diff mbox series

[net] xfrm6: fix inet6_dev refcount underflow problem

Message ID 1694776841-30837-1-git-send-email-zhangchangzhong@huawei.com (mailing list archive)
State Not Applicable
Delegated to: Netdev Maintainers
Headers show
Series [net] xfrm6: fix inet6_dev refcount underflow problem | expand

Checks

Context Check Description
netdev/series_format success Single patches do not need cover letters
netdev/tree_selection success Clearly marked for net
netdev/fixes_present success Fixes tag present in non-next series
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 1340 this patch: 1340
netdev/cc_maintainers success CCed 9 of 9 maintainers
netdev/build_clang success Errors and warnings before: 1363 this patch: 1363
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/deprecated_api success None detected
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes success Fixes tag looks correct
netdev/build_allmodconfig_warn success Errors and warnings before: 1363 this patch: 1363
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 12 lines checked
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0

Commit Message

Zhang Changzhong Sept. 15, 2023, 11:20 a.m. UTC 
There are race conditions that may lead to inet6_dev refcount underflow
in xfrm6_dst_destroy() and rt6_uncached_list_flush_dev().

One of the refcount underflow bugs is shown below:
	(cpu 1)                	|	(cpu 2)
xfrm6_dst_destroy()             |
  ...                           |
  in6_dev_put()                 |
				|  rt6_uncached_list_flush_dev()
  ...				|    ...
				|    in6_dev_put()
  rt6_uncached_list_del()       |    ...
  ...                           |

xfrm6_dst_destroy() calls rt6_uncached_list_del() after in6_dev_put(),
so rt6_uncached_list_flush_dev() has a chance to call in6_dev_put()
again for the same inet6_dev.

Fix it by moving in6_dev_put() after rt6_uncached_list_del() in
xfrm6_dst_destroy().

Fixes: 510c321b5571 ("xfrm: reuse uncached_list to track xdsts")
Signed-off-by: Zhang Changzhong <zhangchangzhong@huawei.com>
---
 net/ipv6/xfrm6_policy.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

Comments

Xin Long Sept. 15, 2023, 6:51 p.m. UTC | #1 
On Fri, Sep 15, 2023 at 6:54 AM Zhang Changzhong
<zhangchangzhong@huawei.com> wrote:
>
> There are race conditions that may lead to inet6_dev refcount underflow
> in xfrm6_dst_destroy() and rt6_uncached_list_flush_dev().
>
> One of the refcount underflow bugs is shown below:
>         (cpu 1)                 |       (cpu 2)
> xfrm6_dst_destroy()             |
>   ...                           |
>   in6_dev_put()                 |
>                                 |  rt6_uncached_list_flush_dev()
>   ...                           |    ...
>                                 |    in6_dev_put()
>   rt6_uncached_list_del()       |    ...
>   ...                           |
>
> xfrm6_dst_destroy() calls rt6_uncached_list_del() after in6_dev_put(),
> so rt6_uncached_list_flush_dev() has a chance to call in6_dev_put()
> again for the same inet6_dev.
>
> Fix it by moving in6_dev_put() after rt6_uncached_list_del() in
> xfrm6_dst_destroy().
>
> Fixes: 510c321b5571 ("xfrm: reuse uncached_list to track xdsts")
> Signed-off-by: Zhang Changzhong <zhangchangzhong@huawei.com>
> ---
>  net/ipv6/xfrm6_policy.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/net/ipv6/xfrm6_policy.c b/net/ipv6/xfrm6_policy.c
> index 41a680c..42fb6996 100644
> --- a/net/ipv6/xfrm6_policy.c
> +++ b/net/ipv6/xfrm6_policy.c
> @@ -117,10 +117,10 @@ static void xfrm6_dst_destroy(struct dst_entry *dst)
>  {
>         struct xfrm_dst *xdst = (struct xfrm_dst *)dst;
>
> -       if (likely(xdst->u.rt6.rt6i_idev))
> -               in6_dev_put(xdst->u.rt6.rt6i_idev);
>         dst_destroy_metrics_generic(dst);
>         rt6_uncached_list_del(&xdst->u.rt6);
> +       if (likely(xdst->u.rt6.rt6i_idev))
> +               in6_dev_put(xdst->u.rt6.rt6i_idev);
>         xfrm_dst_destroy(xdst);
>  }
>
> --
> 2.9.5
>
Reviewed-by: Xin Long <lucien.xin@gmail.com>
Thanks.
Steffen Klassert Sept. 25, 2023, 5:41 a.m. UTC | #2 
On Fri, Sep 15, 2023 at 07:20:41PM +0800, Zhang Changzhong wrote:
> There are race conditions that may lead to inet6_dev refcount underflow
> in xfrm6_dst_destroy() and rt6_uncached_list_flush_dev().
> 
> One of the refcount underflow bugs is shown below:
> 	(cpu 1)                	|	(cpu 2)
> xfrm6_dst_destroy()             |
>   ...                           |
>   in6_dev_put()                 |
> 				|  rt6_uncached_list_flush_dev()
>   ...				|    ...
> 				|    in6_dev_put()
>   rt6_uncached_list_del()       |    ...
>   ...                           |
> 
> xfrm6_dst_destroy() calls rt6_uncached_list_del() after in6_dev_put(),
> so rt6_uncached_list_flush_dev() has a chance to call in6_dev_put()
> again for the same inet6_dev.
> 
> Fix it by moving in6_dev_put() after rt6_uncached_list_del() in
> xfrm6_dst_destroy().
> 
> Fixes: 510c321b5571 ("xfrm: reuse uncached_list to track xdsts")
> Signed-off-by: Zhang Changzhong <zhangchangzhong@huawei.com>

Applied, thanks a lot!
diff mbox series

Patch

diff --git a/net/ipv6/xfrm6_policy.c b/net/ipv6/xfrm6_policy.c
index 41a680c..42fb6996 100644
--- a/net/ipv6/xfrm6_policy.c
+++ b/net/ipv6/xfrm6_policy.c
@@ -117,10 +117,10 @@  static void xfrm6_dst_destroy(struct dst_entry *dst)
 {
 	struct xfrm_dst *xdst = (struct xfrm_dst *)dst;
 
-	if (likely(xdst->u.rt6.rt6i_idev))
-		in6_dev_put(xdst->u.rt6.rt6i_idev);
 	dst_destroy_metrics_generic(dst);
 	rt6_uncached_list_del(&xdst->u.rt6);
+	if (likely(xdst->u.rt6.rt6i_idev))
+		in6_dev_put(xdst->u.rt6.rt6i_idev);
 	xfrm_dst_destroy(xdst);
 }