0800	[thread overview]
Message-ID: <20180310001808.854479450@linuxfoundation.org> (raw)
In-Reply-To: <20180310001807.213987241@linuxfoundation.org>

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Tommi Rantala <tommi.t.rantala@nokia.com>


[ Upstream commit 4a31a6b19f9ddf498c81f5c9b089742b7472a6f8 ]

Fix dst reference count leak in sctp_v4_get_dst() introduced in commit
410f03831 ("sctp: add routing output fallback"):

When walking the address_list, successive ip_route_output_key() calls
may return the same rt->dst with the reference incremented on each call.

The code would not decrement the dst refcount when the dst pointer was
identical from the previous iteration, causing the dst refcnt leak.

Testcase:
  ip netns add TEST
  ip netns exec TEST ip link set lo up
  ip link add dummy0 type dummy
  ip link add dummy1 type dummy
  ip link add dummy2 type dummy
  ip link set dev dummy0 netns TEST
  ip link set dev dummy1 netns TEST
  ip link set dev dummy2 netns TEST
  ip netns exec TEST ip addr add 192.168.1.1/24 dev dummy0
  ip netns exec TEST ip link set dummy0 up
  ip netns exec TEST ip addr add 192.168.1.2/24 dev dummy1
  ip netns exec TEST ip link set dummy1 up
  ip netns exec TEST ip addr add 192.168.1.3/24 dev dummy2
  ip netns exec TEST ip link set dummy2 up
  ip netns exec TEST sctp_test -H 192.168.1.2 -P 20002 -h 192.168.1.1 -p 20000 -s -B 192.168.1.3
  ip netns del TEST

In 4.4 and 4.9 kernels this results to:
  [  354.179591] unregister_netdevice: waiting for lo to become free. Usage count = 1
  [  364.419674] unregister_netdevice: waiting for lo to become free. Usage count = 1
  [  374.663664] unregister_netdevice: waiting for lo to become free. Usage count = 1
  [  384.903717] unregister_netdevice: waiting for lo to become free. Usage count = 1
  [  395.143724] unregister_netdevice: waiting for lo to become free. Usage count = 1
  [  405.383645] unregister_netdevice: waiting for lo to become free. Usage count = 1
  ...

Fixes: 410f03831 ("sctp: add routing output fallback")
Fixes: 0ca50d12f ("sctp: fix src address selection if using secondary addresses")
Signed-off-by: Tommi Rantala <tommi.t.rantala@nokia.com>
Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/sctp/protocol.c |   10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

--- a/net/sctp/protocol.c
+++ b/net/sctp/protocol.c
@@ -508,22 +508,20 @@ static void sctp_v4_get_dst(struct sctp_
 		if (IS_ERR(rt))
 			continue;
 
-		if (!dst)
-			dst = &rt->dst;
-
 		/* Ensure the src address belongs to the output
 		 * interface.
 		 */
 		odev = __ip_dev_find(sock_net(sk), laddr->a.v4.sin_addr.s_addr,
 				     false);
 		if (!odev || odev->ifindex != fl4->flowi4_oif) {
-			if (&rt->dst != dst)
+			if (!dst)
+				dst = &rt->dst;
+			else
 				dst_release(&rt->dst);
 			continue;
 		}
 
-		if (dst != &rt->dst)
-			dst_release(dst);
+		dst_release(dst);
 		dst = &rt->dst;
 		break;
 	}

  parent reply	other threads:[~2018-03-10  0:18 UTC|newest]

Thread overview: 54+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-03-10  0:18 [PATCH 4.4 00/36] 4.4.121-stable review Greg Kroah-Hartman
2018-03-10  0:18 ` [PATCH 4.4 01/36] tpm: st33zp24: fix potential buffer overruns caused by bit glitches on the bus Greg Kroah-Hartman
2018-03-10  0:18 ` [PATCH 4.4 02/36] tpm_i2c_infineon: " Greg Kroah-Hartman
2018-03-10  0:18 ` [PATCH 4.4 03/36] tpm_i2c_nuvoton: " Greg Kroah-Hartman
2018-03-10  0:18 ` [PATCH 4.4 04/36] ALSA: usb-audio: Add a quirck for B&W PX headphones Greg Kroah-Hartman
2018-03-10  0:18 ` [PATCH 4.4 05/36] ALSA: hda: Add a power_save blacklist Greg Kroah-Hartman
2018-03-10  0:18 ` [PATCH 4.4 06/36] cpufreq: s3c24xx: Fix broken s3c_cpufreq_init() Greg Kroah-Hartman
2018-03-10  0:18 ` [PATCH 4.4 07/36] media: m88ds3103: dont call a non-initalized function Greg Kroah-Hartman
2018-03-10  0:18 ` [PATCH 4.4 08/36] nospec: Allow index argument to have const-qualified type Greg Kroah-Hartman
2018-03-10  0:18 ` [PATCH 4.4 09/36] ARM: mvebu: Fix broken PL310_ERRATA_753970 selects Greg Kroah-Hartman
2018-03-10  0:18 ` [PATCH 4.4 10/36] KVM: mmu: Fix overlap between public and private memslots Greg Kroah-Hartman
2018-03-10  0:18 ` [PATCH 4.4 11/36] x86/syscall: Sanitize syscall table de-references under speculation fix Greg Kroah-Hartman
2018-03-10  0:18 ` [PATCH 4.4 12/36] btrfs: Dont clear SGID when inheriting ACLs Greg Kroah-Hartman
2018-03-10  0:18 ` [PATCH 4.4 13/36] ARM: dts: LogicPD Torpedo: Fix I2C1 pinmux Greg Kroah-Hartman
2018-03-12 23:29   ` Ben Hutchings
2018-03-14 21:31     ` Adam Ford
2018-03-16 12:32       ` Greg Kroah-Hartman
2018-03-10  0:18 ` [PATCH 4.4 14/36] x86/apic/vector: Handle legacy irq data correctly Greg Kroah-Hartman
2018-03-10  0:18 ` [PATCH 4.4 15/36] leds: do not overflow sysfs buffer in led_trigger_show Greg Kroah-Hartman
2018-03-10  0:18 ` [PATCH 4.4 16/36] x86/spectre: Fix an error message Greg Kroah-Hartman
2018-03-10  0:18 ` [PATCH 4.4 17/36] Revert "led: core: Fix brightness setting when setting delay_off=0" Greg Kroah-Hartman
2018-03-10  0:18 ` [PATCH 4.4 18/36] bridge: check brport attr show in brport_show Greg Kroah-Hartman
2018-03-10  0:18 ` [PATCH 4.4 19/36] fib_semantics: Dont match route with mismatching tclassid Greg Kroah-Hartman
2018-03-10  0:18 ` [PATCH 4.4 20/36] hdlc_ppp: carrier detect ok, dont turn off negotiation Greg Kroah-Hartman
2018-03-10  0:18 ` [PATCH 4.4 21/36] ipv6 sit: work around bogus gcc-8 -Wrestrict warning Greg Kroah-Hartman
2018-03-10  0:18 ` [PATCH 4.4 22/36] net: fix race on decreasing number of TX queues Greg Kroah-Hartman
2018-03-10  0:18 ` [PATCH 4.4 23/36] net: ipv4: dont allow setting net.ipv4.route.min_pmtu below 68 Greg Kroah-Hartman
2018-03-10  0:18 ` [PATCH 4.4 24/36] netlink: ensure to loop over all netns in genlmsg_multicast_allns() Greg Kroah-Hartman
2018-03-13  0:04   ` Ben Hutchings
2018-03-14 17:06     ` Nicolas Dichtel
2018-03-14 20:10     ` [PATCH net] netlink: avoid a double skb free in genlmsg_mcast() Nicolas Dichtel
2018-03-16 16:36       ` David Miller
2018-03-10  0:18 ` [PATCH 4.4 25/36] ppp: prevent unregistered channels from connecting to PPP units Greg Kroah-Hartman
2018-03-10  0:18 ` [PATCH 4.4 26/36] udplite: fix partial checksum initialization Greg Kroah-Hartman
2018-03-10  0:18 ` Greg Kroah-Hartman [this message]
2018-03-10  0:18 ` [PATCH 4.4 28/36] sctp: fix dst refcnt leak in sctp_v6_get_dst() Greg Kroah-Hartman
2018-03-10  0:18 ` [PATCH 4.4 29/36] s390/qeth: fix SETIP command handling Greg Kroah-Hartman
2018-03-10  0:18 ` [PATCH 4.4 30/36] s390/qeth: fix IPA command submission race Greg Kroah-Hartman
2018-03-10  0:18 ` [PATCH 4.4 31/36] sctp: verify size of a new chunk in _sctp_make_chunk() Greg Kroah-Hartman
2018-03-13  0:46   ` Ben Hutchings
2018-03-13  9:56     ` Greg Kroah-Hartman
2018-03-14 16:23       ` Ben Hutchings
2018-03-10  0:18 ` [PATCH 4.4 32/36] net: mpls: Pull common label check into helper Greg Kroah-Hartman
2018-03-10  0:18 ` [PATCH 4.4 33/36] mpls, nospec: Sanitize array index in mpls_label_ok() Greg Kroah-Hartman
2018-03-10  0:18 ` [PATCH 4.4 34/36] dm io: fix duplicate bio completion due to missing ref count Greg Kroah-Hartman
2018-03-10  0:18 ` [PATCH 4.4 35/36] bpf, x64: implement retpoline for tail call Greg Kroah-Hartman
2018-03-10  0:18 ` [PATCH 4.4 36/36] btrfs: preserve i_mode if __btrfs_set_acl() fails Greg Kroah-Hartman
2018-03-10  0:50 ` [PATCH 4.4 00/36] 4.4.121-stable review Nathan Chancellor
2018-03-10  1:03   ` Greg Kroah-Hartman
2018-03-10  1:07     ` Nathan Chancellor
2018-03-10  5:16 ` Shuah Khan
2018-03-10  7:19 ` kernelci.org bot
2018-03-10 15:43 ` Guenter Roeck
2018-03-12 11:39 ` Naresh Kamboju

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20180310001808.854479450@linuxfoundation.org \
    --to=gregkh@linuxfoundation.org \
    --cc=davem@davemloft.net \
    --cc=linux-kernel@vger.kernel.org \
    --cc=marcelo.leitner@gmail.com \
    --cc=nhorman@tuxdriver.com \
    --cc=stable@vger.kernel.org \
    --cc=tommi.t.rantala@nokia.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).