From: Nicolas Dichtel <nicolas.dichtel@6wind.com>
To: Steven Rostedt <rostedt@goodmis.org>
Cc: linux-kernel@vger.kernel.org, netdev@vger.kernel.org,
stable <stable@vger.kernel.org>,
Clark Williams <williams@redhat.com>,
"Luis Claudio R. Goncalves" <lclaudio@uudg.org>,
John Kacur <jkacur@redhat.com>,
Willem de Bruijn <willemb@google.com>
Subject: Re: [PATCH 0/2] [BUG FIXES - 3.10.27] sit: More backports
Date: Thu, 30 Jan 2014 10:28:43 +0100 [thread overview]
Message-ID: <52EA1B4B.5080403@6wind.com> (raw)
In-Reply-To: <20140129154811.27fbaf13@gandalf.local.home>
Le 29/01/2014 21:48, Steven Rostedt a écrit :
> On Wed, 29 Jan 2014 17:04:12 +0100
> Nicolas Dichtel <nicolas.dichtel@6wind.com> wrote:
>
>> Your patch serie seems to be the good way to go (note that patch 1/2 does not
>> compile) but I think the fix is smaller because we don't have x-netns.
>>
>> Here is my proposal, if you agree, I will send the same patch for ip6_tunnnel,
>> which have the netns leak.
>>
>
> Hold on. Seems that the kernels that were being tested in QA had more
> code than what I was testing. Clark had backported "sit: fix use after
> free of fb_tunnel_dev" and that was what was causing the
> unlist_netdevice() to be missed.
>
> When I started working on vanilla 3.10.27 as well, I first did my
> original patch (which just removes the call to
> unregister_netdevice_queue() from sit_exit_net()). I asked to have that
> added to our kernel for testing, and they told me it was already there
> via Clark's backport. Then I did the full backport as well and looked
> for the leak. I'm now thinking that the full backport is not needed as
> that was what caused the leak.
>
> According to commit 9434266f2c645d4fcf62a03a8e36ad8075e37943 "sit: fix
> use after free of fb_tunnel_dev", it states:
>
> Bug: The fallback device is created in sit_init_net and assumed to
> be freed in sit_exit_net. First, it is dereferenced in that
> function, in sit_destroy_tunnels:
>
> struct net *net = dev_net(sitn->fb_tunnel_dev);
>
> Prior to this, rtnl_unlink_register has removed all devices that
> match rtnl_link_ops == sit_link_ops.
>
> Commit 205983c43700 added the line
>
> + sitn->fb_tunnel_dev->rtnl_link_ops = &sit_link_ops;
>
> which cases the fallback device to match here and be freed before it
> is last dereferenced.
>
> Commit 205983c43700 was backported to 3.10, but without commit
> 5e6700b3bf98 "sit: add support of x-netns" which was what added the
>
> net = dev_net(sitn->fb_tunnel_dev);
>
> Which looks to me that the only reason I need to port back commit
> 5e6700b3bf98 is if I add the full backport of 9434266f2c645d4f.
>
> Seems to me that my original patch may be good enough. The one that I
> said this series obsoletes.
>
> Note, I've talked with the people that are doing the testing, and I'm
> having them revert all changes except for that one fix and rerun the
> tests again. I should know the results by tomorrow.
>
> Let me know if "sit: fix use after free of fb_tunnel_dev" still needs
> to be backported due to some other way that the fallback device can be
> dereferenced after being freed.
Steve, I think the patch I sent yesterday is the good fix. At the end, it's
a backport of Willem's patch. Note that he also ack that patch.
The first version you sent (which removes
unregister_netdevice_queue(sitn->fb_tunnel_dev, &list)) will introduce a
memory leak when the user destroy a netns.
WARNING: multiple messages have this Message-ID (diff)
From: Nicolas Dichtel <nicolas.dichtel@6wind.com>
To: Steven Rostedt <rostedt@goodmis.org>
Cc: linux-kernel@vger.kernel.org, netdev@vger.kernel.org,
stable <stable@vger.kernel.org>,
Clark Williams <williams@redhat.com>,
"Luis Claudio R. Goncalves" <lclaudio@uudg.org>,
John Kacur <jkacur@redhat.com>,
Willem de Bruijn <willemb@google.com>
Subject: Re: [PATCH 0/2] [BUG FIXES - 3.10.27] sit: More backports
Date: Thu, 30 Jan 2014 10:28:43 +0100 [thread overview]
Message-ID: <52EA1B4B.5080403@6wind.com> (raw)
In-Reply-To: <20140129154811.27fbaf13@gandalf.local.home>
Le 29/01/2014 21:48, Steven Rostedt a �crit :
> On Wed, 29 Jan 2014 17:04:12 +0100
> Nicolas Dichtel <nicolas.dichtel@6wind.com> wrote:
>
>> Your patch serie seems to be the good way to go (note that patch 1/2 does not
>> compile) but I think the fix is smaller because we don't have x-netns.
>>
>> Here is my proposal, if you agree, I will send the same patch for ip6_tunnnel,
>> which have the netns leak.
>>
>
> Hold on. Seems that the kernels that were being tested in QA had more
> code than what I was testing. Clark had backported "sit: fix use after
> free of fb_tunnel_dev" and that was what was causing the
> unlist_netdevice() to be missed.
>
> When I started working on vanilla 3.10.27 as well, I first did my
> original patch (which just removes the call to
> unregister_netdevice_queue() from sit_exit_net()). I asked to have that
> added to our kernel for testing, and they told me it was already there
> via Clark's backport. Then I did the full backport as well and looked
> for the leak. I'm now thinking that the full backport is not needed as
> that was what caused the leak.
>
> According to commit 9434266f2c645d4fcf62a03a8e36ad8075e37943 "sit: fix
> use after free of fb_tunnel_dev", it states:
>
> Bug: The fallback device is created in sit_init_net and assumed to
> be freed in sit_exit_net. First, it is dereferenced in that
> function, in sit_destroy_tunnels:
>
> struct net *net = dev_net(sitn->fb_tunnel_dev);
>
> Prior to this, rtnl_unlink_register has removed all devices that
> match rtnl_link_ops == sit_link_ops.
>
> Commit 205983c43700 added the line
>
> + sitn->fb_tunnel_dev->rtnl_link_ops = &sit_link_ops;
>
> which cases the fallback device to match here and be freed before it
> is last dereferenced.
>
> Commit 205983c43700 was backported to 3.10, but without commit
> 5e6700b3bf98 "sit: add support of x-netns" which was what added the
>
> net = dev_net(sitn->fb_tunnel_dev);
>
> Which looks to me that the only reason I need to port back commit
> 5e6700b3bf98 is if I add the full backport of 9434266f2c645d4f.
>
> Seems to me that my original patch may be good enough. The one that I
> said this series obsoletes.
>
> Note, I've talked with the people that are doing the testing, and I'm
> having them revert all changes except for that one fix and rerun the
> tests again. I should know the results by tomorrow.
>
> Let me know if "sit: fix use after free of fb_tunnel_dev" still needs
> to be backported due to some other way that the fallback device can be
> dereferenced after being freed.
Steve, I think the patch I sent yesterday is the good fix. At the end, it's
a backport of Willem's patch. Note that he also ack that patch.
The first version you sent (which removes
unregister_netdevice_queue(sitn->fb_tunnel_dev, &list)) will introduce a
memory leak when the user destroy a netns.
next prev parent reply other threads:[~2014-01-30 9:28 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-01-28 20:57 [PATCH 0/2] [BUG FIXES - 3.10.27] sit: More backports Steven Rostedt
2014-01-28 20:57 ` [PATCH 1/2] sit: Unregister sit devices with rtnl_link_ops Steven Rostedt
2014-01-28 20:57 ` [PATCH 2/2] sit: fix use after free of fb_tunnel_dev Steven Rostedt
2014-01-29 7:52 ` [PATCH 0/2] [BUG FIXES - 3.10.27] sit: More backports David Miller
2014-01-29 12:59 ` Steven Rostedt
2014-01-29 11:04 ` Nicolas Dichtel
2014-01-29 12:57 ` Steven Rostedt
2014-01-29 16:04 ` Nicolas Dichtel
2014-01-29 17:21 ` Willem de Bruijn
2014-01-29 20:48 ` Steven Rostedt
2014-01-30 9:28 ` Nicolas Dichtel [this message]
2014-01-30 9:28 ` Nicolas Dichtel
2014-01-30 10:09 ` [PATCH linux-3.10.y 1/3] sit: fix double free of fb_tunnel_dev on exit Nicolas Dichtel
2014-01-30 10:09 ` [PATCH linux-3.10.y 2/3] Revert "ip6tnl: fix use after free of fb_tnl_dev" Nicolas Dichtel
2014-01-30 10:09 ` [PATCH linux-3.10.y 3/3] ip6tnl: fix double free of fb_tnl_dev on exit Nicolas Dichtel
2014-01-30 13:31 ` [PATCH 0/2] [BUG FIXES - 3.10.27] sit: More backports Steven Rostedt
2014-01-30 13:42 ` Nicolas Dichtel
2014-01-30 13:42 ` Nicolas Dichtel
2014-01-30 22:10 ` Steven Rostedt
2014-01-31 8:24 ` [PATCH linux-3.10.y v2 1/3] sit: fix double free of fb_tunnel_dev on exit Nicolas Dichtel
2014-01-31 8:24 ` [PATCH linux-3.10.y v2 2/3] Revert "ip6tnl: fix use after free of fb_tnl_dev" Nicolas Dichtel
2014-01-31 8:24 ` [PATCH linux-3.10.y v2 3/3] ip6tnl: fix double free of fb_tnl_dev on exit Nicolas Dichtel
2014-01-31 17:19 ` [PATCH linux-3.10.y v2 1/3] sit: fix double free of fb_tunnel_dev " Steven Rostedt
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=52EA1B4B.5080403@6wind.com \
--to=nicolas.dichtel@6wind.com \
--cc=jkacur@redhat.com \
--cc=lclaudio@uudg.org \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=rostedt@goodmis.org \
--cc=stable@vger.kernel.org \
--cc=willemb@google.com \
--cc=williams@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.