From: Eric Dumazet <eric.dumazet@gmail.com>
To: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>,
"David S. Miller" <davem@davemloft.net>
Cc: David Ahern <dsahern@gmail.com>,
Eric Dumazet <eric.dumazet@gmail.com>,
Julian Anastasov <ja@ssi.bg>,
Cong Wang <xiyou.wangcong@gmail.com>,
syzbot <syzbot+30209ea299c09d8785c9@syzkaller.appspotmail.com>,
ddstreet@ieee.org, dvyukov@google.com,
linux-kernel@vger.kernel.org, netdev@vger.kernel.org,
syzkaller-bugs@googlegroups.com,
Linus Torvalds <torvalds@linux-foundation.org>,
Mahesh Bandewar <maheshb@google.com>
Subject: Re: [PATCH] ipv4: Delete uncached routes upon unregistration of loopback device.
Date: Sat, 4 May 2019 11:56:38 -0400 [thread overview]
Message-ID: <f6f770a7-17af-d51f-3ffb-4edba9b28101@gmail.com> (raw)
In-Reply-To: <519ea12b-4c24-9e8e-c5eb-ca02c9c7d264@i-love.sakura.ne.jp>
On 5/4/19 10:52 AM, Tetsuo Handa wrote:
> syzbot is hitting infinite loop when a loopback device in a namespace is
> unregistered [1]. This is because rt_flush_dev() is moving the refcount of
> "any device to unregister" to "a loopback device in that namespace" but
> nobody can drop the refcount moved from non loopback devices when the
> loopback device in that namespace is unregistered.
>
> This behavior was introduced by commit caacf05e5ad1abf0 ("ipv4: Properly
> purge netdev references on uncached routes.") but there is no description
> why we have to temporarily move the refcount to "a loopback device in that
> namespace" and why it is safe to do so, for rt_flush_dev() becomes a no-op
> when "a loopback device in that namespace" is about to be unregistered.
>
> Since I don't know the reason, this patch breaks the infinite loop by
> deleting the uncached route (which eventually drops the refcount via
> dst_destroy()) when "a loopback device in that namespace" is unregistered
> rather than when "non-loopback devices in that namespace" is unregistered.
Well, you have not fixed a bug, you simply made sure that whatever cpu is using the
routes you forcibly deleted is going to crash the host very soon (use-after-frees have
undefined behavior, but KASAN should crash most of the times)
Please do not send patches like that with a huge CC list, keep networking patches
to netdev mailing list.
Mahesh has an alternative patch, adding a fake device that can not be dismantled
to make sure we fully intercept skbs sent through a dead route, instead of relying
on loopback dropping them later at some point.
next prev parent reply other threads:[~2019-05-04 15:56 UTC|newest]
Thread overview: 42+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-08-15 18:50 unregister_netdevice: waiting for DEV to become free (2) syzbot
2018-08-15 20:28 ` syzbot
2018-08-15 20:41 ` Dmitry Vyukov
2018-08-20 4:31 ` syzbot
2018-08-20 12:55 ` Julian Anastasov
2018-08-21 5:40 ` Cong Wang
2018-08-22 4:11 ` Julian Anastasov
2019-04-15 13:36 ` Tetsuo Handa
2019-04-15 15:35 ` David Ahern
2019-04-21 20:41 ` Stephen Suryaputra
2019-04-22 14:58 ` David Ahern
2019-04-22 16:04 ` Eric Dumazet
2019-04-22 16:09 ` Eric Dumazet
2019-04-16 14:00 ` Tetsuo Handa
2019-04-26 13:43 ` Tetsuo Handa
2019-04-27 17:16 ` David Ahern
2019-04-27 22:33 ` Tetsuo Handa
2019-04-27 23:52 ` Eric Dumazet
2019-04-28 4:22 ` Tetsuo Handa
2019-04-28 15:04 ` Eric Dumazet
2019-04-29 18:34 ` David Ahern
2019-04-29 18:43 ` David Ahern
2019-05-01 13:38 ` Tetsuo Handa
2019-05-01 14:52 ` David Ahern
2019-05-01 16:16 ` Tetsuo Handa
2019-05-04 14:52 ` [PATCH] ipv4: Delete uncached routes upon unregistration of loopback device Tetsuo Handa
2019-05-04 15:56 ` Eric Dumazet [this message]
2019-05-04 17:09 ` Tetsuo Handa
2019-05-04 17:24 ` Eric Dumazet
2019-05-04 20:13 ` Julian Anastasov
2019-11-28 9:56 ` unregister_netdevice: waiting for DEV to become free (2) Tetsuo Handa
2019-11-29 5:54 ` Lukas Bulwahn
2019-11-29 6:51 ` Jouni Högander
2019-12-05 10:00 ` Jouni Högander
2019-12-05 11:00 ` Tetsuo Handa
2019-12-16 11:12 ` Tetsuo Handa
2019-12-17 7:08 ` Jouni Högander
2019-10-11 10:14 ` Tetsuo Handa
2019-10-11 15:12 ` Alexei Starovoitov
2019-10-16 10:34 ` Toke Høiland-Jørgensen
2019-11-15 9:43 ` Tetsuo Handa
2019-11-21 11:36 ` Toke Høiland-Jørgensen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=f6f770a7-17af-d51f-3ffb-4edba9b28101@gmail.com \
--to=eric.dumazet@gmail.com \
--cc=davem@davemloft.net \
--cc=ddstreet@ieee.org \
--cc=dsahern@gmail.com \
--cc=dvyukov@google.com \
--cc=ja@ssi.bg \
--cc=linux-kernel@vger.kernel.org \
--cc=maheshb@google.com \
--cc=netdev@vger.kernel.org \
--cc=penguin-kernel@i-love.sakura.ne.jp \
--cc=syzbot+30209ea299c09d8785c9@syzkaller.appspotmail.com \
--cc=syzkaller-bugs@googlegroups.com \
--cc=torvalds@linux-foundation.org \
--cc=xiyou.wangcong@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).