From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1753912Ab2HPSFG (ORCPT <rfc822;w@1wt.eu>);
	Thu, 16 Aug 2012 14:05:06 -0400
Received: from prod-mail-xrelay05.akamai.com ([96.6.114.97]:57633 "EHLO
	prod-mail-xrelay05.akamai.com" rhost-flags-OK-OK-OK-OK)
	by vger.kernel.org with ESMTP id S1751822Ab2HPSFC convert rfc822-to-8bit
	(ORCPT <rfc822;linux-kernel@vger.kernel.org>);
	Thu, 16 Aug 2012 14:05:02 -0400
X-Greylist: delayed 378 seconds by postgrey-1.27 at vger.kernel.org; Thu, 16 Aug 2012 14:05:02 EDT
From: "Banerjee, Debabrata" <dbanerje@akamai.com>
To: "netdev@vger.kernel.org" <netdev@vger.kernel.org>
CC: "Hunt, Joshua" <johunt@akamai.com>,
        "dbavatar@gmail.com" <dbavatar@gmail.com>,
        "Lubashev, Igor" <ilubashe@akamai.com>,
        "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Date: Thu, 16 Aug 2012 13:58:41 -0400
Subject: IPv6 deadlock with CONFIG_IPV6_ROUTER_PREF
Thread-Topic: IPv6 deadlock with CONFIG_IPV6_ROUTER_PREF
Thread-Index: Ac172MVGKZVi5l1yQGSXjJZO2IAo3Q==
Message-ID: <CC52AD11.7CC2%dbanerje@akamai.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
user-agent: Microsoft-MacOutlook/14.2.3.120616
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 8BIT
MIME-Version: 1.0
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

This code tries to send a neighbor discovery ICMPv6 packet for router
reachability while read_lock(tb6_lock) is held. The send may want to cause
a fib6_clean_all() garbage collection, which will try to take
write_lock(tb6_lock), resulting in deadlock. Garbage collection becomes
more likely under high load of cloned routes, so this is exploitable as a
DDOS attack, given enough attack hosts in relation max_size of the route
table (default of 4k). I checked from 3.6-rc1 back to 2.6.32, it is
present everywhere.

Stack trace below.

Thanks,
Debabrata

[46476.055009] Pid: 7963, comm: xxxx Not tainted 2.6.38-amd64
[46476.055009] RIP: 0010:[<ffffffff812878c9>]  [<ffffffff812878c9>]
__write_lock_failed+0x9/0x20
[46476.055009] RSP: 0018:ffff8801a099f8f0  EFLAGS: 00200287
[46476.055009] RAX: ffff8801a099ffd8 RBX: 0000000000000000 RCX:
0000000000000000
[46476.055009] RDX: 0000000000000000 RSI: ffffffffa0196e60 RDI:
ffff88020bc95454
[46476.055009] RBP: ffff8801a099f908 R08: ffff8801a099fb78 R09:
0000000000000003
[46476.055009] R10: ffff8801a099fa38 R11: ffff88020ebf1c00 R12:
ffffffff8100370e
[46476.055009] R13: 0000000000000000 R14: 0000000000000000 R15:
0000000000000000
[46476.055009] FS:  00007fa1f4a596d0(0000) GS:ffff8800e7c00000(0063)
knlGS:00000000f6a5fba0
[46476.055009] CS:  0010 DS: 002b ES: 002b CR0: 000000008005003b
[46476.055009] CR2: 00000000f7791000 CR3: 00000001a0bcc000 CR4:
00000000000006f0
[46476.055009] DR0: 0000000000000000 DR1: 0000000000000000 DR2:
0000000000000000
[46476.055009] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7:
0000000000000400
[46476.055009] Process xxxx (pid: 7963, threadinfo ffff8801a099e000, task
ffff8801a099c880)
[46476.055009] Stack:
[46476.055009]  ffffffff81482c17 ffff8801a099f928 ffff88020bc95454
ffff8801a099f948
[46476.055009]  ffffffffa01972f9 ffffffffa0196e60 0000000000000200
ffffffff81960a80
[46476.055009]  0000000000000d80 000000000000ea60 00000001004cbccc
ffff8801a099f968
[46476.055009] Call Trace:
[46476.055009]  [<ffffffff81482c17>] ? _raw_write_lock_bh+0x27/0x30
(deadlock on write_lock tb6_lock)
[46476.055009]  [<ffffffffa01972f9>] fib6_clean_all+0x49/0x90 [ipv6]
[46476.055009]  [<ffffffffa0196e60>] ? fib6_age+0x0/0x80 [ipv6]
[46476.055009]  [<ffffffffa019744f>] fib6_run_gc+0x4f/0xe0 [ipv6]
[46476.055009]  [<ffffffffa0193547>] ip6_dst_gc+0x97/0x120 [ipv6]
[46476.055009]  [<ffffffff813d5515>] dst_alloc+0xa5/0xc0
[46476.055009]  [<ffffffffa0196c91>] icmp6_dst_alloc+0x51/0x170 [ipv6]
[46476.055009]  [<ffffffffa019ac3f>] ndisc_send_skb+0x6f/0x2c0 [ipv6]
[46476.055009]  [<ffffffff81481b2d>] ?
schedule_hrtimeout_range_clock+0xcd/0x110
[46476.055009]  [<ffffffffa019aef1>] __ndisc_send+0x61/0x80 [ipv6]
[46476.055009]  [<ffffffffa019afbc>] ndisc_send_ns+0x6c/0xa0 [ipv6]
[46476.055009]  [<ffffffffa0195459>] rt6_probe+0xc9/0xd0 [ipv6]
[46476.055009]  [<ffffffff81120e50>] ? __pollwait+0x0/0x100
[46476.055009]  [<ffffffffa0195575>] find_match+0x115/0x180 [ipv6]
[46476.055009]  [<ffffffffa01956b3>] ip6_pol_route+0xd3/0x2d0 [ipv6]
(read_lock tb6_lock)
[46476.055009]  [<ffffffffa01958c6>] ip6_pol_route_output+0x16/0x20 [ipv6]
[46476.055009]  [<ffffffffa0196dfe>] fib6_rule_lookup+0x1e/0x20 [ipv6]
[46476.055009]  [<ffffffffa01948c1>] ip6_route_output+0x61/0xa0 [ipv6]
[46476.055009]  [<ffffffffa0188232>] ip6_dst_lookup_tail+0xe2/0xf0 [ipv6]
[46476.055009]  [<ffffffffa0188255>] ip6_dst_lookup+0x15/0x20 [ipv6]
[46476.055009]  [<ffffffffa01aca8c>] tcp_v6_connect+0x26c/0x6e0 [ipv6]
[46476.055009]  [<ffffffff81235a36>] ? security_sk_alloc+0x16/0x20
[46476.055009]  [<ffffffff8142be49>] inet_stream_connect+0x2a9/0x300
[46476.055009]  [<ffffffff81482be4>] ? _raw_spin_unlock_bh+0x14/0x20
[46476.055009]  [<ffffffff813be329>] ? release_sock+0xd9/0x110
[46476.055009]  [<ffffffff813bc00f>] sys_connect+0xaf/0xd0
[46476.055009]  [<ffffffff813e4077>] ? compat_sys_setsockopt+0x87/0x220
[46476.055009]  [<ffffffff81150e28>] ? compat_sys_fcntl64+0x1d8/0x380
[46476.055009]  [<ffffffff813e4c93>] compat_sys_socketcall+0x93/0x1f0
[46476.055009]  [<ffffffff810354ec>] cstar_dispatch+0x7/0x32
[46476.055009] Code: 00 00 48 8b 5b 20 48 83 eb 07 48 39 d9 73 06 48 89 01
31 c0 c3 b8 f2 ff ff ff c3 90 90 90 90 90 90 90 f0 81 07 00 00 00 01 f3 90
<81> 3f 00 00 00 01 75 f6 f0 81 2f 00 00 00 01 0f 85 e2 ff ff ff