linux_dsm_epyc7002/drivers/net
Ido Schimmel 7387dbbcdb mlxsw: spectrum_router: Fix use-after-free in route replace
While working on IPv6 route replace I realized we can have a
use-after-free in IPv4 in case the replaced route is offloaded and the
only one using its FIB info.

The problem is that fib_table_insert() drops the reference on the FIB
info of the replaced routes which is eventually freed via call_rcu().
Since the driver doesn't hold a reference on this FIB info it can cause
a use-after-free when it tries to clear the RTNH_F_OFFLOAD flag stored
in fi->fib_flags.

After running the following commands in a loop for enough time with a
KASAN enabled kernel I finally got the below trace.

$ ip route add 192.168.50.0/24 via 192.168.200.1 dev enp3s0np3
$ ip route replace 192.168.50.0/24 dev enp3s0np5
$ ip route del 192.168.50.0/24 dev enp3s0np5

BUG: KASAN: use-after-free in mlxsw_sp_fib_entry_offload_unset+0xa7/0x120 [mlxsw_spectrum]
Read of size 4 at addr ffff8803717d9820 by task kworker/u4:2/55
[...]
? mlxsw_sp_fib_entry_offload_unset+0xa7/0x120 [mlxsw_spectrum]
? mlxsw_sp_fib_entry_offload_unset+0xa7/0x120 [mlxsw_spectrum]
? mlxsw_sp_router_neighs_update_work+0x1cd0/0x1ce0 [mlxsw_spectrum]
? mlxsw_sp_fib_entry_offload_unset+0xa7/0x120 [mlxsw_spectrum]
__asan_load4+0x61/0x80
mlxsw_sp_fib_entry_offload_unset+0xa7/0x120 [mlxsw_spectrum]
mlxsw_sp_fib_entry_offload_refresh+0xb6/0x370 [mlxsw_spectrum]
mlxsw_sp_router_fib_event_work+0xd1c/0x2780 [mlxsw_spectrum]
[...]
Freed by task 5131:
 save_stack_trace+0x16/0x20
 save_stack+0x46/0xd0
 kasan_slab_free+0x70/0xc0
 kfree+0x144/0x570
 free_fib_info_rcu+0x2e7/0x410
 rcu_process_callbacks+0x4f8/0xe30
 __do_softirq+0x1d3/0x9e2

Fix this by taking a reference on the FIB info when creating the nexthop
group it represents and dropping it when the group is destroyed.

Fixes: 599cf8f95f ("mlxsw: spectrum_router: Add support for route replace")
Signed-off-by: Ido Schimmel <idosch@mellanox.com>
Signed-off-by: Jiri Pirko <jiri@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-07-12 08:15:52 -07:00
appletalk
arcnet arcnet: com20020-pci: Fix an error handling path in 'com20020pci_probe()' 2017-07-07 09:29:10 +01:00
bonding bonding: avoid NETDEV_CHANGEMTU event when unregistering slave 2017-07-08 11:23:29 +01:00
caif Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2017-07-05 12:31:59 -07:00
can net: add netlink_ext_ack argument to rtnl_link_ops.validate 2017-06-26 23:13:22 -04:00
cris net/{mii, smsc}: Make mii_ethtool_get_link_ksettings and smc_netdev_get_ecmd return void 2017-06-05 11:00:42 -04:00
dsa net: dsa: mv88e6xxx: fix error code in mv88e6390_serdes_power() 2017-06-25 11:42:33 -04:00
ethernet mlxsw: spectrum_router: Fix use-after-free in route replace 2017-07-12 08:15:52 -07:00
fddi
fjes networking: introduce and use skb_put_data() 2017-06-16 11:48:37 -04:00
hamradio networking: add and use skb_put_u8() 2017-06-16 11:48:40 -04:00
hippi networking: make skb_push & __skb_push return void pointers 2017-06-16 11:48:40 -04:00
hyperv Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-06-30 12:43:08 -04:00
ieee802154 networking: introduce and use skb_put_data() 2017-06-16 11:48:37 -04:00
ipvlan net: add netlink_ext_ack argument to rtnl_link_ops.validate 2017-06-26 23:13:22 -04:00
irda networking: introduce and use skb_put_data() 2017-06-16 11:48:37 -04:00
phy Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2017-07-05 12:31:59 -07:00
plip
ppp net: add netlink_ext_ack argument to rtnl_link_ops.validate 2017-06-26 23:13:22 -04:00
slip networking: introduce and use skb_put_data() 2017-06-16 11:48:37 -04:00
team net: add netlink_ext_ack argument to rtnl_link_ops.validate 2017-06-26 23:13:22 -04:00
usb net: cdc_mbim: apply "NDP to end" quirk to HP lt4132 2017-07-03 02:19:36 -07:00
vmxnet3
wan networking: make skb_pull & friends return void pointers 2017-06-16 11:48:39 -04:00
wimax networking: make skb_push & __skb_push return void pointers 2017-06-16 11:48:40 -04:00
wireless pci-v4.13-changes 2017-07-08 15:51:57 -07:00
xen-netback xen-netback: correctly schedule rate-limited queues 2017-06-22 11:15:42 -04:00
dummy.c net: add netlink_ext_ack argument to rtnl_link_ops.validate 2017-06-26 23:13:22 -04:00
eql.c
geneve.c geneve: fix hlist corruption 2017-07-03 02:36:27 -07:00
gtp.c net: add netlink_ext_ack argument to rtnl_link_ops.validate 2017-06-26 23:13:22 -04:00
ifb.c net: add netlink_ext_ack argument to rtnl_link_ops.validate 2017-06-26 23:13:22 -04:00
Kconfig
LICENSE.SRC
loopback.c net: Fix inconsistent teardown and release of private netdev state. 2017-06-07 15:53:24 -04:00
macsec.c net: add netlink_ext_ack argument to rtnl_link_ops.validate 2017-06-26 23:13:22 -04:00
macvlan.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-06-30 12:43:08 -04:00
macvtap.c net: add netlink_ext_ack argument to rtnl_link_ops.newlink 2017-06-26 23:13:21 -04:00
Makefile
mdio.c
mii.c net/{mii, smsc}: Make mii_ethtool_get_link_ksettings and smc_netdev_get_ecmd return void 2017-06-05 11:00:42 -04:00
netconsole.c netconsole: Remove duplicate "netconsole: " logging prefix 2017-06-13 12:57:40 -04:00
nlmon.c net: add netlink_ext_ack argument to rtnl_link_ops.validate 2017-06-26 23:13:22 -04:00
ntb_netdev.c
rionet.c net: convert sk_buff.users from atomic_t to refcount_t 2017-07-01 07:39:07 -07:00
sb1000.c
Space.c
sungem_phy.c drivers/net/sungem: add const to mii_phy_ops structures 2017-06-08 15:32:47 -04:00
tap.c tap: convert a mutex to a spinlock 2017-07-11 13:41:57 -07:00
tun.c net: add netlink_ext_ack argument to rtnl_link_ops.validate 2017-06-26 23:13:22 -04:00
veth.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-06-30 12:43:08 -04:00
virtio_net.c virtio-net: fix leaking of ctx array 2017-07-07 20:03:41 +01:00
vrf.c vrf: fix bug_on triggered by rx when destroying a vrf 2017-07-06 16:46:07 +01:00
vsockmon.c net: Fix inconsistent teardown and release of private netdev state. 2017-06-07 15:53:24 -04:00
vxlan.c net, vxlan: convert vxlan_sock.refcnt from atomic_t to refcount_t 2017-07-04 22:35:15 +01:00
xen-netfront.c