* [PATCH net] ipv6: A few fixes on dereferencing rt->from
@ 2019-04-30 17:45 Martin KaFai Lau
From: Martin KaFai Lau @ 2019-04-30 17:45 UTC (permalink / raw)
To: netdev; +Cc: David Ahern, David Miller, Jonathan Lemon, kernel-team, Wei Wang
It is a followup after the fix in
commit 9c69a1320515 ("route: Avoid crash from dereferencing NULL rt->from")

rt6_do_redirect():
1. NULL checking is needed on rt->from because a parallel
fib6_info delete could happen that sets rt->from to NULL.
(e.g. rt6_remove_exception() and fib6_drop_pcpu_from()).

2. fib6_info_hold() is not enough. Same reason as (1).
Meaning, holding dst->__refcnt cannot ensure
rt->from is not NULL or rt->from->fib6_ref is not 0.

Instead of using fib6_info_hold_safe() which ip6_rt_cache_alloc()
is already doing, this patch chooses to extend the rcu section
to keep "from" dereference-able after checking for NULL.

inet6_rtm_getroute():
1. NULL checking is also needed on rt->from for a similar reason.
Note that inet6_rtm_getroute() is using RTNL_FLAG_DOIT_UNLOCKED.

Fixes: a68886a69180 ("net/ipv6: Make from in rt6_info rcu protected")
Signed-off-by: Martin KaFai Lau <kafai@fb.com>
---
net/ipv6/route.c | 38 ++++++++++++++++++--------------------
1 file changed, 18 insertions(+), 20 deletions(-)
diff --git a/net/ipv6/route.c b/net/ipv6/route.c
index b4899f0de0d0..73ef72c208af 100644
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -3397,11 +3397,8 @@ static void rt6_do_redirect(struct dst_entry *dst, struct sock *sk, struct sk_bu
rcu_read_lock();
from = rcu_dereference(rt->from);
- /* This fib6_info_hold() is safe here because we hold reference to rt
- * and rt already holds reference to fib6_info.
- */
- fib6_info_hold(from);
- rcu_read_unlock();
+ if (!from)
+ goto out;
nrt = ip6_rt_cache_alloc(from, &msg->dest, NULL);
if (!nrt)
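Review bot: the new `if (!from) goto out;` only works together with the later hunk that moves `rcu_read_unlock()` to the `out:` label, and the removed comment's justification ("we hold reference to rt and rt already holds reference to fib6_info") is not replaced by anything saying why `from` can now be NULL. Suggest a one-line comment above the check, e.g. `/* rt->from may have been cleared by a concurrent fib6_info delete */`, mirroring the commit message. Also worth confirming that `ip6_rt_cache_alloc()`, which now runs inside the extended RCU read-side section, cannot sleep.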
@@ -3413,10 +3410,7 @@ static void rt6_do_redirect(struct dst_entry *dst, struct sock *sk, struct sk_bu
nrt->rt6i_gateway = *(struct in6_addr *)neigh->primary_key;
- /* No need to remove rt from the exception table if rt is
- * a cached route because rt6_insert_exception() will
- * takes care of it
- */
+ /* rt6_insert_exception() will take care of duplicated exceptions */
if (rt6_insert_exception(nrt, from)) {
dst_release_immediate(&nrt->dst);
goto out;
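Review bot: the shortened comment `/* rt6_insert_exception() will take care of duplicated exceptions */` drops the old comment's point that `rt` itself need not be removed from the exception table; if that still holds, keep it, and say whether a duplicate is replaced or rejected, since the `if (rt6_insert_exception(nrt, from))` failure path releases `nrt`. Note also that `from` is now only RCU-protected when passed to `rt6_insert_exception()`, whereas before it was pinned by `fib6_info_hold()`; the commit message covers `ip6_rt_cache_alloc()` taking its own safe hold, but this call deserves a sentence too.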
@@ -3429,7 +3423,7 @@ static void rt6_do_redirect(struct dst_entry *dst, struct sock *sk, struct sk_bu
call_netevent_notifiers(NETEVENT_REDIRECT, &netevent);
out:
- fib6_info_release(from);
+ rcu_read_unlock();
neigh_release(neigh);
}
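Review bot: with `fib6_info_release(from)` replaced by `rcu_read_unlock()` at `out:`, every `goto out` in the function must be reachable only after `rcu_read_lock()`; the two sites in the visible hunks (`if (!from)` and the `rt6_insert_exception()` failure) are, but any early exit above the `rcu_read_lock()` that is not shown here must keep using `return` rather than the label. Also `call_netevent_notifiers(NETEVENT_REDIRECT, &netevent)` immediately precedes `out:`, so the notifier callbacks now run inside the RCU read-side section; worth stating in the commit message that this is acceptable because those callbacks do not sleep.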
@@ -5028,16 +5022,20 @@ static int inet6_rtm_getroute(struct sk_buff *in_skb, struct nlmsghdr *nlh,
rcu_read_lock();
from = rcu_dereference(rt->from);
-
- if (fibmatch)
- err = rt6_fill_node(net, skb, from, NULL, NULL, NULL, iif,
- RTM_NEWROUTE, NETLINK_CB(in_skb).portid,
- nlh->nlmsg_seq, 0);
- else
- err = rt6_fill_node(net, skb, from, dst, &fl6.daddr,
- &fl6.saddr, iif, RTM_NEWROUTE,
- NETLINK_CB(in_skb).portid, nlh->nlmsg_seq,
- 0);
+ if (from) {
+ if (fibmatch)
+ err = rt6_fill_node(net, skb, from, NULL, NULL, NULL,
+ iif, RTM_NEWROUTE,
+ NETLINK_CB(in_skb).portid,
+ nlh->nlmsg_seq, 0);
+ else
+ err = rt6_fill_node(net, skb, from, dst, &fl6.daddr,
+ &fl6.saddr, iif, RTM_NEWROUTE,
+ NETLINK_CB(in_skb).portid,
+ nlh->nlmsg_seq, 0);
+ } else {
+ err = -ENETUNREACH;
+ }
rcu_read_unlock();
if (err < 0) {
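Review bot: returning `-ENETUNREACH` when `from` is NULL turns a transient race (a concurrent `fib6_info` delete, per the commit message) into a user-visible netlink error for the route lookup request, and the commit message does not mention the new error code or why it was chosen over retrying; suggest a sentence explaining it. Worth checking that the `if (err < 0)` cleanup after `rcu_read_unlock()` also releases the `dst` reference, since nothing in the new branch does. The re-indentation of the two `rt6_fill_node()` calls is pure churn forced by the extra nesting, which is fine for a net fix.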
--
2.17.1
* Re: [PATCH net] ipv6: A few fixes on dereferencing rt->from
From: Wei Wang @ 2019-04-30 18:26 UTC (permalink / raw)
To: Martin KaFai Lau
Cc: Linux Kernel Network Developers, David Ahern, David Miller,
Jonathan Lemon, kernel-team
On Tue, Apr 30, 2019 at 10:45 AM Martin KaFai Lau <kafai@fb.com> wrote:
>
> It is a followup after the fix in
> commit 9c69a1320515 ("route: Avoid crash from dereferencing NULL rt->from")
>
> rt6_do_redirect():
> 1. NULL checking is needed on rt->from because a parallel
> fib6_info delete could happen that sets rt->from to NULL.
> (e.g. rt6_remove_exception() and fib6_drop_pcpu_from()).
>
> 2. fib6_info_hold() is not enough. Same reason as (1).
> Meaning, holding dst->__refcnt cannot ensure
> rt->from is not NULL or rt->from->fib6_ref is not 0.
>
> Instead of using fib6_info_hold_safe() which ip6_rt_cache_alloc()
> is already doing, this patch chooses to extend the rcu section
> to keep "from" dereference-able after checking for NULL.
>
> inet6_rtm_getroute():
> 1. NULL checking is also needed on rt->from for a similar reason.
> Note that inet6_rtm_getroute() is using RTNL_FLAG_DOIT_UNLOCKED.
>
> Fixes: a68886a69180 ("net/ipv6: Make from in rt6_info rcu protected")
> Signed-off-by: Martin KaFai Lau <kafai@fb.com>
> ---
Acked-by: Wei Wang <weiwan@google.com>
Nice fix. Thanks Martin.
> net/ipv6/route.c | 38 ++++++++++++++++++--------------------
> 1 file changed, 18 insertions(+), 20 deletions(-)
>
> diff --git a/net/ipv6/route.c b/net/ipv6/route.c
> index b4899f0de0d0..73ef72c208af 100644
> --- a/net/ipv6/route.c
> +++ b/net/ipv6/route.c
> @@ -3397,11 +3397,8 @@ static void rt6_do_redirect(struct dst_entry *dst, struct sock *sk, struct sk_bu
>
> rcu_read_lock();
> from = rcu_dereference(rt->from);
> - /* This fib6_info_hold() is safe here because we hold reference to rt
> - * and rt already holds reference to fib6_info.
> - */
> - fib6_info_hold(from);
> - rcu_read_unlock();
> + if (!from)
> + goto out;
>
> nrt = ip6_rt_cache_alloc(from, &msg->dest, NULL);
> if (!nrt)
> @@ -3413,10 +3410,7 @@ static void rt6_do_redirect(struct dst_entry *dst, struct sock *sk, struct sk_bu
>
> nrt->rt6i_gateway = *(struct in6_addr *)neigh->primary_key;
>
> - /* No need to remove rt from the exception table if rt is
> - * a cached route because rt6_insert_exception() will
> - * takes care of it
> - */
> + /* rt6_insert_exception() will take care of duplicated exceptions */
> if (rt6_insert_exception(nrt, from)) {
> dst_release_immediate(&nrt->dst);
> goto out;
> @@ -3429,7 +3423,7 @@ static void rt6_do_redirect(struct dst_entry *dst, struct sock *sk, struct sk_bu
> call_netevent_notifiers(NETEVENT_REDIRECT, &netevent);
>
> out:
> - fib6_info_release(from);
> + rcu_read_unlock();
> neigh_release(neigh);
> }
>
> @@ -5028,16 +5022,20 @@ static int inet6_rtm_getroute(struct sk_buff *in_skb, struct nlmsghdr *nlh,
>
> rcu_read_lock();
> from = rcu_dereference(rt->from);
> -
> - if (fibmatch)
> - err = rt6_fill_node(net, skb, from, NULL, NULL, NULL, iif,
> - RTM_NEWROUTE, NETLINK_CB(in_skb).portid,
> - nlh->nlmsg_seq, 0);
> - else
> - err = rt6_fill_node(net, skb, from, dst, &fl6.daddr,
> - &fl6.saddr, iif, RTM_NEWROUTE,
> - NETLINK_CB(in_skb).portid, nlh->nlmsg_seq,
> - 0);
> + if (from) {
> + if (fibmatch)
> + err = rt6_fill_node(net, skb, from, NULL, NULL, NULL,
> + iif, RTM_NEWROUTE,
> + NETLINK_CB(in_skb).portid,
> + nlh->nlmsg_seq, 0);
> + else
> + err = rt6_fill_node(net, skb, from, dst, &fl6.daddr,
> + &fl6.saddr, iif, RTM_NEWROUTE,
> + NETLINK_CB(in_skb).portid,
> + nlh->nlmsg_seq, 0);
> + } else {
> + err = -ENETUNREACH;
> + }
> rcu_read_unlock();
>
> if (err < 0) {
> --
> 2.17.1
>
* Re: [PATCH net] ipv6: A few fixes on dereferencing rt->from
From: David Ahern @ 2019-05-01 15:44 UTC (permalink / raw)
To: Martin KaFai Lau, netdev
Cc: David Miller, Jonathan Lemon, kernel-team, Wei Wang
On 4/30/19 11:45 AM, Martin KaFai Lau wrote:
> It is a followup after the fix in
> commit 9c69a1320515 ("route: Avoid crash from dereferencing NULL rt->from")
>
> rt6_do_redirect():
> 1. NULL checking is needed on rt->from because a parallel
> fib6_info delete could happen that sets rt->from to NULL.
> (e.g. rt6_remove_exception() and fib6_drop_pcpu_from()).
>
> 2. fib6_info_hold() is not enough. Same reason as (1).
> Meaning, holding dst->__refcnt cannot ensure
> rt->from is not NULL or rt->from->fib6_ref is not 0.
>
> Instead of using fib6_info_hold_safe() which ip6_rt_cache_alloc()
> is already doing, this patch chooses to extend the rcu section
> to keep "from" dereference-able after checking for NULL.
>
> inet6_rtm_getroute():
> 1. NULL checking is also needed on rt->from for a similar reason.
> Note that inet6_rtm_getroute() is using RTNL_FLAG_DOIT_UNLOCKED.
>
> Fixes: a68886a69180 ("net/ipv6: Make from in rt6_info rcu protected")
> Signed-off-by: Martin KaFai Lau <kafai@fb.com>
> ---
> net/ipv6/route.c | 38 ++++++++++++++++++--------------------
> 1 file changed, 18 insertions(+), 20 deletions(-)
>
Reviewed-by: David Ahern <dsahern@gmail.com>
Thanks, Martin.
* Re: [PATCH net] ipv6: A few fixes on dereferencing rt->from
From: Eric Dumazet @ 2019-05-01 21:01 UTC (permalink / raw)
To: Martin KaFai Lau, netdev
Cc: David Ahern, David Miller, Jonathan Lemon, kernel-team, Wei Wang
On 4/30/19 10:45 AM, Martin KaFai Lau wrote:
> It is a followup after the fix in
> commit 9c69a1320515 ("route: Avoid crash from dereferencing NULL rt->from")
>
> rt6_do_redirect():
> 1. NULL checking is needed on rt->from because a parallel
> fib6_info delete could happen that sets rt->from to NULL.
> (e.g. rt6_remove_exception() and fib6_drop_pcpu_from()).
>
> 2. fib6_info_hold() is not enough. Same reason as (1).
> Meaning, holding dst->__refcnt cannot ensure
> rt->from is not NULL or rt->from->fib6_ref is not 0.
>
> Instead of using fib6_info_hold_safe() which ip6_rt_cache_alloc()
> is already doing, this patch chooses to extend the rcu section
> to keep "from" dereference-able after checking for NULL.
>
> inet6_rtm_getroute():
> 1. NULL checking is also needed on rt->from for a similar reason.
> Note that inet6_rtm_getroute() is using RTNL_FLAG_DOIT_UNLOCKED.
>
> Fixes: a68886a69180 ("net/ipv6: Make from in rt6_info rcu protected")
> Signed-off-by: Martin KaFai Lau <kafai@fb.com>
> ---
>
Reviewed-by: Eric Dumazet <edumazet@google.com>
* Re: [PATCH net] ipv6: A few fixes on dereferencing rt->from
From: David Miller @ 2019-05-01 21:18 UTC (permalink / raw)
To: kafai; +Cc: netdev, dsahern, bsd, kernel-team, weiwan
From: Martin KaFai Lau <kafai@fb.com>
Date: Tue, 30 Apr 2019 10:45:12 -0700
> It is a followup after the fix in
> commit 9c69a1320515 ("route: Avoid crash from dereferencing NULL rt->from")
>
> rt6_do_redirect():
> 1. NULL checking is needed on rt->from because a parallel
> fib6_info delete could happen that sets rt->from to NULL.
> (e.g. rt6_remove_exception() and fib6_drop_pcpu_from()).
>
> 2. fib6_info_hold() is not enough. Same reason as (1).
> Meaning, holding dst->__refcnt cannot ensure
> rt->from is not NULL or rt->from->fib6_ref is not 0.
>
> Instead of using fib6_info_hold_safe() which ip6_rt_cache_alloc()
> is already doing, this patch chooses to extend the rcu section
> to keep "from" dereference-able after checking for NULL.
>
> inet6_rtm_getroute():
> 1. NULL checking is also needed on rt->from for a similar reason.
> Note that inet6_rtm_getroute() is using RTNL_FLAG_DOIT_UNLOCKED.
>
> Fixes: a68886a69180 ("net/ipv6: Make from in rt6_info rcu protected")
> Signed-off-by: Martin KaFai Lau <kafai@fb.com>
Applied and queued up for -stable, thanks.