From: Ido Schimmel
Subject: Re: [PATCH net] ipv6: don't let tb6_root node share routes with other node
Date: Sat, 20 Jan 2018 00:17:12 +0200
Message-ID: <20180119221712.GA16926@splinter>
References: <20180118184003.82818-1-tracywwnj@gmail.com> <20180118224631.72rxcu72purfsmy7@kafai-mbp.dhcp.thefacebook.com> <20180119211337.GA11334@splinter>
To: Wei Wang
Cc: Martin KaFai Lau, David Miller, Linux Kernel Network Developers, Eric Dumazet

On Fri, Jan 19, 2018 at 01:46:02PM -0800, Wei Wang wrote:
> On Fri, Jan 19, 2018 at 1:36 PM, Wei Wang wrote:
> >
> >
> > On Fri, Jan 19, 2018 at 1:13 PM, Ido Schimmel wrote:
> >> Hi Wei, Martin,
> >>
> >> On Thu, Jan 18, 2018 at 03:31:29PM -0800, Wei Wang wrote:
> >>> On Thu, Jan 18, 2018 at 2:47 PM, Martin KaFai Lau wrote:
> >>> > On Thu, Jan 18, 2018 at 10:40:03AM -0800, Wei Wang wrote:
> >>> >> From: Wei Wang
> >>> >>
> >>> >> After commit 4512c43eac7e, if we add a route to the subtree of tb6_root
> >>> >> which does not have any route attached to it yet, the current code will
> >>> >> let tb6_root and the node in the subtree share the same route.
> >>> >> This could cause problems because tb6_root has the RTN_INFO flag marked and
> >>> >> the
> >>> > You meant the RTN_RTINFO check in fib6_purge_rt()?
> >>> >
> >>> Yes. Exactly.
> >>
> >> The check in fib6_purge_rt() is indeed problematic as tb6_root will not
> >> release its reference on the deleted route. I can easily reproduce that
> >> on my system.
> >> However, I don't understand how come we end up with a
> >> use-after-free given tb6_root takes a reference on the route?
> >>
>
> (Resending with plain txt format)
>
> Hi Ido,
>
> I think the use-after-free does not really happen on the route that is being
> falsely shared, but on the route which that route's rt6i_next is pointing to.
> Nothing could prevent rt->rt6i_next from being released.

Yep, I considered it, then confused myself and disqualified the possibility,
but you're right.

FWIW, here's the reproducer:

ip -6 route add default from 2001:db8::/64 dev dummy0 metric 1
ip -6 route append default from 2001:db8::/64 dev dummy0 metric 2
ip -6 route del default from 2001:db8::/64 dev dummy0 metric 1
ip -6 route del default from 2001:db8::/64 dev dummy0 metric 2
ip -6 route show

Thanks!
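The mechanism the thread settles on (tb6_root keeps a reference on the deleted route, so that route's rt6i_next is never re-pointed and ends up naming a route that has since been freed) can be walked through on a toy model of the FIB tree. The following is an added example, not kernel code and not something posted in this thread: struct route / struct node are stand-ins for struct rt6_info / struct fib6_node, the RTN_RTINFO value is arbitrary, the free is simulated with a flag so the dangling pointer can be inspected instead of dereferenced, and run_repro() replays the four commands of the reproducer above with and without the root/subtree sharing.

```c
/* Added illustration of the tb6_root route-sharing bug, not kernel code.
 * Structures and names are simplified stand-ins for the IPv6 FIB. */
#include <stdbool.h>
#include <stdlib.h>

#define RTN_RTINFO 0x1  /* flag name from the thread; the value is made up here */

struct route {
    int metric;
    int ref;              /* stand-in for rt6i_ref */
    bool freed;           /* simulated free, so a dangling pointer can be inspected */
    struct route *next;   /* stand-in for rt6i_next */
};

struct node {
    unsigned flags;
    struct node *parent;
    struct route *leaf;   /* head of this node's route list */
};

struct repro_result {
    bool dangling_next;   /* a dump starting at tb6_root reaches a freed route */
    int deleted_ref;      /* references still held on the first deleted route */
};

static struct route *route_new(int metric)
{
    struct route *rt = calloc(1, sizeof(*rt));
    rt->metric = metric;
    return rt;
}

static void route_put(struct route *rt)
{
    if (--rt->ref == 0)
        rt->freed = true; /* the kernel would release the memory here */
}

/* Append rt to the tail of fn's list (ip -6 route append). */
static void add_route(struct node *fn, struct route *rt)
{
    struct route **pp = &fn->leaf;
    while (*pp)
        pp = &(*pp)->next;
    *pp = rt;
    rt->ref++;
}

/* Model of the fib6_purge_rt() ascendant walk: a node that merely borrows the
 * deleted route as its leaf is re-pointed at a replacement and drops its
 * reference, but a node flagged RTN_RTINFO is skipped and keeps it. */
static void purge_route(struct route *rt, struct node *fn, struct route *replacement)
{
    for (; fn; fn = fn->parent) {
        if (!(fn->flags & RTN_RTINFO) && fn->leaf == rt) {
            fn->leaf = replacement;
            if (replacement)
                replacement->ref++;
            route_put(rt);
        }
    }
}

/* Delete the head route of fn's list; rt->next is deliberately left as-is,
 * since the kernel does not clear it either. */
static void del_head_route(struct node *fn)
{
    struct route *rt = fn->leaf;
    fn->leaf = rt->next;
    purge_route(rt, fn->parent, fn->leaf);
    route_put(rt);
}

/* Does a dump (ip -6 route show) starting at fn touch a freed route? */
static bool walk_hits_freed(const struct node *fn)
{
    for (const struct route *rt = fn->leaf; rt; rt = rt->next)
        if (rt->freed)
            return true;
    return false;
}

/* Replay the reproducer. share_with_root=true models the behaviour the thread
 * describes: tb6_root's leaf is pointed at the subtree node's first route. */
struct repro_result run_repro(bool share_with_root)
{
    struct node root = { .flags = RTN_RTINFO };              /* tb6_root */
    struct node sub = { .flags = RTN_RTINFO, .parent = &root }; /* source subtree node */
    struct route *rt1 = route_new(1), *rt2 = route_new(2);
    struct repro_result res;

    add_route(&sub, rt1);          /* ip -6 route add ... metric 1 */
    if (share_with_root) {
        root.leaf = rt1;           /* the bug: tb6_root shares the subtree's route */
        rt1->ref++;
    }
    add_route(&sub, rt2);          /* ip -6 route append ... metric 2 */
    del_head_route(&sub);          /* ip -6 route del ... metric 1 */
    del_head_route(&sub);          /* ip -6 route del ... metric 2 */

    res.dangling_next = walk_hits_freed(&root);
    res.deleted_ref = rt1->ref;
    free(rt1);
    free(rt2);
    return res;
}
```

With sharing enabled, rt1 survives the first delete with one reference (held by tb6_root, which purge_route() skips because of RTN_RTINFO), and its next pointer still names rt2 after the second delete has freed it, so the walk from tb6_root hits freed memory. Without the sharing, tb6_root never points into the subtree's list and the same command sequence is harmless.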