From patchwork Wed Dec 13 21:37:33 2023
X-Patchwork-Submitter: Kui-Feng Lee
X-Patchwork-Id: 13491898
From: thinker.li@gmail.com
To: netdev@vger.kernel.org, martin.lau@linux.dev, kernel-team@meta.com, davem@davemloft.net, kuba@kernel.org, pabeni@redhat.com, dsahern@kernel.org, edumazet@google.com
Cc: sinquersw@gmail.com, kuifeng@meta.com, Kui-Feng Lee
Subject: [PATCH net-next v3 0/2] Fix dangling pointer at f6i->gc_link.
Date: Wed, 13 Dec 2023 13:37:33 -0800
Message-Id: <20231213213735.434249-1-thinker.li@gmail.com>
X-Mailing-List: netdev@vger.kernel.org
X-Patchwork-Delegate: kuba@kernel.org

From: Kui-Feng Lee

According to a report [1], f6i->gc_link may point to a freed block, causing a use-after-free. According to the stack traces in the report, it is very likely that a f6i was added to the GC list after being removed from the tree of a fib6_table.

The reason this can happen is that the current implementation determines whether a f6i is on a tree in the wrong way. It believes a f6i is on a tree if f6i->fib6_table is not NULL. However, f6i->fib6_table is not reset when the f6i is removed from a tree.

The new solution is to check whether f6i->fib6_node is not NULL as well. f6i->fib6_node is set or reset when the f6i is added to or removed from a tree, so it can be used to determine reliably whether a f6i is on a tree.
The other change is to determine whether a f6i is on a GC list. The current implementation relies on RTF_EXPIRES in fib6_flags. It needs to consider whether a f6i is on a tree as well. The new solution is to check hlist_unhashed() on f6i->gc_link, which is clear evidence, instead.

[1] https://lore.kernel.org/all/20231205173250.2982846-1-edumazet@google.com/

---
Major changes from v2:
 - Ensure dependencies of checks in the test cases.

Major changes from v1:
 - Split fib6_set_expires_locked() and fib6_clean_expires_locked()
 - Use hlist_unhashed() on gc_link instead of checking RTF_EXPIRES to determine if a f6i is on a GC list.
 - Add tests on toggling routes between permanent and temporary.

v2: https://lore.kernel.org/all/20231208194523.312416-1-thinker.li@gmail.com/
v1: https://lore.kernel.org/all/20231207221627.746324-1-thinker.li@gmail.com/

Kui-Feng Lee (2):
  net/ipv6: insert a f6i to a GC list only if the f6i is in a fib6_table tree.
  selftests: fib_tests: Add tests for toggling between w/ and w/o expires.

 include/net/ip6_fib.h                    | 46 +++++++++----
 net/ipv6/route.c                         |  6 +-
 tools/testing/selftests/net/fib_tests.sh | 82 +++++++++++++++++++++++-
 3 files changed, 118 insertions(+), 16 deletions(-)
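The two checks the cover letter contrasts can be exercised outside the kernel. The block below is an added userspace model written for this page, not code from the patch series or from the kernel tree: the hlist helpers mirror the semantics of the kernel's list.h (pprev == NULL means unhashed), but the struct layouts, the fib6_tree_add()/fib6_tree_del() helpers and the set_expires_old()/set_expires_new() variants are simplified stand-ins with no locking or refcounting. They keep only the fields the cover letter reasons about, and set_expires_old() models the two assumptions it identifies as wrong (fib6_table != NULL means "on a tree", RTF_EXPIRES means "on the GC list"), while set_expires_new() models the fixed reasoning (fib6_node must also be set, and the link itself is tested with hlist_unhashed()).

```c
/* Added userspace model of the fib6 GC-list bookkeeping; not kernel code.
 * hlist helpers follow list.h semantics; everything else is a stand-in. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define RTF_EXPIRES 0x00400000u

/* Minimal hlist: a node with pprev == NULL is not on any list. */
struct hlist_node { struct hlist_node *next, **pprev; };
struct hlist_head { struct hlist_node *first; };

static bool hlist_unhashed(const struct hlist_node *n) { return n->pprev == NULL; }

static void hlist_add_head(struct hlist_node *n, struct hlist_head *h)
{
	n->next = h->first;
	if (h->first)
		h->first->pprev = &n->next;
	h->first = n;
	n->pprev = &h->first;
}

static void hlist_del_init(struct hlist_node *n)
{
	if (hlist_unhashed(n))
		return;
	*n->pprev = n->next;
	if (n->next)
		n->next->pprev = n->pprev;
	n->next = NULL;
	n->pprev = NULL;
}

struct fib6_table { struct hlist_head tb6_gc_hlist; };
struct fib6_node  { int placeholder; };

struct fib6_info {
	struct fib6_table *fib6_table; /* stays set after tree removal */
	struct fib6_node  *fib6_node;  /* cleared on tree removal */
	struct hlist_node  gc_link;
	unsigned int       fib6_flags;
	unsigned long      expires;
};

static void fib6_tree_add(struct fib6_info *f6i, struct fib6_table *tb, struct fib6_node *fn)
{
	f6i->fib6_table = tb;
	f6i->fib6_node = fn;
}

/* Removal as the cover letter describes it: the info leaves the GC list and
 * fib6_node is reset, but fib6_table is left pointing at the table. */
static void fib6_tree_del(struct fib6_info *f6i)
{
	hlist_del_init(&f6i->gc_link);
	f6i->fib6_node = NULL;
}

/* Old reasoning: "on a tree" == fib6_table != NULL, "on GC list" == RTF_EXPIRES. */
static void set_expires_old(struct fib6_info *f6i, unsigned long expires)
{
	if (f6i->fib6_table && !(f6i->fib6_flags & RTF_EXPIRES))
		hlist_add_head(&f6i->gc_link, &f6i->fib6_table->tb6_gc_hlist);
	f6i->expires = expires;
	f6i->fib6_flags |= RTF_EXPIRES;
}

/* New reasoning: fib6_node must be set too, and the link itself is tested. */
static void set_expires_new(struct fib6_info *f6i, unsigned long expires)
{
	if (f6i->fib6_table && f6i->fib6_node && hlist_unhashed(&f6i->gc_link))
		hlist_add_head(&f6i->gc_link, &f6i->fib6_table->tb6_gc_hlist);
	f6i->expires = expires;
	f6i->fib6_flags |= RTF_EXPIRES;
}

/* Scenario 1: remove from the tree, then set expires. Returns true when the
 * table's GC list now references an info that is no longer in the tree, i.e.
 * the gc_link that would dangle once the info is freed. */
static bool gc_linked_after_delete(void (*set_expires)(struct fib6_info *, unsigned long))
{
	struct fib6_table tb = { { NULL } };
	struct fib6_node fn = { 0 };
	struct fib6_info f6i = { NULL, NULL, { NULL, NULL }, 0, 0 };

	fib6_tree_add(&f6i, &tb, &fn);
	fib6_tree_del(&f6i);
	set_expires(&f6i, 100);
	return tb.tb6_gc_hlist.first == &f6i.gc_link;
}

/* Scenario 2: expires set before the info is in any table, then again after
 * insertion. In this model the RTF_EXPIRES-based check never links the route,
 * because the flag is already set; the hlist_unhashed()-based check does. */
static bool gc_linked_after_reinsert(void (*set_expires)(struct fib6_info *, unsigned long))
{
	struct fib6_table tb = { { NULL } };
	struct fib6_node fn = { 0 };
	struct fib6_info f6i = { NULL, NULL, { NULL, NULL }, 0, 0 };

	set_expires(&f6i, 100);
	fib6_tree_add(&f6i, &tb, &fn);
	set_expires(&f6i, 200);
	return !hlist_unhashed(&f6i.gc_link);
}

int main(void)
{
	printf("after delete  : old=%d new=%d\n",
	       gc_linked_after_delete(set_expires_old), gc_linked_after_delete(set_expires_new));
	printf("after reinsert: old=%d new=%d\n",
	       gc_linked_after_reinsert(set_expires_old), gc_linked_after_reinsert(set_expires_new));
	return 0;
}
```

Scenario 1 is the shape of the report the cover letter cites: the old check links the removed info into the table's GC list because fib6_table still looks valid, while the new check refuses because fib6_node is NULL. Scenario 2 is the model's version of the toggling case the selftests add: trusting RTF_EXPIRES as "already on the list" silently skips the insertion, whereas asking the hlist node directly gives the right answer regardless of how the flag was previously set.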