From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, "Jason A. Donenfeld" <Jason@zx2c4.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 5.4 50/70] ipv6: fix memory leak in fib6_rule_suppress
Date: Mon, 6 Dec 2021 15:56:54 +0100 [thread overview]
Message-ID: <20211206145553.654660102@linuxfoundation.org> (raw)
In-Reply-To: <20211206145551.909846023@linuxfoundation.org>
From: msizanoen1 <msizanoen@qtmlabs.xyz>
commit cdef485217d30382f3bf6448c54b4401648fe3f1 upstream.
The kernel leaks memory when a `fib` rule is present in IPv6 nftables
firewall rules and a suppress_prefix rule is present in the IPv6 routing
rules (used by certain tools such as wg-quick). In such scenarios, every
incoming packet will leak an allocation in `ip6_dst_cache` slab cache.
After some hours of `bpftrace`-ing and source code reading, I tracked
down the issue to ca7a03c41753 ("ipv6: do not free rt if
FIB_LOOKUP_NOREF is set on suppress rule").
The problem with that change is that the generic `args->flags` always have
`FIB_LOOKUP_NOREF` set[1][2] but the IPv6-specific flag
`RT6_LOOKUP_F_DST_NOREF` might not be, leading to `fib6_rule_suppress` not
decreasing the refcount when needed.
How to reproduce:
- Add the following nftables rule to a prerouting chain:
meta nfproto ipv6 fib saddr . mark . iif oif missing drop
This can be done with:
sudo nft create table inet test
sudo nft create chain inet test test_chain '{ type filter hook prerouting priority filter + 10; policy accept; }'
sudo nft add rule inet test test_chain meta nfproto ipv6 fib saddr . mark . iif oif missing drop
- Run:
sudo ip -6 rule add table main suppress_prefixlength 0
- Watch `sudo slabtop -o | grep ip6_dst_cache` to see memory usage increase
with every incoming ipv6 packet.
This patch exposes the protocol-specific flags to the protocol
specific `suppress` function, and check the protocol-specific `flags`
argument for RT6_LOOKUP_F_DST_NOREF instead of the generic
FIB_LOOKUP_NOREF when decreasing the refcount, like this.
[1]: https://github.com/torvalds/linux/blob/ca7a03c4175366a92cee0ccc4fec0038c3266e26/net/ipv6/fib6_rules.c#L71
[2]: https://github.com/torvalds/linux/blob/ca7a03c4175366a92cee0ccc4fec0038c3266e26/net/ipv6/fib6_rules.c#L99
Link: https://bugzilla.kernel.org/show_bug.cgi?id=215105
Fixes: ca7a03c41753 ("ipv6: do not free rt if FIB_LOOKUP_NOREF is set on suppress rule")
Cc: stable@vger.kernel.org
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/net/fib_rules.h | 2 +-
net/core/fib_rules.c | 2 +-
net/ipv4/fib_rules.c | 2 +-
net/ipv6/fib6_rules.c | 5 ++---
4 files changed, 5 insertions(+), 6 deletions(-)
--- a/include/net/fib_rules.h
+++ b/include/net/fib_rules.h
@@ -68,7 +68,7 @@ struct fib_rules_ops {
int (*action)(struct fib_rule *,
struct flowi *, int,
struct fib_lookup_arg *);
- bool (*suppress)(struct fib_rule *,
+ bool (*suppress)(struct fib_rule *, int,
struct fib_lookup_arg *);
int (*match)(struct fib_rule *,
struct flowi *, int);
--- a/net/core/fib_rules.c
+++ b/net/core/fib_rules.c
@@ -300,7 +300,7 @@ jumped:
else
err = ops->action(rule, fl, flags, arg);
- if (!err && ops->suppress && ops->suppress(rule, arg))
+ if (!err && ops->suppress && ops->suppress(rule, flags, arg))
continue;
if (err != -EAGAIN) {
--- a/net/ipv4/fib_rules.c
+++ b/net/ipv4/fib_rules.c
@@ -137,7 +137,7 @@ static int fib4_rule_action(struct fib_r
return err;
}
-static bool fib4_rule_suppress(struct fib_rule *rule, struct fib_lookup_arg *arg)
+static bool fib4_rule_suppress(struct fib_rule *rule, int flags, struct fib_lookup_arg *arg)
{
struct fib_result *result = (struct fib_result *) arg->result;
struct net_device *dev = NULL;
--- a/net/ipv6/fib6_rules.c
+++ b/net/ipv6/fib6_rules.c
@@ -260,7 +260,7 @@ static int fib6_rule_action(struct fib_r
return __fib6_rule_action(rule, flp, flags, arg);
}
-static bool fib6_rule_suppress(struct fib_rule *rule, struct fib_lookup_arg *arg)
+static bool fib6_rule_suppress(struct fib_rule *rule, int flags, struct fib_lookup_arg *arg)
{
struct fib6_result *res = arg->result;
struct rt6_info *rt = res->rt6;
@@ -287,8 +287,7 @@ static bool fib6_rule_suppress(struct fi
return false;
suppress_route:
- if (!(arg->flags & FIB_LOOKUP_NOREF))
- ip6_rt_put(rt);
+ ip6_rt_put_flags(rt, flags);
return true;
}
next prev parent reply other threads:[~2021-12-06 15:23 UTC|newest]
Thread overview: 77+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-12-06 14:56 [PATCH 5.4 00/70] 5.4.164-rc1 review Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 5.4 01/70] NFSv42: Fix pagecache invalidation after COPY/CLONE Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 5.4 02/70] of: clk: Make <linux/of_clk.h> self-contained Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 5.4 03/70] arm64: dts: mcbin: support 2W SFP modules Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 5.4 04/70] can: j1939: j1939_tp_cmd_recv(): check the dst address of TP.CM_BAM Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 5.4 05/70] gfs2: Fix length of holes reported at end-of-file Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 5.4 06/70] drm/sun4i: fix unmet dependency on RESET_CONTROLLER for PHY_SUN6I_MIPI_DPHY Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 5.4 07/70] mac80211: do not access the IV when it was stripped Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 5.4 08/70] net/smc: Transfer remaining wait queue entries during fallback Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 5.4 09/70] atlantic: Fix OOB read and write in hw_atl_utils_fw_rpc_wait Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 5.4 10/70] net: return correct error code Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 5.4 11/70] platform/x86: thinkpad_acpi: Fix WWAN device disabled issue after S3 deep Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 5.4 12/70] s390/setup: avoid using memblock_enforce_memory_limit Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 5.4 13/70] btrfs: check-integrity: fix a warning on write caching disabled disk Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 5.4 14/70] thermal: core: Reset previous low and high trip during thermal zone init Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 5.4 15/70] scsi: iscsi: Unblock session then wake up error handler Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 5.4 16/70] ata: ahci: Add Green Sardine vendor ID as board_ahci_mobile Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 5.4 17/70] ethernet: hisilicon: hns: hns_dsaf_misc: fix a possible array overflow in hns_dsaf_ge_srst_by_port() Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 5.4 18/70] net: tulip: de4x5: fix the problem that the array lp->phy[8] may be out of bound Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 5.4 19/70] net: ethernet: dec: tulip: de4x5: fix possible array overflows in type3_infoblock() Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 5.4 20/70] perf hist: Fix memory leak of a perf_hpp_fmt Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 5.4 21/70] perf report: Fix memory leaks around perf_tip() Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 5.4 22/70] net/smc: Avoid warning of possible recursive locking Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 5.4 23/70] vrf: Reset IPCB/IP6CB when processing outbound pkts in vrf dev xmit Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 5.4 24/70] kprobes: Limit max data_size of the kretprobe instances Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 5.4 25/70] rt2x00: do not mark device gone on EPROTO errors during start Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 5.4 26/70] ipmi: Move remove_work to dedicated workqueue Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 5.4 27/70] cpufreq: Fix get_cpu_device() failure in add_cpu_dev_symlink() Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 5.4 28/70] s390/pci: move pseudo-MMIO to prevent MIO overlap Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 5.4 29/70] fget: check that the fd still exists after getting a ref to it Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 5.4 30/70] sata_fsl: fix UAF in sata_fsl_port_stop when rmmod sata_fsl Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 5.4 31/70] sata_fsl: fix warning in remove_proc_entry " Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 5.4 32/70] i2c: stm32f7: flush TX FIFO upon transfer errors Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 5.4 33/70] i2c: stm32f7: recover the bus on access timeout Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 5.4 34/70] i2c: stm32f7: stop dma transfer in case of NACK Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 5.4 35/70] i2c: cbus-gpio: set atomic transfer callback Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 5.4 36/70] natsemi: xtensa: fix section mismatch warnings Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 5.4 37/70] net: qlogic: qlcnic: Fix a NULL pointer dereference in qlcnic_83xx_add_rings() Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 5.4 38/70] net: mpls: Fix notifications when deleting a device Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 5.4 39/70] siphash: use _unaligned version by default Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 5.4 40/70] net/mlx4_en: Fix an use-after-free bug in mlx4_en_try_alloc_resources() Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 5.4 41/70] selftests: net: Correct case name Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 5.4 42/70] rxrpc: Fix rxrpc_local leak in rxrpc_lookup_peer() Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 5.4 43/70] net: usb: lan78xx: lan78xx_phy_init(): use PHY_POLL instead of "0" if no IRQ is available Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 5.4 44/70] net: marvell: mvpp2: Fix the computation of shared CPUs Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 5.4 45/70] net: annotate data-races on txq->xmit_lock_owner Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 5.4 46/70] ipv4: convert fib_num_tclassid_users to atomic_t Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 5.4 47/70] net/rds: correct socket tunable error in rds_tcp_tune() Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 5.4 48/70] net/smc: Keep smc_close_final rc during active close Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 5.4 49/70] drm/msm: Do hw_init() before capturing GPU state Greg Kroah-Hartman
2021-12-06 14:56 ` Greg Kroah-Hartman [this message]
2021-12-06 14:56 ` [PATCH 5.4 51/70] KVM: x86/pmu: Fix reserved bits for AMD PerfEvtSeln register Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 5.4 52/70] sched/uclamp: Fix rq->uclamp_max not set on first enqueue Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 5.4 53/70] parisc: Fix KBUILD_IMAGE for self-extracting kernel Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 5.4 54/70] parisc: Fix "make install" on newer debian releases Greg Kroah-Hartman
2021-12-06 14:56 ` [PATCH 5.4 55/70] vgacon: Propagate console boot parameters before calling `vc_resize Greg Kroah-Hartman
2021-12-06 14:57 ` [PATCH 5.4 56/70] xhci: Fix commad ring abort, write all 64 bits to CRCR register Greg Kroah-Hartman
2021-12-06 14:57 ` [PATCH 5.4 57/70] USB: NO_LPM quirk Lenovo Powered USB-C Travel Hub Greg Kroah-Hartman
2021-12-06 14:57 ` [PATCH 5.4 58/70] usb: typec: tcpm: Wait in SNK_DEBOUNCED until disconnect Greg Kroah-Hartman
2021-12-06 14:57 ` [PATCH 5.4 59/70] x86/tsc: Add a timer to make sure TSC_adjust is always checked Greg Kroah-Hartman
2021-12-06 14:57 ` [PATCH 5.4 60/70] x86/tsc: Disable clocksource watchdog for TSC on qualified platorms Greg Kroah-Hartman
2021-12-06 14:57 ` [PATCH 5.4 61/70] x86/64/mm: Map all kernel memory into trampoline_pgd Greg Kroah-Hartman
2021-12-06 14:57 ` [PATCH 5.4 62/70] tty: serial: msm_serial: Deactivate RX DMA for polling support Greg Kroah-Hartman
2021-12-06 14:57 ` [PATCH 5.4 63/70] serial: pl011: Add ACPI SBSA UART match id Greg Kroah-Hartman
2021-12-06 14:57 ` [PATCH 5.4 64/70] serial: core: fix transmit-buffer reset and memleak Greg Kroah-Hartman
2021-12-06 14:57 ` [PATCH 5.4 65/70] serial: 8250_pci: Fix ACCES entries in pci_serial_quirks array Greg Kroah-Hartman
2021-12-06 14:57 ` [PATCH 5.4 66/70] serial: 8250_pci: rewrite pericom_do_set_divisor() Greg Kroah-Hartman
2021-12-06 14:57 ` [PATCH 5.4 67/70] iwlwifi: mvm: retry init flow if failed Greg Kroah-Hartman
2021-12-06 14:57 ` [PATCH 5.4 68/70] parisc: Mark cr16 CPU clocksource unstable on all SMP machines Greg Kroah-Hartman
2021-12-06 14:57 ` [PATCH 5.4 69/70] net/tls: Fix authentication failure in CCM mode Greg Kroah-Hartman
2021-12-06 14:57 ` [PATCH 5.4 70/70] ipmi: msghandler: Make symbol remove_work_wq static Greg Kroah-Hartman
2021-12-06 18:57 ` [PATCH 5.4 00/70] 5.4.164-rc1 review Florian Fainelli
2021-12-06 21:57 ` Shuah Khan
2021-12-07 2:19 ` Samuel Zou
2021-12-07 9:16 ` Naresh Kamboju
2021-12-07 20:41 ` Guenter Roeck
2021-12-08 10:29 ` Sudip Mukherjee
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20211206145553.654660102@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=Jason@zx2c4.com \
--cc=davem@davemloft.net \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox