From: Ido Schimmel <idosch@idosch.org>
To: Wei Wang <weiwan@google.com>
Cc: Martin KaFai Lau <kafai@fb.com>,
David Miller <davem@davemloft.net>,
Linux Kernel Network Developers <netdev@vger.kernel.org>,
Eric Dumazet <edumazet@google.com>
Subject: Re: [PATCH net] ipv6: don't let tb6_root node share routes with other node
Date: Sat, 20 Jan 2018 00:17:12 +0200
Message-ID: <20180119221712.GA16926@splinter>
In-Reply-To: <CAEA6p_BiWek-4Bu9fOs1wM+Ohc3uKc7ifAJL60UONMTgV8u6VQ@mail.gmail.com>
On Fri, Jan 19, 2018 at 01:46:02PM -0800, Wei Wang wrote:
> On Fri, Jan 19, 2018 at 1:36 PM, Wei Wang <weiwan@google.com> wrote:
> >
> >
> > On Fri, Jan 19, 2018 at 1:13 PM, Ido Schimmel <idosch@idosch.org> wrote:
> >> Hi Wei, Martin,
> >>
> >> On Thu, Jan 18, 2018 at 03:31:29PM -0800, Wei Wang wrote:
> >>> On Thu, Jan 18, 2018 at 2:47 PM, Martin KaFai Lau <kafai@fb.com> wrote:
> >>> > On Thu, Jan 18, 2018 at 10:40:03AM -0800, Wei Wang wrote:
> >>> >> From: Wei Wang <weiwan@google.com>
> >>> >>
> >>> >> After commit 4512c43eac7e, if we add a route to the subtree of tb6_root
> >>> >> which does not have any route attached to it yet, the current code will
> >>> >> let tb6_root and the node in the subtree share the same route.
> >>> >> This could cause problems because tb6_root has RTN_INFO flag marked and the
> >>> > You meant the RTN_RTINFO check in fib6_purge_rt()?
> >>> >
> >>> Yes. Exactly.
> >>
> >> The check in fib6_purge_rt() is indeed problematic as tb6_root will not
> >> release its reference on the deleted route. I can easily reproduce that
> >> on my system. However, I don't understand how come we end up with a
> >> use-after-free given tb6_root takes a reference on the route?
> >>
>
> (Resending with plain txt format)
>
> Hi Ido,
>
> I think the use-after-free does not really happen on the route that is being
> falsely shared, but on the route which that route's rt6i_next is pointing to.
> Nothing could prevent rt->rt6i_next from being released.
Yep, I considered it, then confused myself and disqualified the
possibility, but you're right. FWIW, here's the reproducer:
ip -6 route add default from 2001:db8::/64 dev dummy0 metric 1
ip -6 route append default from 2001:db8::/64 dev dummy0 metric 2
ip -6 route del default from 2001:db8::/64 dev dummy0 metric 1
ip -6 route del default from 2001:db8::/64 dev dummy0 metric 2
ip -6 route show
Thanks!
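The sharing and the use-after-free described in the two messages above, as an added example that is not part of this thread or of the kernel source: a small C model in which tb6_root starts with no leaf (as the commit message describes), the two reproducer routes are added to the subtree node, and the RTN_RTINFO check in the modelled fib6_purge_rt() leaves tb6_root holding the deleted metric 1 route, whose rt6i_next still points at the metric 2 route after that one has been freed. The structures, flag values, the null_entry stand-in for fib6_find_prefix(), and the share_with_root switch (assumed here to model the effect of the patch under review, namely that the root keeps its own null_entry) are simplifications of my own, not the kernel's code.

```c
/* Added model (not kernel code) of the leaf sharing discussed in this thread.
 * Names mirror net/ipv6/ip6_fib.c for readability; structures, flag values and
 * helpers are simplified assumptions. kfree() is replaced by a "freed" flag. */
#include <stdbool.h>

#define RTN_RTINFO  0x1   /* node carries routes in its leaf list */
#define RTN_TL_ROOT 0x4   /* the table root, tb6_root */

struct rt6_info {
    int metric;
    int rt6i_ref;                 /* references held by nodes */
    bool freed;                   /* set where the kernel would free it */
    struct rt6_info *rt6i_next;   /* next route in the node's list */
};
struct fib6_node {
    unsigned int fn_flags;
    struct fib6_node *parent;
    struct rt6_info *leaf;        /* head of the route list */
};

/* Constructed scenario: tb6_root with no leaf, the subtree root sfn for
 * "from 2001:db8::/64", and the subtree node sn holding the two routes. */
static struct rt6_info null_entry, rt_m1, rt_m2;
static struct fib6_node tb6_root, sfn, sn;
static void rt6_release(struct rt6_info *rt)
{
    if (--rt->rt6i_ref == 0)
        rt->freed = true;         /* kernel would free the route here */
}
/* Insert rt into fn's list by metric, then give every ancestor without a
 * leaf a reference. Pointing tb6_root at rt is the sharing under discussion;
 * with share_with_root == false the root gets null_entry instead (assumption). */
static void fib6_add(struct fib6_node *fn, struct rt6_info *rt, bool share_with_root)
{
    struct rt6_info **ins = &fn->leaf;
    while (*ins && (*ins)->metric <= rt->metric)
        ins = &(*ins)->rt6i_next;
    rt->rt6i_next = *ins;
    *ins = rt;
    rt->rt6i_ref++;
    fn->fn_flags |= RTN_RTINFO;
    for (struct fib6_node *p = fn->parent; p; p = p->parent) {
        if (p->leaf)
            continue;
        p->leaf = ((p->fn_flags & RTN_TL_ROOT) && !share_with_root) ? &null_entry : rt;
        p->leaf->rt6i_ref++;
    }
}
/* Models the ancestor walk in fib6_purge_rt(): dummy references to rt are
 * replaced only in nodes without RTN_RTINFO, so tb6_root keeps its reference. */
static void fib6_purge_rt(struct rt6_info *rt, struct fib6_node *fn)
{
    if (rt->rt6i_ref == 1)
        return;
    for (; fn; fn = fn->parent)
        if (!(fn->fn_flags & RTN_RTINFO) && fn->leaf == rt) {
            fn->leaf = &null_entry;   /* stands in for fib6_find_prefix() */
            null_entry.rt6i_ref++;
            rt6_release(rt);
        }
}
static void fib6_del(struct fib6_node *fn, struct rt6_info *rt)
{
    struct rt6_info **rtp = &fn->leaf;
    while (*rtp != rt)
        rtp = &(*rtp)->rt6i_next;
    *rtp = rt->rt6i_next;             /* unlink; rt->rt6i_next stays intact */
    if (!fn->leaf)
        fn->fn_flags &= ~RTN_RTINFO;  /* last route gone from this node */
    fib6_purge_rt(rt, fn);
    rt6_release(rt);
}
/* Models the dump walker behind "ip -6 route show" for one node: 1 if it reaches a freed route. */
static int dump_node_uaf_hits(struct fib6_node *fn)
{
    if (!(fn->fn_flags & RTN_RTINFO))
        return 0;
    for (struct rt6_info *rt = fn->leaf; rt; rt = rt->rt6i_next)
        if (rt->freed)
            return 1;                 /* the kernel would read freed memory here */
    return 0;
}
/* Replays the four commands of the reproducer and then dumps tb6_root. */
static int run_reproducer(bool share_with_root)
{
    null_entry = (struct rt6_info){ .metric = -1, .rt6i_ref = 2 }; /* global + sfn */
    rt_m1 = (struct rt6_info){ .metric = 1 };
    rt_m2 = (struct rt6_info){ .metric = 2 };
    tb6_root = (struct fib6_node){ .fn_flags = RTN_TL_ROOT | RTN_RTINFO };
    sfn = (struct fib6_node){ .parent = &tb6_root, .leaf = &null_entry };
    sn = (struct fib6_node){ .parent = &sfn };
    fib6_add(&sn, &rt_m1, share_with_root);   /* ip -6 route add ... metric 1 */
    fib6_add(&sn, &rt_m2, share_with_root);   /* ip -6 route append ... metric 2 */
    fib6_del(&sn, &rt_m1);                    /* ip -6 route del ... metric 1 */
    fib6_del(&sn, &rt_m2);                    /* ip -6 route del ... metric 2 */
    return dump_node_uaf_hits(&tb6_root);     /* ip -6 route show */
}
/* True when the deleted metric 1 route is still held alive by tb6_root. */
static bool stale_route_kept(void) { return !rt_m1.freed; }
```

With sharing enabled, run_reproducer(true) returns 1 and stale_route_kept() is true: the metric 1 route is never freed because tb6_root's reference survives the RTN_RTINFO check, but its rt6i_next leads to the freed metric 2 route, which is the access the dump trips over. With share_with_root false the dump returns 0 and the metric 1 route is freed normally.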
Thread overview: 8+ messages
2018-01-18 18:40 [PATCH net] ipv6: don't let tb6_root node share routes with other node Wei Wang
2018-01-18 22:47 ` Martin KaFai Lau
2018-01-18 23:31 ` Wei Wang
2018-01-18 23:43 ` Martin KaFai Lau
2018-01-19 21:13 ` Ido Schimmel
[not found] ` <CAEA6p_C4ctnTJWSQtnCPhRm48AhaqVLV4eQhfdP+Owv_SVVRLw@mail.gmail.com>
2018-01-19 21:46 ` Wei Wang
2018-01-19 22:17 ` Ido Schimmel [this message]
2018-01-19 2:14 ` David Miller