linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
To: Eric Dumazet <eric.dumazet@gmail.com>,
	"David S. Miller" <davem@davemloft.net>
Cc: David Ahern <dsahern@gmail.com>, Julian Anastasov <ja@ssi.bg>,
	Cong Wang <xiyou.wangcong@gmail.com>,
	syzbot <syzbot+30209ea299c09d8785c9@syzkaller.appspotmail.com>,
	ddstreet@ieee.org, dvyukov@google.com,
	linux-kernel@vger.kernel.org, netdev@vger.kernel.org,
	syzkaller-bugs@googlegroups.com,
	Linus Torvalds <torvalds@linux-foundation.org>,
	Mahesh Bandewar <maheshb@google.com>
Subject: Re: [PATCH] ipv4: Delete uncached routes upon unregistration of loopback device.
Date: Sun, 5 May 2019 02:09:59 +0900	[thread overview]
Message-ID: <ab80de53-25b8-618b-4dcb-b732059f6f9c@i-love.sakura.ne.jp> (raw)
In-Reply-To: <f6f770a7-17af-d51f-3ffb-4edba9b28101@gmail.com>

On 2019/05/05 0:56, Eric Dumazet wrote:> 
> Well, you have not fixed a bug, you simply made sure that whatever cpu is using the
> routes you forcibly deleted is going to crash the host very soon (use-after-frees have
> undefined behavior, but KASAN should crash most of the times)

I confirmed that this patch survives "#syz test:" before submitting.
But you know that this patch is deleting the route entry too early. OK.

> 
> Please do not send patches like that with a huge CC list, keep networking patches
> to netdev mailing list.

If netdev people started working on this "minutely crashing bug" earlier,
I would not have written a patch...

> 
> Mahesh has an alternative patch, adding a fake device that can not be dismantled
> to make sure we fully intercept skbs sent through a dead route, instead of relying
> on loopback dropping them later at some point.

So, the reason to temporarily move the refcount is to give enough period
so that the route entry is no longer used. But moving the refcount to a
loopback device in a namespace was wrong. Is this understanding correct?

Compared to moving the refcount to the loopback device in the init namespace,
the fake device can somehow drop the refcount moved via rt_flush_dev(), can't it?

Anyway, I'll wait for Mahesh.


  reply	other threads:[~2019-05-04 17:15 UTC|newest]

Thread overview: 42+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-08-15 18:50 unregister_netdevice: waiting for DEV to become free (2) syzbot
2018-08-15 20:28 ` syzbot
2018-08-15 20:41   ` Dmitry Vyukov
2018-08-20  4:31 ` syzbot
2018-08-20 12:55   ` Julian Anastasov
2018-08-21  5:40     ` Cong Wang
2018-08-22  4:11       ` Julian Anastasov
2019-04-15 13:36     ` Tetsuo Handa
2019-04-15 15:35       ` David Ahern
2019-04-21 20:41         ` Stephen Suryaputra
2019-04-22 14:58           ` David Ahern
2019-04-22 16:04             ` Eric Dumazet
2019-04-22 16:09               ` Eric Dumazet
2019-04-16 14:00       ` Tetsuo Handa
2019-04-26 13:43         ` Tetsuo Handa
2019-04-27 17:16           ` David Ahern
2019-04-27 22:33             ` Tetsuo Handa
2019-04-27 23:52               ` Eric Dumazet
2019-04-28  4:22                 ` Tetsuo Handa
2019-04-28 15:04                   ` Eric Dumazet
2019-04-29 18:34                   ` David Ahern
2019-04-29 18:43                     ` David Ahern
2019-05-01 13:38                       ` Tetsuo Handa
2019-05-01 14:52                         ` David Ahern
2019-05-01 16:16                           ` Tetsuo Handa
2019-05-04 14:52                             ` [PATCH] ipv4: Delete uncached routes upon unregistration of loopback device Tetsuo Handa
2019-05-04 15:56                               ` Eric Dumazet
2019-05-04 17:09                                 ` Tetsuo Handa [this message]
2019-05-04 17:24                                   ` Eric Dumazet
2019-05-04 20:13                               ` Julian Anastasov
2019-11-28  9:56     ` unregister_netdevice: waiting for DEV to become free (2) Tetsuo Handa
2019-11-29  5:54       ` Lukas Bulwahn
2019-11-29  6:51       ` Jouni Högander
2019-12-05 10:00       ` Jouni Högander
2019-12-05 11:00         ` Tetsuo Handa
2019-12-16 11:12           ` Tetsuo Handa
2019-12-17  7:08             ` Jouni Högander
2019-10-11 10:14   ` Tetsuo Handa
2019-10-11 15:12     ` Alexei Starovoitov
2019-10-16 10:34       ` Toke Høiland-Jørgensen
2019-11-15  9:43         ` Tetsuo Handa
2019-11-21 11:36           ` Toke Høiland-Jørgensen

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=ab80de53-25b8-618b-4dcb-b732059f6f9c@i-love.sakura.ne.jp \
    --to=penguin-kernel@i-love.sakura.ne.jp \
    --cc=davem@davemloft.net \
    --cc=ddstreet@ieee.org \
    --cc=dsahern@gmail.com \
    --cc=dvyukov@google.com \
    --cc=eric.dumazet@gmail.com \
    --cc=ja@ssi.bg \
    --cc=linux-kernel@vger.kernel.org \
    --cc=maheshb@google.com \
    --cc=netdev@vger.kernel.org \
    --cc=syzbot+30209ea299c09d8785c9@syzkaller.appspotmail.com \
    --cc=syzkaller-bugs@googlegroups.com \
    --cc=torvalds@linux-foundation.org \
    --cc=xiyou.wangcong@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).