original_kernel/net/ipv6
Nir Dotan 146820cc24 ip6mr: Fix notifiers call on mroute_clean_tables()
When the MC route socket is closed, mroute_clean_tables() is called to
cleanup existing routes. Mistakenly notifiers call was put on the cleanup
of the unresolved MC route entries cache.
In a case where the MC socket closes before an unresolved route expires,
the notifier call leads to a crash, caused by the driver trying to
increment a non initialized refcount_t object [1] and then when handling
is done, to decrement it [2]. This was detected by a test recently added in
commit 6d4efada3b ("selftests: forwarding: Add multicast routing test").

Fix that by putting notifiers call on the resolved entries traversal,
instead of on the unresolved entries traversal.

[1]

[  245.748967] refcount_t: increment on 0; use-after-free.
[  245.754829] WARNING: CPU: 3 PID: 3223 at lib/refcount.c:153 refcount_inc_checked+0x2b/0x30
...
[  245.802357] Hardware name: Mellanox Technologies Ltd. MSN2740/SA001237, BIOS 5.6.5 06/07/2016
[  245.811873] RIP: 0010:refcount_inc_checked+0x2b/0x30
...
[  245.907487] Call Trace:
[  245.910231]  mlxsw_sp_router_fib_event.cold.181+0x42/0x47 [mlxsw_spectrum]
[  245.917913]  notifier_call_chain+0x45/0x7
[  245.922484]  atomic_notifier_call_chain+0x15/0x20
[  245.927729]  call_fib_notifiers+0x15/0x30
[  245.932205]  mroute_clean_tables+0x372/0x3f
[  245.936971]  ip6mr_sk_done+0xb1/0xc0
[  245.940960]  ip6_mroute_setsockopt+0x1da/0x5f0
...

[2]

[  246.128487] refcount_t: underflow; use-after-free.
[  246.133859] WARNING: CPU: 0 PID: 7 at lib/refcount.c:187 refcount_sub_and_test_checked+0x4c/0x60
[  246.183521] Hardware name: Mellanox Technologies Ltd. MSN2740/SA001237, BIOS 5.6.5 06/07/2016
...
[  246.193062] Workqueue: mlxsw_core_ordered mlxsw_sp_router_fibmr_event_work [mlxsw_spectrum]
[  246.202394] RIP: 0010:refcount_sub_and_test_checked+0x4c/0x60
...
[  246.298889] Call Trace:
[  246.301617]  refcount_dec_and_test_checked+0x11/0x20
[  246.307170]  mlxsw_sp_router_fibmr_event_work.cold.196+0x47/0x78 [mlxsw_spectrum]
[  246.315531]  process_one_work+0x1fa/0x3f0
[  246.320005]  worker_thread+0x2f/0x3e0
[  246.324083]  kthread+0x118/0x130
[  246.327683]  ? wq_update_unbound_numa+0x1b0/0x1b0
[  246.332926]  ? kthread_park+0x80/0x80
[  246.337013]  ret_from_fork+0x1f/0x30

Fixes: 088aa3eec2 ("ip6mr: Support fib notifications")
Signed-off-by: Nir Dotan <nird@mellanox.com>
Reviewed-by: Ido Schimmel <idosch@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-01-27 23:16:07 -08:00
..
ila
netfilter Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next 2018-12-20 18:20:26 -08:00
Kconfig
Makefile
addrconf.c net/ipv6: lower the level of "link is not ready" messages 2019-01-22 20:42:39 -08:00
addrconf_core.c
addrlabel.c
af_inet6.c ipv6: Take rcu_read_lock in __inet6_bind for mapped addresses 2019-01-05 14:17:07 -08:00
ah6.c
anycast.c
calipso.c
datagram.c ipv6: fix kernel-infoleak in ipv6_local_error() 2019-01-10 09:36:41 -05:00
esp6.c net: use skb_sec_path helper in more places 2018-12-19 11:21:37 -08:00
esp6_offload.c net: use skb_sec_path helper in more places 2018-12-19 11:21:37 -08:00
exthdrs.c
exthdrs_core.c
exthdrs_offload.c
fib6_notifier.c
fib6_rules.c
fou6.c fou, fou6: do not assume linear skbs 2019-01-15 22:01:31 -08:00
icmp.c ipv6: make icmp6_send() robust against null skb->dev 2019-01-04 13:40:03 -08:00
inet6_connection_sock.c
inet6_hashtables.c
ip6_checksum.c
ip6_fib.c ipv6: Fix dump of specific table with strict checking 2019-01-02 20:15:43 -08:00
ip6_flowlabel.c
ip6_gre.c net: ip_gre: use erspan key field for tunnel lookup 2019-01-22 11:52:17 -08:00
ip6_icmp.c
ip6_input.c
ip6_offload.c
ip6_offload.h
ip6_output.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2018-12-20 11:53:36 -08:00
ip6_tunnel.c ip: validate header length on virtual device xmit 2019-01-01 12:05:02 -08:00
ip6_udp_tunnel.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2018-12-20 11:53:36 -08:00
ip6_vti.c ip: validate header length on virtual device xmit 2019-01-01 12:05:02 -08:00
ip6mr.c ip6mr: Fix notifiers call on mroute_clean_tables() 2019-01-27 23:16:07 -08:00
ipcomp6.c
ipv6_sockglue.c
mcast.c
mcast_snoop.c
mip6.c
ndisc.c
netfilter.c
output_core.c
ping.c
proc.c
protocol.c
raw.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2018-12-20 11:53:36 -08:00
reassembly.c ipv6: fix typo in net/ipv6/reassembly.c 2018-12-30 13:02:46 -08:00
route.c ipv6: route: place a warning with duplicated string with correct extack 2019-01-16 14:06:34 -08:00
seg6.c
seg6_hmac.c
seg6_iptunnel.c
seg6_local.c
sit.c ip: validate header length on virtual device xmit 2019-01-01 12:05:02 -08:00
syncookies.c
sysctl_net_ipv6.c
tcp_ipv6.c
tcpv6_offload.c
tunnel6.c
udp.c udp6: add missing rehash callback to udplite 2019-01-17 15:01:08 -08:00
udp_impl.h udp6: add missing rehash callback to udplite 2019-01-17 15:01:08 -08:00
udp_offload.c
udplite.c udp6: add missing rehash callback to udplite 2019-01-17 15:01:08 -08:00
xfrm6_input.c net: use skb_sec_path helper in more places 2018-12-19 11:21:37 -08:00
xfrm6_mode_beet.c
xfrm6_mode_ro.c
xfrm6_mode_transport.c
xfrm6_mode_tunnel.c
xfrm6_output.c
xfrm6_policy.c
xfrm6_protocol.c
xfrm6_state.c
xfrm6_tunnel.c xfrm6_tunnel: Fix spi check in __xfrm6_tunnel_alloc_spi 2018-12-19 12:33:17 +01:00