From: thinker.li@gmail.com
To: netdev@vger.kernel.org, martin.lau@linux.dev,
kernel-team@meta.com, davem@davemloft.net, kuba@kernel.org,
pabeni@redhat.com, dsahern@kernel.org, edumazet@google.com
Cc: sinquersw@gmail.com, kuifeng@meta.com,
Kui-Feng Lee <thinker.li@gmail.com>
Subject: [PATCH net-next v3 0/2] Fix dangling pointer at f6i->gc_link.
Date: Wed, 13 Dec 2023 13:37:33 -0800 [thread overview]
Message-ID: <20231213213735.434249-1-thinker.li@gmail.com> (raw)
From: Kui-Feng Lee <thinker.li@gmail.com>
According to a report [1], f6i->gc_link may point to a freed block,
causing a use-after-free. According to the stacktraces in the report, it is
very likely that an f6i was added to the GC list after being removed
from the tree of a fib6_table. The reason this can happen is that the
current implementation determines whether an f6i is on a tree in the wrong
way. It believes an f6i is on a tree if f6i->fib6_table is not NULL.
However, f6i->fib6_table is not reset when the f6i is removed from a tree.

The new solution is to check whether f6i->fib6_node is not NULL as well.
f6i->fib6_node is set or reset when the f6i is added to or removed
from a tree. It can be used to determine reliably whether an f6i is on
a tree.

The other change is to determine whether an f6i is on a GC list. The
current implementation relies on RTF_EXPIRES in fib6_flags. It needs
to consider whether the f6i is on a tree as well. The new solution is to
check hlist_unhashed() on f6i->gc_link, a clear piece of evidence, instead.
[1] https://lore.kernel.org/all/20231205173250.2982846-1-edumazet@google.com/
---
Major changes from v2:
- Ensure dependencies of checks in the test cases.
Major changes from v1:
- Split fib6_set_expires_locked() and fib6_clean_expires_locked()
- Use hlist_unhashed() on gc_link instead of checking RTF_EXPIRES to
determine if a f6i is on a GC list.
- Add tests on toggling routes between permanent and temporary.
v2: https://lore.kernel.org/all/20231208194523.312416-1-thinker.li@gmail.com/
v1: https://lore.kernel.org/all/20231207221627.746324-1-thinker.li@gmail.com/
Kui-Feng Lee (2):
net/ipv6: insert a f6i to a GC list only if the f6i is in a fib6_table
tree.
selftests: fib_tests: Add tests for toggling between w/ and w/o
expires.
include/net/ip6_fib.h | 46 +++++++++----
net/ipv6/route.c | 6 +-
tools/testing/selftests/net/fib_tests.sh | 82 +++++++++++++++++++++++-
3 files changed, 118 insertions(+), 16 deletions(-)
--
2.34.1
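The two membership checks the cover letter describes, modelled in userspace as an added example. This is not kernel code and not part of the series: the hlist helpers are a minimal reimplementation with the kernel's pprev semantics, and `toy_table`, `toy_f6i`, `toy_set_expires`, `toy_clean_expires` and the two scenario functions are assumed stand-ins for `fib6_table`, `fib6_info` and the expires helpers. The first scenario reproduces the report's ordering (insert, remove, then mark as expiring) and shows that the old `fib6_table != NULL` test still links the removed entry, leaving a `gc_link` in the table's GC list that would dangle once the entry is freed, while the `fib6_node` test refuses. The second walks the toggle the selftests exercise, using `hlist_unhashed()` on `gc_link` as the only evidence of GC-list membership.

```c
#include <stdbool.h>
#include <stddef.h>

/* Minimal hlist with the kernel's semantics: pprev == NULL means unhashed. */
struct hlist_node { struct hlist_node *next, **pprev; };
struct hlist_head { struct hlist_node *first; };

static bool hlist_unhashed(const struct hlist_node *h) { return h->pprev == NULL; }

static void hlist_add_head(struct hlist_node *n, struct hlist_head *h)
{
    n->next = h->first;
    if (h->first)
        h->first->pprev = &n->next;
    h->first = n;
    n->pprev = &h->first;
}

static void hlist_del_init(struct hlist_node *n)
{
    if (hlist_unhashed(n))
        return;
    *n->pprev = n->next;
    if (n->next)
        n->next->pprev = n->pprev;
    n->next = NULL;
    n->pprev = NULL;
}

/* Toy stand-ins for fib6_table / fib6_node / fib6_info (assumed shapes). */
struct toy_table { struct hlist_head gc_list; };
struct toy_node  { int unused; };
struct toy_f6i {
    struct toy_table *fib6_table; /* set on insert, never cleared (as the report says) */
    struct toy_node  *fib6_node;  /* set on insert, cleared on removal */
    struct hlist_node gc_link;
};

static void tree_insert(struct toy_f6i *f, struct toy_table *t, struct toy_node *n)
{
    f->fib6_table = t;
    f->fib6_node = n;
}

static void tree_remove(struct toy_f6i *f)
{
    hlist_del_init(&f->gc_link); /* leave the GC list together with the tree */
    f->fib6_node = NULL;         /* fib6_table intentionally stays stale */
}

/* Old test: on a tree iff fib6_table != NULL. Wrong after removal. */
static bool on_tree_old(const struct toy_f6i *f) { return f->fib6_table != NULL; }

/* New test: fib6_node is set and cleared together with the tree, so use it too. */
static bool on_tree_new(const struct toy_f6i *f)
{
    return f->fib6_table != NULL && f->fib6_node != NULL;
}

/* GC-list membership read from gc_link itself instead of a flag bit. */
static bool on_gc_list(const struct toy_f6i *f) { return !hlist_unhashed(&f->gc_link); }

/* Toy "set expires": link into the table's GC list only when the entry is on a
 * tree. Returns true if it was linked. Under on_tree_old a removed entry is
 * still linked, which is the dangling gc_link the fix prevents. */
static bool toy_set_expires(struct toy_f6i *f, bool (*on_tree)(const struct toy_f6i *))
{
    if (!on_tree(f) || on_gc_list(f))
        return false;
    hlist_add_head(&f->gc_link, &f->fib6_table->gc_list);
    return true;
}

/* Toy "clean expires": route becomes permanent, so drop it from the GC list. */
static void toy_clean_expires(struct toy_f6i *f) { hlist_del_init(&f->gc_link); }

/* Report ordering: insert, remove, then mark as expiring. Returns 1 when the
 * old check wrongly links the removed entry while the new check refuses. */
int removed_entry_scenario(void)
{
    struct toy_table t = { { NULL } };
    struct toy_node n = { 0 };
    struct toy_f6i f = { NULL, NULL, { NULL, NULL } };

    tree_insert(&f, &t, &n);
    tree_remove(&f);
    bool old_linked = toy_set_expires(&f, on_tree_old);
    toy_clean_expires(&f); /* undo, so the new check starts from the same state */
    bool new_linked = toy_set_expires(&f, on_tree_new);
    return old_linked && !new_linked;
}

/* Toggle walked by the selftests: temporary -> permanent -> temporary -> removed.
 * Returns the number of steps whose GC-list state matched expectations (4). */
int toggle_scenario(void)
{
    struct toy_table t = { { NULL } };
    struct toy_node n = { 0 };
    struct toy_f6i f = { NULL, NULL, { NULL, NULL } };
    int ok = 0;

    tree_insert(&f, &t, &n);
    ok += toy_set_expires(&f, on_tree_new) && on_gc_list(&f); /* temporary */
    toy_clean_expires(&f);
    ok += !on_gc_list(&f);                                     /* permanent */
    ok += toy_set_expires(&f, on_tree_new) && on_gc_list(&f); /* temporary again */
    tree_remove(&f);
    ok += !on_gc_list(&f) && t.gc_list.first == NULL;          /* nothing left dangling */
    return ok;
}
```

The point to take from the model is the one the series makes: a pointer that is set on insert but never cleared on removal cannot serve as a membership test, whereas `fib6_node` and the `gc_link` hash state are both maintained symmetrically and can.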