From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Jiri Pirko <jiri@mellanox.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 5.2 21/56] net: fix ifindex collision during namespace removal
Date: Thu, 8 Aug 2019 21:04:47 +0200 [thread overview]
Message-ID: <20190808190453.725834754@linuxfoundation.org> (raw)
In-Reply-To: <20190808190452.867062037@linuxfoundation.org>
From: Jiri Pirko <jiri@mellanox.com>
[ Upstream commit 55b40dbf0e76b4bfb9d8b3a16a0208640a9a45df ]
Commit aca51397d014 ("netns: Fix arbitrary net_device-s corruptions
on net_ns stop.") introduced a possibility to hit a BUG in case device
is returning back to init_net and two following conditions are met:
1) dev->ifindex value is used in a name of another "dev%d"
device in init_net.
2) dev->name is used by another device in init_net.
Under real life circumstances this is hard to get. Therefore this has
been present happily for over 10 years. To reproduce:
$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether 86:89:3f:86:61:29 brd ff:ff:ff:ff:ff:ff
3: enp0s2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether 52:54:00:12:34:56 brd ff:ff:ff:ff:ff:ff
$ ip netns add ns1
$ ip -n ns1 link add dummy1ns1 type dummy
$ ip -n ns1 link add dummy2ns1 type dummy
$ ip link set enp0s2 netns ns1
$ ip -n ns1 link set enp0s2 name dummy0
[ 100.858894] virtio_net virtio0 dummy0: renamed from enp0s2
$ ip link add dev4 type dummy
$ ip -n ns1 a
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: dummy1ns1: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether 16:63:4c:38:3e:ff brd ff:ff:ff:ff:ff:ff
3: dummy2ns1: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether aa:9e:86:dd:6b:5d brd ff:ff:ff:ff:ff:ff
4: dummy0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether 52:54:00:12:34:56 brd ff:ff:ff:ff:ff:ff
$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether 86:89:3f:86:61:29 brd ff:ff:ff:ff:ff:ff
4: dev4: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether 5a:e1:4a:b6:ec:f8 brd ff:ff:ff:ff:ff:ff
$ ip netns del ns1
[ 158.717795] default_device_exit: failed to move dummy0 to init_net: -17
[ 158.719316] ------------[ cut here ]------------
[ 158.720591] kernel BUG at net/core/dev.c:9824!
[ 158.722260] invalid opcode: 0000 [#1] SMP KASAN PTI
[ 158.723728] CPU: 0 PID: 56 Comm: kworker/u2:1 Not tainted 5.3.0-rc1+ #18
[ 158.725422] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-2.fc30 04/01/2014
[ 158.727508] Workqueue: netns cleanup_net
[ 158.728915] RIP: 0010:default_device_exit.cold+0x1d/0x1f
[ 158.730683] Code: 84 e8 18 c9 3e fe 0f 0b e9 70 90 ff ff e8 36 e4 52 fe 89 d9 4c 89 e2 48 c7 c6 80 d6 25 84 48 c7 c7 20 c0 25 84 e8 f4 c8 3e
[ 158.736854] RSP: 0018:ffff8880347e7b90 EFLAGS: 00010282
[ 158.738752] RAX: 000000000000003b RBX: 00000000ffffffef RCX: 0000000000000000
[ 158.741369] RDX: 0000000000000000 RSI: ffffffff8128013d RDI: ffffed10068fcf64
[ 158.743418] RBP: ffff888033550170 R08: 000000000000003b R09: fffffbfff0b94b9c
[ 158.745626] R10: fffffbfff0b94b9b R11: ffffffff85ca5cdf R12: ffff888032f28000
[ 158.748405] R13: dffffc0000000000 R14: ffff8880335501b8 R15: 1ffff110068fcf72
[ 158.750638] FS: 0000000000000000(0000) GS:ffff888036000000(0000) knlGS:0000000000000000
[ 158.752944] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 158.755245] CR2: 00007fe8b45d21d0 CR3: 00000000340b4005 CR4: 0000000000360ef0
[ 158.757654] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 158.760012] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 158.762758] Call Trace:
[ 158.763882] ? dev_change_net_namespace+0xbb0/0xbb0
[ 158.766148] ? devlink_nl_cmd_set_doit+0x520/0x520
[ 158.768034] ? dev_change_net_namespace+0xbb0/0xbb0
[ 158.769870] ops_exit_list.isra.0+0xa8/0x150
[ 158.771544] cleanup_net+0x446/0x8f0
[ 158.772945] ? unregister_pernet_operations+0x4a0/0x4a0
[ 158.775294] process_one_work+0xa1a/0x1740
[ 158.776896] ? pwq_dec_nr_in_flight+0x310/0x310
[ 158.779143] ? do_raw_spin_lock+0x11b/0x280
[ 158.780848] worker_thread+0x9e/0x1060
[ 158.782500] ? process_one_work+0x1740/0x1740
[ 158.784454] kthread+0x31b/0x420
[ 158.786082] ? __kthread_create_on_node+0x3f0/0x3f0
[ 158.788286] ret_from_fork+0x3a/0x50
[ 158.789871] ---[ end trace defd6c657c71f936 ]---
[ 158.792273] RIP: 0010:default_device_exit.cold+0x1d/0x1f
[ 158.795478] Code: 84 e8 18 c9 3e fe 0f 0b e9 70 90 ff ff e8 36 e4 52 fe 89 d9 4c 89 e2 48 c7 c6 80 d6 25 84 48 c7 c7 20 c0 25 84 e8 f4 c8 3e
[ 158.804854] RSP: 0018:ffff8880347e7b90 EFLAGS: 00010282
[ 158.807865] RAX: 000000000000003b RBX: 00000000ffffffef RCX: 0000000000000000
[ 158.811794] RDX: 0000000000000000 RSI: ffffffff8128013d RDI: ffffed10068fcf64
[ 158.816652] RBP: ffff888033550170 R08: 000000000000003b R09: fffffbfff0b94b9c
[ 158.820930] R10: fffffbfff0b94b9b R11: ffffffff85ca5cdf R12: ffff888032f28000
[ 158.825113] R13: dffffc0000000000 R14: ffff8880335501b8 R15: 1ffff110068fcf72
[ 158.829899] FS: 0000000000000000(0000) GS:ffff888036000000(0000) knlGS:0000000000000000
[ 158.834923] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 158.838164] CR2: 00007fe8b45d21d0 CR3: 00000000340b4005 CR4: 0000000000360ef0
[ 158.841917] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 158.845149] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Fix this by checking if a device with the same name exists in init_net
and fallback to original code - dev%d to allocate name - in case it does.
This was found using syzkaller.
Fixes: aca51397d014 ("netns: Fix arbitrary net_device-s corruptions on net_ns stop.")
Signed-off-by: Jiri Pirko <jiri@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/core/dev.c | 2 ++
1 file changed, 2 insertions(+)
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -9711,6 +9711,8 @@ static void __net_exit default_device_ex
/* Push remaining network devices to init_net */
snprintf(fb_name, IFNAMSIZ, "dev%d", dev->ifindex);
+ if (__dev_get_by_name(&init_net, fb_name))
+ snprintf(fb_name, IFNAMSIZ, "dev%%d");
err = dev_change_net_namespace(dev, &init_net, fb_name);
if (err) {
pr_emerg("%s: failed to move %s to init_net: %d\n",
next prev parent reply other threads:[~2019-08-08 19:06 UTC|newest]
Thread overview: 66+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-08-08 19:04 [PATCH 5.2 00/56] 5.2.8-stable review Greg Kroah-Hartman
2019-08-08 19:04 ` [PATCH 5.2 01/56] scsi: fcoe: Embed fc_rport_priv in fcoe_rport structure Greg Kroah-Hartman
2019-08-08 19:04 ` [PATCH 5.2 02/56] libnvdimm/bus: Prepare the nd_ioctl() path to be re-entrant Greg Kroah-Hartman
2019-08-08 19:04 ` [PATCH 5.2 03/56] libnvdimm/bus: Fix wait_nvdimm_bus_probe_idle() ABBA deadlock Greg Kroah-Hartman
2019-08-08 19:04 ` [PATCH 5.2 04/56] ALSA: usb-audio: Sanity checks for each pipe and EP types Greg Kroah-Hartman
2019-08-08 19:04 ` [PATCH 5.2 05/56] ALSA: usb-audio: Fix gpf in snd_usb_pipe_sanity_check Greg Kroah-Hartman
2019-08-08 19:04 ` [PATCH 5.2 06/56] HID: wacom: fix bit shift for Cintiq Companion 2 Greg Kroah-Hartman
2019-08-08 19:04 ` [PATCH 5.2 07/56] HID: Add quirk for HP X1200 PIXART OEM mouse Greg Kroah-Hartman
2019-08-08 19:04 ` [PATCH 5.2 08/56] atm: iphase: Fix Spectre v1 vulnerability Greg Kroah-Hartman
2019-08-08 19:04 ` [PATCH 5.2 09/56] bnx2x: Disable multi-cos feature Greg Kroah-Hartman
2019-08-08 19:04 ` [PATCH 5.2 10/56] drivers/net/ethernet/marvell/mvmdio.c: Fix non OF case Greg Kroah-Hartman
2019-08-08 19:04 ` [PATCH 5.2 11/56] ife: error out when nla attributes are empty Greg Kroah-Hartman
2019-08-08 19:04 ` [PATCH 5.2 12/56] ip6_gre: reload ipv6h in prepare_ip6gre_xmit_ipv6 Greg Kroah-Hartman
2019-08-08 19:04 ` [PATCH 5.2 13/56] ip6_tunnel: fix possible use-after-free on xmit Greg Kroah-Hartman
2019-08-08 19:04 ` [PATCH 5.2 14/56] ipip: validate header length in ipip_tunnel_xmit Greg Kroah-Hartman
2019-08-08 19:04 ` [PATCH 5.2 15/56] mlxsw: spectrum: Fix error path in mlxsw_sp_module_init() Greg Kroah-Hartman
2019-08-08 19:04 ` [PATCH 5.2 16/56] mvpp2: fix panic on module removal Greg Kroah-Hartman
2019-08-08 19:04 ` [PATCH 5.2 17/56] mvpp2: refactor MTU change code Greg Kroah-Hartman
2019-08-08 19:04 ` [PATCH 5.2 18/56] net: bridge: delete local fdb on device init failure Greg Kroah-Hartman
2019-08-08 19:04 ` [PATCH 5.2 19/56] net: bridge: mcast: dont delete permanent entries when fast leave is enabled Greg Kroah-Hartman
2019-08-08 19:04 ` [PATCH 5.2 20/56] net: bridge: move default pvid init/deinit to NETDEV_REGISTER/UNREGISTER Greg Kroah-Hartman
2019-08-08 19:04 ` Greg Kroah-Hartman [this message]
2019-08-08 19:04 ` [PATCH 5.2 22/56] net/mlx5e: always initialize frag->last_in_page Greg Kroah-Hartman
2019-08-08 19:04 ` [PATCH 5.2 23/56] net/mlx5: Use reversed order when unregister devices Greg Kroah-Hartman
2019-08-08 19:04 ` [PATCH 5.2 24/56] net: phy: fixed_phy: print gpio error only if gpio node is present Greg Kroah-Hartman
2019-08-08 19:04 ` [PATCH 5.2 25/56] net: phylink: dont start and stop SGMII PHYs in SFP modules twice Greg Kroah-Hartman
2019-08-08 19:04 ` [PATCH 5.2 26/56] net: phylink: Fix flow control for fixed-link Greg Kroah-Hartman
2019-08-08 19:04 ` [PATCH 5.2 27/56] net: phy: mscc: initialize stats array Greg Kroah-Hartman
2019-08-08 19:04 ` [PATCH 5.2 28/56] net: qualcomm: rmnet: Fix incorrect UL checksum offload logic Greg Kroah-Hartman
2019-08-08 19:04 ` [PATCH 5.2 29/56] net: sched: Fix a possible null-pointer dereference in dequeue_func() Greg Kroah-Hartman
2019-08-08 19:04 ` [PATCH 5.2 30/56] net sched: update vlan action for batched events operations Greg Kroah-Hartman
2019-08-08 19:04 ` [PATCH 5.2 31/56] net: sched: use temporary variable for actions indexes Greg Kroah-Hartman
2019-08-08 19:04 ` [PATCH 5.2 32/56] net/smc: do not schedule tx_work in SMC_CLOSED state Greg Kroah-Hartman
2019-08-08 19:04 ` [PATCH 5.2 33/56] net: stmmac: Use netif_tx_napi_add() for TX polling function Greg Kroah-Hartman
2019-08-08 19:05 ` [PATCH 5.2 34/56] NFC: nfcmrvl: fix gpio-handling regression Greg Kroah-Hartman
2019-08-08 19:05 ` [PATCH 5.2 35/56] ocelot: Cancel delayed work before wq destruction Greg Kroah-Hartman
2019-08-08 19:05 ` [PATCH 5.2 36/56] tipc: compat: allow tipc commands without arguments Greg Kroah-Hartman
2019-08-08 19:05 ` [PATCH 5.2 37/56] tipc: fix unitilized skb list crash Greg Kroah-Hartman
2019-08-08 19:05 ` [PATCH 5.2 38/56] tun: mark small packets as owned by the tap sock Greg Kroah-Hartman
2019-08-08 19:05 ` [PATCH 5.2 39/56] net/mlx5: Fix modify_cq_in alignment Greg Kroah-Hartman
2019-08-08 19:05 ` [PATCH 5.2 40/56] net/mlx5e: Prevent encap flow counter update async to user query Greg Kroah-Hartman
2019-08-08 19:05 ` [PATCH 5.2 41/56] r8169: dont use MSI before RTL8168d Greg Kroah-Hartman
2019-08-08 19:05 ` [PATCH 5.2 42/56] bpf: fix XDP vlan selftests test_xdp_vlan.sh Greg Kroah-Hartman
2019-08-08 19:05 ` [PATCH 5.2 43/56] selftests/bpf: add wrapper scripts for test_xdp_vlan.sh Greg Kroah-Hartman
2019-08-08 19:05 ` [PATCH 5.2 44/56] selftests/bpf: reduce time to execute test_xdp_vlan.sh Greg Kroah-Hartman
2019-08-08 19:05 ` [PATCH 5.2 45/56] net: fix bpf_xdp_adjust_head regression for generic-XDP Greg Kroah-Hartman
2019-08-08 19:05 ` [PATCH 5.2 46/56] hv_sock: Fix hang when a connection is closed Greg Kroah-Hartman
2019-08-08 19:05 ` [PATCH 5.2 47/56] net: phy: fix race in genphy_update_link Greg Kroah-Hartman
2019-08-08 19:05 ` [PATCH 5.2 48/56] net/smc: avoid fallback in case of non-blocking connect Greg Kroah-Hartman
2019-08-08 19:05 ` [PATCH 5.2 49/56] rocker: fix memory leaks of fib_work on two error return paths Greg Kroah-Hartman
2019-08-08 19:05 ` [PATCH 5.2 50/56] mlxsw: spectrum_buffers: Further reduce pool size on Spectrum-2 Greg Kroah-Hartman
2019-08-08 19:05 ` [PATCH 5.2 51/56] net/mlx5: Add missing RDMA_RX capabilities Greg Kroah-Hartman
2019-08-08 19:05 ` [PATCH 5.2 52/56] net/mlx5e: Fix matching of speed to PRM link modes Greg Kroah-Hartman
2019-08-08 19:05 ` [PATCH 5.2 53/56] compat_ioctl: pppoe: fix PPPOEIOCSFWD handling Greg Kroah-Hartman
2019-08-08 19:05 ` [PATCH 5.2 54/56] drm/i915/vbt: Fix VBT parsing for the PSR section Greg Kroah-Hartman
2019-08-08 19:05 ` [PATCH 5.2 55/56] Revert "mac80211: set NETIF_F_LLTX when using intermediate tx queues" Greg Kroah-Hartman
2019-08-08 19:05 ` [PATCH 5.2 56/56] spi: bcm2835: Fix 3-wire mode if DMA is enabled Greg Kroah-Hartman
2019-08-09 0:36 ` [PATCH 5.2 00/56] 5.2.8-stable review shuah
2019-08-09 6:30 ` Greg Kroah-Hartman
2019-08-09 7:45 ` Naresh Kamboju
2019-08-09 8:42 ` Greg Kroah-Hartman
2019-08-09 14:48 ` Thierry Reding
2019-08-09 14:48 ` Thierry Reding
2019-08-09 15:49 ` Greg Kroah-Hartman
2019-08-09 15:37 ` Guenter Roeck
2019-08-09 15:48 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190808190453.725834754@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=davem@davemloft.net \
--cc=jiri@mellanox.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.