linux-kernel.vger.kernel.org archive mirror
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Jiri Pirko <jiri@mellanox.com>,
	"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 4.14 17/33] net: fix ifindex collision during namespace removal
Date: Thu,  8 Aug 2019 21:05:24 +0200
Message-ID: <20190808190454.452428373@linuxfoundation.org>
In-Reply-To: <20190808190453.582417307@linuxfoundation.org>

From: Jiri Pirko <jiri@mellanox.com>

[ Upstream commit 55b40dbf0e76b4bfb9d8b3a16a0208640a9a45df ]

Commit aca51397d014 ("netns: Fix arbitrary net_device-s corruptions
on net_ns stop.") introduced a possibility to hit a BUG in case device
is returning back to init_net and two following conditions are met:
1) dev->ifindex value is used in a name of another "dev%d"
   device in init_net.
2) dev->name is used by another device in init_net.

Under real life circumstances this is hard to get. Therefore this has
been present happily for over 10 years. To reproduce:

$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 86:89:3f:86:61:29 brd ff:ff:ff:ff:ff:ff
3: enp0s2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 52:54:00:12:34:56 brd ff:ff:ff:ff:ff:ff
$ ip netns add ns1
$ ip -n ns1 link add dummy1ns1 type dummy
$ ip -n ns1 link add dummy2ns1 type dummy
$ ip link set enp0s2 netns ns1
$ ip -n ns1 link set enp0s2 name dummy0
[  100.858894] virtio_net virtio0 dummy0: renamed from enp0s2
$ ip link add dev4 type dummy
$ ip -n ns1 a
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: dummy1ns1: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 16:63:4c:38:3e:ff brd ff:ff:ff:ff:ff:ff
3: dummy2ns1: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether aa:9e:86:dd:6b:5d brd ff:ff:ff:ff:ff:ff
4: dummy0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 52:54:00:12:34:56 brd ff:ff:ff:ff:ff:ff
$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 86:89:3f:86:61:29 brd ff:ff:ff:ff:ff:ff
4: dev4: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 5a:e1:4a:b6:ec:f8 brd ff:ff:ff:ff:ff:ff
$ ip netns del ns1
[  158.717795] default_device_exit: failed to move dummy0 to init_net: -17
[  158.719316] ------------[ cut here ]------------
[  158.720591] kernel BUG at net/core/dev.c:9824!
[  158.722260] invalid opcode: 0000 [#1] SMP KASAN PTI
[  158.723728] CPU: 0 PID: 56 Comm: kworker/u2:1 Not tainted 5.3.0-rc1+ #18
[  158.725422] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-2.fc30 04/01/2014
[  158.727508] Workqueue: netns cleanup_net
[  158.728915] RIP: 0010:default_device_exit.cold+0x1d/0x1f
[  158.730683] Code: 84 e8 18 c9 3e fe 0f 0b e9 70 90 ff ff e8 36 e4 52 fe 89 d9 4c 89 e2 48 c7 c6 80 d6 25 84 48 c7 c7 20 c0 25 84 e8 f4 c8 3e
[  158.736854] RSP: 0018:ffff8880347e7b90 EFLAGS: 00010282
[  158.738752] RAX: 000000000000003b RBX: 00000000ffffffef RCX: 0000000000000000
[  158.741369] RDX: 0000000000000000 RSI: ffffffff8128013d RDI: ffffed10068fcf64
[  158.743418] RBP: ffff888033550170 R08: 000000000000003b R09: fffffbfff0b94b9c
[  158.745626] R10: fffffbfff0b94b9b R11: ffffffff85ca5cdf R12: ffff888032f28000
[  158.748405] R13: dffffc0000000000 R14: ffff8880335501b8 R15: 1ffff110068fcf72
[  158.750638] FS:  0000000000000000(0000) GS:ffff888036000000(0000) knlGS:0000000000000000
[  158.752944] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  158.755245] CR2: 00007fe8b45d21d0 CR3: 00000000340b4005 CR4: 0000000000360ef0
[  158.757654] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  158.760012] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[  158.762758] Call Trace:
[  158.763882]  ? dev_change_net_namespace+0xbb0/0xbb0
[  158.766148]  ? devlink_nl_cmd_set_doit+0x520/0x520
[  158.768034]  ? dev_change_net_namespace+0xbb0/0xbb0
[  158.769870]  ops_exit_list.isra.0+0xa8/0x150
[  158.771544]  cleanup_net+0x446/0x8f0
[  158.772945]  ? unregister_pernet_operations+0x4a0/0x4a0
[  158.775294]  process_one_work+0xa1a/0x1740
[  158.776896]  ? pwq_dec_nr_in_flight+0x310/0x310
[  158.779143]  ? do_raw_spin_lock+0x11b/0x280
[  158.780848]  worker_thread+0x9e/0x1060
[  158.782500]  ? process_one_work+0x1740/0x1740
[  158.784454]  kthread+0x31b/0x420
[  158.786082]  ? __kthread_create_on_node+0x3f0/0x3f0
[  158.788286]  ret_from_fork+0x3a/0x50
[  158.789871] ---[ end trace defd6c657c71f936 ]---
[  158.792273] RIP: 0010:default_device_exit.cold+0x1d/0x1f
[  158.795478] Code: 84 e8 18 c9 3e fe 0f 0b e9 70 90 ff ff e8 36 e4 52 fe 89 d9 4c 89 e2 48 c7 c6 80 d6 25 84 48 c7 c7 20 c0 25 84 e8 f4 c8 3e
[  158.804854] RSP: 0018:ffff8880347e7b90 EFLAGS: 00010282
[  158.807865] RAX: 000000000000003b RBX: 00000000ffffffef RCX: 0000000000000000
[  158.811794] RDX: 0000000000000000 RSI: ffffffff8128013d RDI: ffffed10068fcf64
[  158.816652] RBP: ffff888033550170 R08: 000000000000003b R09: fffffbfff0b94b9c
[  158.820930] R10: fffffbfff0b94b9b R11: ffffffff85ca5cdf R12: ffff888032f28000
[  158.825113] R13: dffffc0000000000 R14: ffff8880335501b8 R15: 1ffff110068fcf72
[  158.829899] FS:  0000000000000000(0000) GS:ffff888036000000(0000) knlGS:0000000000000000
[  158.834923] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  158.838164] CR2: 00007fe8b45d21d0 CR3: 00000000340b4005 CR4: 0000000000360ef0
[  158.841917] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  158.845149] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400

Fix this by checking if a device with the same name exists in init_net
and fall back to original code - dev%d to allocate name - in case it does.

This was found using syzkaller.

Fixes: aca51397d014 ("netns: Fix arbitrary net_device-s corruptions on net_ns stop.")
Signed-off-by: Jiri Pirko <jiri@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/core/dev.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -8652,6 +8652,8 @@ static void __net_exit default_device_ex
 
 		/* Push remaining network devices to init_net */
 		snprintf(fb_name, IFNAMSIZ, "dev%d", dev->ifindex);
+		if (__dev_get_by_name(&init_net, fb_name))
+			snprintf(fb_name, IFNAMSIZ, "dev%%d");
 		err = dev_change_net_namespace(dev, &init_net, fb_name);
 		if (err) {
 			pr_emerg("%s: failed to move %s to init_net: %d\n",
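Review bot: the added `snprintf(fb_name, IFNAMSIZ, "dev%%d")` depends on the `%%` escape to store the literal pattern `dev%d` in fb_name, and sitting two lines below the `"dev%d"` call that formats dev->ifindex it is easy to misread as a typo. Please extend the existing "Push remaining network devices to init_net" comment to say that the second form is a name template passed to dev_change_net_namespace() when `dev<ifindex>` is already taken, or write the constant with a plain bounded string copy so that no format parsing is involved. The `if (err)` branch that follows is unchanged, so it is also worth stating in the comment which failures of dev_change_net_namespace() can still reach the pr_emerg path once the name can no longer collide.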



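The two conditions from the commit message, as a simplified user-space model of how the name is chosen before and after the patch. This is an added example, not kernel code and not part of the original patch; `return_to_init_net`, `name_in_use`, `with_fix` and the name table are hypothetical, and the table is constructed from the reproducer's final `ip a` output.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define IFNAMSIZ 16

/* Constructed sample: device names in init_net when ns1 is deleted. */
static const char *init_net_names[] = { "lo", "dummy0", "dev4" };

static int name_in_use(const char *name)
{
    for (size_t i = 0; i < sizeof(init_net_names) / sizeof(*init_net_names); i++)
        if (strcmp(init_net_names[i], name) == 0)
            return 1;
    return 0;
}

/* Model of moving a device back to init_net. Returns 0 and the resulting
 * name in out, or -EEXIST. with_fix selects the patched fallback choice. */
static int return_to_init_net(const char *dev_name, int ifindex, int with_fix,
                              char out[IFNAMSIZ])
{
    char fb_name[IFNAMSIZ];

    snprintf(fb_name, IFNAMSIZ, "dev%d", ifindex);
    if (!name_in_use(dev_name)) {          /* condition 2 not met: name is kept */
        snprintf(out, IFNAMSIZ, "%s", dev_name);
        return 0;
    }
    if (!name_in_use(fb_name)) {           /* condition 1 not met: dev<ifindex> */
        snprintf(out, IFNAMSIZ, "%s", fb_name);
        return 0;
    }
    if (!with_fix)
        return -EEXIST;                    /* both met: the -17 in the log */
    for (int i = 0; i < 100; i++) {        /* "dev%d" template: first free index */
        snprintf(out, IFNAMSIZ, "dev%d", i);
        if (!name_in_use(out))
            return 0;
    }
    return -ENFILE;
}

int main(void)
{
    char name[IFNAMSIZ] = "";
    int err = return_to_init_net("dummy0", 4, 0, name);
    printf("unpatched: err=%d\n", err);
    err = return_to_init_net("dummy0", 4, 1, name);
    printf("patched:   err=%d name=%s\n", err, name);
    return 0;
}
```
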