From patchwork Tue Sep 24 07:36:15 2019
X-Patchwork-Submitter: "Jason A. Donenfeld"
X-Patchwork-Id: 174253
From: "Jason A. Donenfeld"
To: netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: "Jason A. Donenfeld", stable@vger.kernel.org
Subject: [PATCH] ipv6: do not free rt if FIB_LOOKUP_NOREF is set on suppress rule
Date: Tue, 24 Sep 2019 09:36:15 +0200
Message-Id: <20190924073615.31704-1-Jason@zx2c4.com>

Commit 7d9e5f422150 removed references from certain dsts, but accounting
for this never translated down into the fib6 suppression code. This bug
was triggered by WireGuard users who use wg-quick(8), which uses the
"suppress-prefix" directive to ip-rule(8) for routing all of their
internet traffic without routing loops. The test case in the link of
this commit reliably triggers various crashes due to the use-after-free
caused by the reference underflow.

Cc: stable@vger.kernel.org
Fixes: 7d9e5f422150 ("ipv6: convert major tx path to use RT6_LOOKUP_F_DST_NOREF")
Test-case: https://git.zx2c4.com/WireGuard/commit/?id=ad66532000f7a20b149e47c5eb3a957362c8e161
Signed-off-by: Jason A. Donenfeld
---
 net/ipv6/fib6_rules.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--
2.21.0

diff --git a/net/ipv6/fib6_rules.c b/net/ipv6/fib6_rules.c index d22b6c140f23..f9e8fe3ff0c5 100644 --- a/net/ipv6/fib6_rules.c +++ b/net/ipv6/fib6_rules.c @@ -287,7 +287,8 @@ static bool fib6_rule_suppress(struct fib_rule *rule, struct fib_lookup_arg *arg return false; suppress_route: - ip6_rt_put(rt); + if (!(arg->flags & FIB_LOOKUP_NOREF)) + ip6_rt_put(rt); return true; }
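
Review bot: the conditional put under the suppress_route label in fib6_rule_suppress() carries no comment saying why the reference is skipped, and `if (!(arg->flags & FIB_LOOKUP_NOREF))` alone does not tell a reader that no reference is held on rt in that case. A one-line comment above the check stating that NOREF lookups hold no reference on rt would keep a later cleanup from restoring the unconditional `ip6_rt_put(rt);`. The reproducer is reachable only through the Test-case: trailer, which points at an out-of-tree commit, so consider carrying a selftest in-tree alongside the fix so the reference underflow stays covered for the stable backports requested in the Cc: line.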