diff mbox series

[net] ipv4: drop dst in multicast routing path

Message ID 20220505020017.3111846-1-chris.packham@alliedtelesis.co.nz (mailing list archive)
State Accepted
Commit 9e6c6d17d1d6a3f1515ce399f9a011629ec79aa0
Delegated to: Netdev Maintainers
Headers show
Series [net] ipv4: drop dst in multicast routing path | expand

Checks

Context Check Description
netdev/tree_selection success Clearly marked for net
netdev/fixes_present success Fixes tag present in non-next series
netdev/subject_prefix success Link
netdev/cover_letter success Single patches do not need cover letters
netdev/patch_count success Link
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 3 this patch: 3
netdev/cc_maintainers success CCed 8 of 8 maintainers
netdev/build_clang success Errors and warnings before: 9 this patch: 9
netdev/module_param success Was 0 now: 0
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/verify_fixes success Fixes tag looks correct
netdev/build_allmodconfig_warn success Errors and warnings before: 3 this patch: 3
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 7 lines checked
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0

Commit Message

Chris Packham May 5, 2022, 2 a.m. UTC 
From: Lokesh Dhoundiyal <lokesh.dhoundiyal@alliedtelesis.co.nz>

kmemleak reports the following when routing multicast traffic over an
ipsec tunnel.

Kmemleak output:
unreferenced object 0x8000000044bebb00 (size 256):
  comm "softirq", pid 0, jiffies 4294985356 (age 126.810s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 80 00 00 00 05 13 74 80  ..............t.
    80 00 00 00 04 9b bf f9 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<00000000f83947e0>] __kmalloc+0x1e8/0x300
    [<00000000b7ed8dca>] metadata_dst_alloc+0x24/0x58
    [<0000000081d32c20>] __ipgre_rcv+0x100/0x2b8
    [<00000000824f6cf1>] gre_rcv+0x178/0x540
    [<00000000ccd4e162>] gre_rcv+0x7c/0xd8
    [<00000000c024b148>] ip_protocol_deliver_rcu+0x124/0x350
    [<000000006a483377>] ip_local_deliver_finish+0x54/0x68
    [<00000000d9271b3a>] ip_local_deliver+0x128/0x168
    [<00000000bd4968ae>] xfrm_trans_reinject+0xb8/0xf8
    [<0000000071672a19>] tasklet_action_common.isra.16+0xc4/0x1b0
    [<0000000062e9c336>] __do_softirq+0x1fc/0x3e0
    [<00000000013d7914>] irq_exit+0xc4/0xe0
    [<00000000a4d73e90>] plat_irq_dispatch+0x7c/0x108
    [<000000000751eb8e>] handle_int+0x16c/0x178
    [<000000001668023b>] _raw_spin_unlock_irqrestore+0x1c/0x28

The metadata dst is leaked when ip_route_input_mc() updates the dst for
the skb. Commit f38a9eb1f77b ("dst: Metadata destinations") correctly
handled dropping the dst in ip_route_input_slow() but missed the
multicast case which is handled by ip_route_input_mc(). Drop the dst in
ip_route_input_mc() avoiding the leak.

Fixes: f38a9eb1f77b ("dst: Metadata destinations")
Signed-off-by: Lokesh Dhoundiyal <lokesh.dhoundiyal@alliedtelesis.co.nz>
Signed-off-by: Chris Packham <chris.packham@alliedtelesis.co.nz>
---

Notes:
    We started seeing this leak in our scenario after commit c0d59da79534
    ("ip_gre: Make none-tun-dst gre tunnel store tunnel info as metadat_dst
    in recv") but there may be other paths that hit the leak so I've set the
    fixes tag as f38a9eb1f77b ("dst: Metadata destinations").

 net/ipv4/route.c | 1 +
 1 file changed, 1 insertion(+)

Comments

David Ahern May 6, 2022, 3:28 a.m. UTC | #1 
On 5/4/22 7:00 PM, Chris Packham wrote:
> From: Lokesh Dhoundiyal <lokesh.dhoundiyal@alliedtelesis.co.nz>
> 
> kmemleak reports the following when routing multicast traffic over an
> ipsec tunnel.
> 
> Kmemleak output:
> unreferenced object 0x8000000044bebb00 (size 256):
>   comm "softirq", pid 0, jiffies 4294985356 (age 126.810s)
>   hex dump (first 32 bytes):
>     00 00 00 00 00 00 00 00 80 00 00 00 05 13 74 80  ..............t.
>     80 00 00 00 04 9b bf f9 00 00 00 00 00 00 00 00  ................
>   backtrace:
>     [<00000000f83947e0>] __kmalloc+0x1e8/0x300
>     [<00000000b7ed8dca>] metadata_dst_alloc+0x24/0x58
>     [<0000000081d32c20>] __ipgre_rcv+0x100/0x2b8
>     [<00000000824f6cf1>] gre_rcv+0x178/0x540
>     [<00000000ccd4e162>] gre_rcv+0x7c/0xd8
>     [<00000000c024b148>] ip_protocol_deliver_rcu+0x124/0x350
>     [<000000006a483377>] ip_local_deliver_finish+0x54/0x68
>     [<00000000d9271b3a>] ip_local_deliver+0x128/0x168
>     [<00000000bd4968ae>] xfrm_trans_reinject+0xb8/0xf8
>     [<0000000071672a19>] tasklet_action_common.isra.16+0xc4/0x1b0
>     [<0000000062e9c336>] __do_softirq+0x1fc/0x3e0
>     [<00000000013d7914>] irq_exit+0xc4/0xe0
>     [<00000000a4d73e90>] plat_irq_dispatch+0x7c/0x108
>     [<000000000751eb8e>] handle_int+0x16c/0x178
>     [<000000001668023b>] _raw_spin_unlock_irqrestore+0x1c/0x28
> 
> The metadata dst is leaked when ip_route_input_mc() updates the dst for
> the skb. Commit f38a9eb1f77b ("dst: Metadata destinations") correctly
> handled dropping the dst in ip_route_input_slow() but missed the
> multicast case which is handled by ip_route_input_mc(). Drop the dst in
> ip_route_input_mc() avoiding the leak.
> 
> Fixes: f38a9eb1f77b ("dst: Metadata destinations")
> Signed-off-by: Lokesh Dhoundiyal <lokesh.dhoundiyal@alliedtelesis.co.nz>
> Signed-off-by: Chris Packham <chris.packham@alliedtelesis.co.nz>
> ---
> 
> Notes:
>     We started seeing this leak in our scenario after commit c0d59da79534
>     ("ip_gre: Make none-tun-dst gre tunnel store tunnel info as metadat_dst
>     in recv") but there may be other paths that hit the leak so I've set the
>     fixes tag as f38a9eb1f77b ("dst: Metadata destinations").
> 
>  net/ipv4/route.c | 1 +
>  1 file changed, 1 insertion(+)
> 

Reviewed-by: David Ahern <dsahern@kernel.org>
patchwork-bot+netdevbpf@kernel.org May 6, 2022, 7:50 p.m. UTC | #2 
Hello:

This patch was applied to netdev/net.git (master)
by Jakub Kicinski <kuba@kernel.org>:

On Thu,  5 May 2022 14:00:17 +1200 you wrote:
> From: Lokesh Dhoundiyal <lokesh.dhoundiyal@alliedtelesis.co.nz>
> 
> kmemleak reports the following when routing multicast traffic over an
> ipsec tunnel.
> 
> Kmemleak output:
> unreferenced object 0x8000000044bebb00 (size 256):
>   comm "softirq", pid 0, jiffies 4294985356 (age 126.810s)
>   hex dump (first 32 bytes):
>     00 00 00 00 00 00 00 00 80 00 00 00 05 13 74 80  ..............t.
>     80 00 00 00 04 9b bf f9 00 00 00 00 00 00 00 00  ................
>   backtrace:
>     [<00000000f83947e0>] __kmalloc+0x1e8/0x300
>     [<00000000b7ed8dca>] metadata_dst_alloc+0x24/0x58
>     [<0000000081d32c20>] __ipgre_rcv+0x100/0x2b8
>     [<00000000824f6cf1>] gre_rcv+0x178/0x540
>     [<00000000ccd4e162>] gre_rcv+0x7c/0xd8
>     [<00000000c024b148>] ip_protocol_deliver_rcu+0x124/0x350
>     [<000000006a483377>] ip_local_deliver_finish+0x54/0x68
>     [<00000000d9271b3a>] ip_local_deliver+0x128/0x168
>     [<00000000bd4968ae>] xfrm_trans_reinject+0xb8/0xf8
>     [<0000000071672a19>] tasklet_action_common.isra.16+0xc4/0x1b0
>     [<0000000062e9c336>] __do_softirq+0x1fc/0x3e0
>     [<00000000013d7914>] irq_exit+0xc4/0xe0
>     [<00000000a4d73e90>] plat_irq_dispatch+0x7c/0x108
>     [<000000000751eb8e>] handle_int+0x16c/0x178
>     [<000000001668023b>] _raw_spin_unlock_irqrestore+0x1c/0x28
> 
> [...]

Here is the summary with links:
  - [net] ipv4: drop dst in multicast routing path
    https://git.kernel.org/netdev/net/c/9e6c6d17d1d6

You are awesome, thank you!
diff mbox series

Patch

diff --git a/net/ipv4/route.c b/net/ipv4/route.c
index 98c6f3429593..57abd27e842c 100644
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -1753,6 +1753,7 @@  static int ip_route_input_mc(struct sk_buff *skb, __be32 daddr, __be32 saddr,
 #endif
 	RT_CACHE_STAT_INC(in_slow_mc);
 
+	skb_dst_drop(skb);
 	skb_dst_set(skb, &rth->dst);
 	return 0;
 }