<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-toradex.git/net/ipv6/ip6_fib.c, branch v4.4.148</title>
<subtitle>Linux kernel for Apalis and Colibri modules</subtitle>
<link rel='alternate' type='text/html' href='https://git.toradex.cn/cgit/linux-toradex.git/'/>
<entry>
<title>ipv6: fix typo in fib6_net_exit()</title>
<updated>2017-09-27T09:00:12+00:00</updated>
<author>
<name>Eric Dumazet</name>
<email>edumazet@google.com</email>
</author>
<published>2017-09-08T22:48:47+00:00</published>
<link rel='alternate' type='text/html' href='https://git.toradex.cn/cgit/linux-toradex.git/commit/?id=be9994817ad5717f64e07c19e5ec2f6b29aad4d0'/>
<id>be9994817ad5717f64e07c19e5ec2f6b29aad4d0</id>
<content type='text'>
[ Upstream commit 32a805baf0fb70b6dbedefcd7249ac7f580f9e3b ]

IPv6 FIB should use FIB6_TABLE_HASHSZ, not FIB_TABLE_HASHSZ.

Fixes: ba1cc08d9488 ("ipv6: fix memory leak with multiple tables during netns destruction")
Signed-off-by: Eric Dumazet &lt;edumazet@google.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 32a805baf0fb70b6dbedefcd7249ac7f580f9e3b ]

IPv6 FIB should use FIB6_TABLE_HASHSZ, not FIB_TABLE_HASHSZ.

Fixes: ba1cc08d9488 ("ipv6: fix memory leak with multiple tables during netns destruction")
Signed-off-by: Eric Dumazet &lt;edumazet@google.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>ipv6: fix memory leak with multiple tables during netns destruction</title>
<updated>2017-09-27T09:00:11+00:00</updated>
<author>
<name>Sabrina Dubroca</name>
<email>sd@queasysnail.net</email>
</author>
<published>2017-09-08T08:26:19+00:00</published>
<link rel='alternate' type='text/html' href='https://git.toradex.cn/cgit/linux-toradex.git/commit/?id=70479eafe3d974c60a71718530a46f8ad3ce9c3f'/>
<id>70479eafe3d974c60a71718530a46f8ad3ce9c3f</id>
<content type='text'>
[ Upstream commit ba1cc08d9488c94cb8d94f545305688b72a2a300 ]

fib6_net_exit only frees the main and local tables. If another table was
created with fib6_alloc_table, we leak it when the netns is destroyed.

Fix this in the same way ip_fib_net_exit cleans up tables, by walking
through the whole hashtable of fib6_table's. We can get rid of the
special cases for local and main, since they're also part of the
hashtable.

Reproducer:
    ip netns add x
    ip -net x -6 rule add from 6003:1::/64 table 100
    ip netns del x

Reported-by: Jianlin Shi &lt;jishi@redhat.com&gt;
Fixes: 58f09b78b730 ("[NETNS][IPV6] ip6_fib - make it per network namespace")
Signed-off-by: Sabrina Dubroca &lt;sd@queasysnail.net&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit ba1cc08d9488c94cb8d94f545305688b72a2a300 ]

fib6_net_exit only frees the main and local tables. If another table was
created with fib6_alloc_table, we leak it when the netns is destroyed.

Fix this in the same way ip_fib_net_exit cleans up tables, by walking
through the whole hashtable of fib6_table's. We can get rid of the
special cases for local and main, since they're also part of the
hashtable.

Reproducer:
    ip netns add x
    ip -net x -6 rule add from 6003:1::/64 table 100
    ip netns del x

Reported-by: Jianlin Shi &lt;jishi@redhat.com&gt;
Fixes: 58f09b78b730 ("[NETNS][IPV6] ip6_fib - make it per network namespace")
Signed-off-by: Sabrina Dubroca &lt;sd@queasysnail.net&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>ipv6: fix sparse warning on rt6i_node</title>
<updated>2017-09-27T09:00:10+00:00</updated>
<author>
<name>Wei Wang</name>
<email>weiwan@google.com</email>
</author>
<published>2017-08-25T22:03:10+00:00</published>
<link rel='alternate' type='text/html' href='https://git.toradex.cn/cgit/linux-toradex.git/commit/?id=354d36b746c3fdde7397409ce79ca89a2da2fbce'/>
<id>354d36b746c3fdde7397409ce79ca89a2da2fbce</id>
<content type='text'>
[ Upstream commit 4e587ea71bf924f7dac621f1351653bd41e446cb ]

Commit c5cff8561d2d adds rcu grace period before freeing fib6_node. This
generates a new sparse warning on rt-&gt;rt6i_node related code:
  net/ipv6/route.c:1394:30: error: incompatible types in comparison
  expression (different address spaces)
  ./include/net/ip6_fib.h:187:14: error: incompatible types in comparison
  expression (different address spaces)

This commit adds "__rcu" tag for rt6i_node and makes sure corresponding
rcu API is used for it.
After this fix, sparse no longer generates the above warning.

Fixes: c5cff8561d2d ("ipv6: add rcu grace period before freeing fib6_node")
Signed-off-by: Wei Wang &lt;weiwan@google.com&gt;
Acked-by: Eric Dumazet &lt;edumazet@google.com&gt;
Acked-by: Martin KaFai Lau &lt;kafai@fb.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 4e587ea71bf924f7dac621f1351653bd41e446cb ]

Commit c5cff8561d2d adds rcu grace period before freeing fib6_node. This
generates a new sparse warning on rt-&gt;rt6i_node related code:
  net/ipv6/route.c:1394:30: error: incompatible types in comparison
  expression (different address spaces)
  ./include/net/ip6_fib.h:187:14: error: incompatible types in comparison
  expression (different address spaces)

This commit adds "__rcu" tag for rt6i_node and makes sure corresponding
rcu API is used for it.
After this fix, sparse no longer generates the above warning.

Fixes: c5cff8561d2d ("ipv6: add rcu grace period before freeing fib6_node")
Signed-off-by: Wei Wang &lt;weiwan@google.com&gt;
Acked-by: Eric Dumazet &lt;edumazet@google.com&gt;
Acked-by: Martin KaFai Lau &lt;kafai@fb.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>ipv6: add rcu grace period before freeing fib6_node</title>
<updated>2017-09-27T09:00:10+00:00</updated>
<author>
<name>Wei Wang</name>
<email>weiwan@google.com</email>
</author>
<published>2017-08-21T16:47:10+00:00</published>
<link rel='alternate' type='text/html' href='https://git.toradex.cn/cgit/linux-toradex.git/commit/?id=e51bf99be7cc95db97d9fa9031ab09ea037a5c7a'/>
<id>e51bf99be7cc95db97d9fa9031ab09ea037a5c7a</id>
<content type='text'>
[ Upstream commit c5cff8561d2d0006e972bd114afd51f082fee77c ]

We currently keep rt-&gt;rt6i_node pointing to the fib6_node for the route.
And some functions make use of this pointer to dereference the fib6_node
from rt structure, e.g. rt6_check(). However, as there is neither
refcount nor rcu taken when dereferencing rt-&gt;rt6i_node, it could
potentially cause crashes as rt-&gt;rt6i_node could be set to NULL by other
CPUs when doing a route deletion.
This patch introduces an rcu grace period before freeing fib6_node and
makes sure the functions that dereference it takes rcu_read_lock().

Note: there is no "Fixes" tag because this bug was there in a very
early stage.

Signed-off-by: Wei Wang &lt;weiwan@google.com&gt;
Acked-by: Eric Dumazet &lt;edumazet@google.com&gt;
Acked-by: Martin KaFai Lau &lt;kafai@fb.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit c5cff8561d2d0006e972bd114afd51f082fee77c ]

We currently keep rt-&gt;rt6i_node pointing to the fib6_node for the route.
And some functions make use of this pointer to dereference the fib6_node
from rt structure, e.g. rt6_check(). However, as there is neither
refcount nor rcu taken when dereferencing rt-&gt;rt6i_node, it could
potentially cause crashes as rt-&gt;rt6i_node could be set to NULL by other
CPUs when doing a route deletion.
This patch introduces an rcu grace period before freeing fib6_node and
makes sure the functions that dereference it takes rcu_read_lock().

Note: there is no "Fixes" tag because this bug was there in a very
early stage.

Signed-off-by: Wei Wang &lt;weiwan@google.com&gt;
Acked-by: Eric Dumazet &lt;edumazet@google.com&gt;
Acked-by: Martin KaFai Lau &lt;kafai@fb.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>ipv6: repair fib6 tree in failure case</title>
<updated>2017-08-30T08:19:20+00:00</updated>
<author>
<name>Wei Wang</name>
<email>weiwan@google.com</email>
</author>
<published>2017-08-19T00:14:49+00:00</published>
<link rel='alternate' type='text/html' href='https://git.toradex.cn/cgit/linux-toradex.git/commit/?id=ece3ff173731fa87fec618fbf8734ca867eb8e42'/>
<id>ece3ff173731fa87fec618fbf8734ca867eb8e42</id>
<content type='text'>
[ Upstream commit 348a4002729ccab8b888b38cbc099efa2f2a2036 ]

In fib6_add(), it is possible that fib6_add_1() picks an intermediate
node and sets the node's fn-&gt;leaf to NULL in order to add this new
route. However, if fib6_add_rt2node() fails to add the new
route for some reason, fn-&gt;leaf will be left as NULL and could
potentially cause crash when fn-&gt;leaf is accessed in fib6_locate().
This patch makes sure fib6_repair_tree() is called to properly repair
fn-&gt;leaf in the above failure case.

Here is the syzkaller reported general protection fault in fib6_locate:
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] SMP KASAN
Modules linked in:
CPU: 0 PID: 40937 Comm: syz-executor3 Not tainted
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: ffff8801d7d64100 ti: ffff8801d01a0000 task.ti: ffff8801d01a0000
RIP: 0010:[&lt;ffffffff82a3e0e1&gt;]  [&lt;ffffffff82a3e0e1&gt;] __ipv6_prefix_equal64_half include/net/ipv6.h:475 [inline]
RIP: 0010:[&lt;ffffffff82a3e0e1&gt;]  [&lt;ffffffff82a3e0e1&gt;] ipv6_prefix_equal include/net/ipv6.h:492 [inline]
RIP: 0010:[&lt;ffffffff82a3e0e1&gt;]  [&lt;ffffffff82a3e0e1&gt;] fib6_locate_1 net/ipv6/ip6_fib.c:1210 [inline]
RIP: 0010:[&lt;ffffffff82a3e0e1&gt;]  [&lt;ffffffff82a3e0e1&gt;] fib6_locate+0x281/0x3c0 net/ipv6/ip6_fib.c:1233
RSP: 0018:ffff8801d01a36a8  EFLAGS: 00010202
RAX: 0000000000000020 RBX: ffff8801bc790e00 RCX: ffffc90002983000
RDX: 0000000000001219 RSI: ffff8801d01a37a0 RDI: 0000000000000100
RBP: ffff8801d01a36f0 R08: 00000000000000ff R09: 0000000000000000
R10: 0000000000000003 R11: 0000000000000000 R12: 0000000000000001
R13: dffffc0000000000 R14: ffff8801d01a37a0 R15: 0000000000000000
FS:  00007f6afd68c700(0000) GS:ffff8801db400000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000004c6340 CR3: 00000000ba41f000 CR4: 00000000001426f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Stack:
 ffff8801d01a37a8 ffff8801d01a3780 ffffed003a0346f5 0000000c82a23ea0
 ffff8800b7bd7700 ffff8801d01a3780 ffff8800b6a1c940 ffffffff82a23ea0
 ffff8801d01a3920 ffff8801d01a3748 ffffffff82a223d6 ffff8801d7d64988
Call Trace:
 [&lt;ffffffff82a223d6&gt;] ip6_route_del+0x106/0x570 net/ipv6/route.c:2109
 [&lt;ffffffff82a23f9d&gt;] inet6_rtm_delroute+0xfd/0x100 net/ipv6/route.c:3075
 [&lt;ffffffff82621359&gt;] rtnetlink_rcv_msg+0x549/0x7a0 net/core/rtnetlink.c:3450
 [&lt;ffffffff8274c1d1&gt;] netlink_rcv_skb+0x141/0x370 net/netlink/af_netlink.c:2281
 [&lt;ffffffff82613ddf&gt;] rtnetlink_rcv+0x2f/0x40 net/core/rtnetlink.c:3456
 [&lt;ffffffff8274ad38&gt;] netlink_unicast_kernel net/netlink/af_netlink.c:1206 [inline]
 [&lt;ffffffff8274ad38&gt;] netlink_unicast+0x518/0x750 net/netlink/af_netlink.c:1232
 [&lt;ffffffff8274b83e&gt;] netlink_sendmsg+0x8ce/0xc30 net/netlink/af_netlink.c:1778
 [&lt;ffffffff82564aff&gt;] sock_sendmsg_nosec net/socket.c:609 [inline]
 [&lt;ffffffff82564aff&gt;] sock_sendmsg+0xcf/0x110 net/socket.c:619
 [&lt;ffffffff82564d62&gt;] sock_write_iter+0x222/0x3a0 net/socket.c:834
 [&lt;ffffffff8178523d&gt;] new_sync_write+0x1dd/0x2b0 fs/read_write.c:478
 [&lt;ffffffff817853f4&gt;] __vfs_write+0xe4/0x110 fs/read_write.c:491
 [&lt;ffffffff81786c38&gt;] vfs_write+0x178/0x4b0 fs/read_write.c:538
 [&lt;ffffffff817892a9&gt;] SYSC_write fs/read_write.c:585 [inline]
 [&lt;ffffffff817892a9&gt;] SyS_write+0xd9/0x1b0 fs/read_write.c:577
 [&lt;ffffffff82c71e32&gt;] entry_SYSCALL_64_fastpath+0x12/0x17

Note: there is no "Fixes" tag as this seems to be a bug introduced
very early.

Signed-off-by: Wei Wang &lt;weiwan@google.com&gt;
Acked-by: Eric Dumazet &lt;edumazet@google.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 348a4002729ccab8b888b38cbc099efa2f2a2036 ]

In fib6_add(), it is possible that fib6_add_1() picks an intermediate
node and sets the node's fn-&gt;leaf to NULL in order to add this new
route. However, if fib6_add_rt2node() fails to add the new
route for some reason, fn-&gt;leaf will be left as NULL and could
potentially cause crash when fn-&gt;leaf is accessed in fib6_locate().
This patch makes sure fib6_repair_tree() is called to properly repair
fn-&gt;leaf in the above failure case.

Here is the syzkaller reported general protection fault in fib6_locate:
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] SMP KASAN
Modules linked in:
CPU: 0 PID: 40937 Comm: syz-executor3 Not tainted
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: ffff8801d7d64100 ti: ffff8801d01a0000 task.ti: ffff8801d01a0000
RIP: 0010:[&lt;ffffffff82a3e0e1&gt;]  [&lt;ffffffff82a3e0e1&gt;] __ipv6_prefix_equal64_half include/net/ipv6.h:475 [inline]
RIP: 0010:[&lt;ffffffff82a3e0e1&gt;]  [&lt;ffffffff82a3e0e1&gt;] ipv6_prefix_equal include/net/ipv6.h:492 [inline]
RIP: 0010:[&lt;ffffffff82a3e0e1&gt;]  [&lt;ffffffff82a3e0e1&gt;] fib6_locate_1 net/ipv6/ip6_fib.c:1210 [inline]
RIP: 0010:[&lt;ffffffff82a3e0e1&gt;]  [&lt;ffffffff82a3e0e1&gt;] fib6_locate+0x281/0x3c0 net/ipv6/ip6_fib.c:1233
RSP: 0018:ffff8801d01a36a8  EFLAGS: 00010202
RAX: 0000000000000020 RBX: ffff8801bc790e00 RCX: ffffc90002983000
RDX: 0000000000001219 RSI: ffff8801d01a37a0 RDI: 0000000000000100
RBP: ffff8801d01a36f0 R08: 00000000000000ff R09: 0000000000000000
R10: 0000000000000003 R11: 0000000000000000 R12: 0000000000000001
R13: dffffc0000000000 R14: ffff8801d01a37a0 R15: 0000000000000000
FS:  00007f6afd68c700(0000) GS:ffff8801db400000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000004c6340 CR3: 00000000ba41f000 CR4: 00000000001426f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Stack:
 ffff8801d01a37a8 ffff8801d01a3780 ffffed003a0346f5 0000000c82a23ea0
 ffff8800b7bd7700 ffff8801d01a3780 ffff8800b6a1c940 ffffffff82a23ea0
 ffff8801d01a3920 ffff8801d01a3748 ffffffff82a223d6 ffff8801d7d64988
Call Trace:
 [&lt;ffffffff82a223d6&gt;] ip6_route_del+0x106/0x570 net/ipv6/route.c:2109
 [&lt;ffffffff82a23f9d&gt;] inet6_rtm_delroute+0xfd/0x100 net/ipv6/route.c:3075
 [&lt;ffffffff82621359&gt;] rtnetlink_rcv_msg+0x549/0x7a0 net/core/rtnetlink.c:3450
 [&lt;ffffffff8274c1d1&gt;] netlink_rcv_skb+0x141/0x370 net/netlink/af_netlink.c:2281
 [&lt;ffffffff82613ddf&gt;] rtnetlink_rcv+0x2f/0x40 net/core/rtnetlink.c:3456
 [&lt;ffffffff8274ad38&gt;] netlink_unicast_kernel net/netlink/af_netlink.c:1206 [inline]
 [&lt;ffffffff8274ad38&gt;] netlink_unicast+0x518/0x750 net/netlink/af_netlink.c:1232
 [&lt;ffffffff8274b83e&gt;] netlink_sendmsg+0x8ce/0xc30 net/netlink/af_netlink.c:1778
 [&lt;ffffffff82564aff&gt;] sock_sendmsg_nosec net/socket.c:609 [inline]
 [&lt;ffffffff82564aff&gt;] sock_sendmsg+0xcf/0x110 net/socket.c:619
 [&lt;ffffffff82564d62&gt;] sock_write_iter+0x222/0x3a0 net/socket.c:834
 [&lt;ffffffff8178523d&gt;] new_sync_write+0x1dd/0x2b0 fs/read_write.c:478
 [&lt;ffffffff817853f4&gt;] __vfs_write+0xe4/0x110 fs/read_write.c:491
 [&lt;ffffffff81786c38&gt;] vfs_write+0x178/0x4b0 fs/read_write.c:538
 [&lt;ffffffff817892a9&gt;] SYSC_write fs/read_write.c:585 [inline]
 [&lt;ffffffff817892a9&gt;] SyS_write+0xd9/0x1b0 fs/read_write.c:577
 [&lt;ffffffff82c71e32&gt;] entry_SYSCALL_64_fastpath+0x12/0x17

Note: there is no "Fixes" tag as this seems to be a bug introduced
very early.

Signed-off-by: Wei Wang &lt;weiwan@google.com&gt;
Acked-by: Eric Dumazet &lt;edumazet@google.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>ipv6: reset fn-&gt;rr_ptr when replacing route</title>
<updated>2017-08-30T08:19:20+00:00</updated>
<author>
<name>Wei Wang</name>
<email>weiwan@google.com</email>
</author>
<published>2017-08-16T18:18:09+00:00</published>
<link rel='alternate' type='text/html' href='https://git.toradex.cn/cgit/linux-toradex.git/commit/?id=6415a71ddf15b54939937581a5e35a4ab07883a0'/>
<id>6415a71ddf15b54939937581a5e35a4ab07883a0</id>
<content type='text'>
[ Upstream commit 383143f31d7d3525a1dbff733d52fff917f82f15 ]

syzcaller reported the following use-after-free issue in rt6_select():
BUG: KASAN: use-after-free in rt6_select net/ipv6/route.c:755 [inline] at addr ffff8800bc6994e8
BUG: KASAN: use-after-free in ip6_pol_route.isra.46+0x1429/0x1470 net/ipv6/route.c:1084 at addr ffff8800bc6994e8
Read of size 4 by task syz-executor1/439628
CPU: 0 PID: 439628 Comm: syz-executor1 Not tainted 4.3.5+ #8
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 0000000000000000 ffff88018fe435b0 ffffffff81ca384d ffff8801d3588c00
 ffff8800bc699380 ffff8800bc699500 dffffc0000000000 ffff8801d40a47c0
 ffff88018fe435d8 ffffffff81735751 ffff88018fe43660 ffff8800bc699380
Call Trace:
 [&lt;ffffffff81ca384d&gt;] __dump_stack lib/dump_stack.c:15 [inline]
 [&lt;ffffffff81ca384d&gt;] dump_stack+0xc1/0x124 lib/dump_stack.c:51
sctp: [Deprecated]: syz-executor0 (pid 439615) Use of struct sctp_assoc_value in delayed_ack socket option.
Use struct sctp_sack_info instead
 [&lt;ffffffff81735751&gt;] kasan_object_err+0x21/0x70 mm/kasan/report.c:158
 [&lt;ffffffff817359c4&gt;] print_address_description mm/kasan/report.c:196 [inline]
 [&lt;ffffffff817359c4&gt;] kasan_report_error+0x1b4/0x4a0 mm/kasan/report.c:285
 [&lt;ffffffff81735d93&gt;] kasan_report mm/kasan/report.c:305 [inline]
 [&lt;ffffffff81735d93&gt;] __asan_report_load4_noabort+0x43/0x50 mm/kasan/report.c:325
 [&lt;ffffffff82a28e39&gt;] rt6_select net/ipv6/route.c:755 [inline]
 [&lt;ffffffff82a28e39&gt;] ip6_pol_route.isra.46+0x1429/0x1470 net/ipv6/route.c:1084
 [&lt;ffffffff82a28fb1&gt;] ip6_pol_route_output+0x81/0xb0 net/ipv6/route.c:1203
 [&lt;ffffffff82ab0a50&gt;] fib6_rule_action+0x1f0/0x680 net/ipv6/fib6_rules.c:95
 [&lt;ffffffff8265cbb6&gt;] fib_rules_lookup+0x2a6/0x7a0 net/core/fib_rules.c:223
 [&lt;ffffffff82ab1430&gt;] fib6_rule_lookup+0xd0/0x250 net/ipv6/fib6_rules.c:41
 [&lt;ffffffff82a22006&gt;] ip6_route_output+0x1d6/0x2c0 net/ipv6/route.c:1224
 [&lt;ffffffff829e83d2&gt;] ip6_dst_lookup_tail+0x4d2/0x890 net/ipv6/ip6_output.c:943
 [&lt;ffffffff829e889a&gt;] ip6_dst_lookup_flow+0x9a/0x250 net/ipv6/ip6_output.c:1079
 [&lt;ffffffff82a9f7d8&gt;] ip6_datagram_dst_update+0x538/0xd40 net/ipv6/datagram.c:91
 [&lt;ffffffff82aa0978&gt;] __ip6_datagram_connect net/ipv6/datagram.c:251 [inline]
 [&lt;ffffffff82aa0978&gt;] ip6_datagram_connect+0x518/0xe50 net/ipv6/datagram.c:272
 [&lt;ffffffff82aa1313&gt;] ip6_datagram_connect_v6_only+0x63/0x90 net/ipv6/datagram.c:284
 [&lt;ffffffff8292f790&gt;] inet_dgram_connect+0x170/0x1f0 net/ipv4/af_inet.c:564
 [&lt;ffffffff82565547&gt;] SYSC_connect+0x1a7/0x2f0 net/socket.c:1582
 [&lt;ffffffff8256a649&gt;] SyS_connect+0x29/0x30 net/socket.c:1563
 [&lt;ffffffff82c72032&gt;] entry_SYSCALL_64_fastpath+0x12/0x17
Object at ffff8800bc699380, in cache ip6_dst_cache size: 384

The root cause of it is that in fib6_add_rt2node(), when it replaces an
existing route with the new one, it does not update fn-&gt;rr_ptr.
This commit resets fn-&gt;rr_ptr to NULL when it points to a route which is
replaced in fib6_add_rt2node().

Fixes: 27596472473a ("ipv6: fix ECMP route replacement")
Signed-off-by: Wei Wang &lt;weiwan@google.com&gt;
Acked-by: Eric Dumazet &lt;edumazet@google.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 383143f31d7d3525a1dbff733d52fff917f82f15 ]

syzcaller reported the following use-after-free issue in rt6_select():
BUG: KASAN: use-after-free in rt6_select net/ipv6/route.c:755 [inline] at addr ffff8800bc6994e8
BUG: KASAN: use-after-free in ip6_pol_route.isra.46+0x1429/0x1470 net/ipv6/route.c:1084 at addr ffff8800bc6994e8
Read of size 4 by task syz-executor1/439628
CPU: 0 PID: 439628 Comm: syz-executor1 Not tainted 4.3.5+ #8
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 0000000000000000 ffff88018fe435b0 ffffffff81ca384d ffff8801d3588c00
 ffff8800bc699380 ffff8800bc699500 dffffc0000000000 ffff8801d40a47c0
 ffff88018fe435d8 ffffffff81735751 ffff88018fe43660 ffff8800bc699380
Call Trace:
 [&lt;ffffffff81ca384d&gt;] __dump_stack lib/dump_stack.c:15 [inline]
 [&lt;ffffffff81ca384d&gt;] dump_stack+0xc1/0x124 lib/dump_stack.c:51
sctp: [Deprecated]: syz-executor0 (pid 439615) Use of struct sctp_assoc_value in delayed_ack socket option.
Use struct sctp_sack_info instead
 [&lt;ffffffff81735751&gt;] kasan_object_err+0x21/0x70 mm/kasan/report.c:158
 [&lt;ffffffff817359c4&gt;] print_address_description mm/kasan/report.c:196 [inline]
 [&lt;ffffffff817359c4&gt;] kasan_report_error+0x1b4/0x4a0 mm/kasan/report.c:285
 [&lt;ffffffff81735d93&gt;] kasan_report mm/kasan/report.c:305 [inline]
 [&lt;ffffffff81735d93&gt;] __asan_report_load4_noabort+0x43/0x50 mm/kasan/report.c:325
 [&lt;ffffffff82a28e39&gt;] rt6_select net/ipv6/route.c:755 [inline]
 [&lt;ffffffff82a28e39&gt;] ip6_pol_route.isra.46+0x1429/0x1470 net/ipv6/route.c:1084
 [&lt;ffffffff82a28fb1&gt;] ip6_pol_route_output+0x81/0xb0 net/ipv6/route.c:1203
 [&lt;ffffffff82ab0a50&gt;] fib6_rule_action+0x1f0/0x680 net/ipv6/fib6_rules.c:95
 [&lt;ffffffff8265cbb6&gt;] fib_rules_lookup+0x2a6/0x7a0 net/core/fib_rules.c:223
 [&lt;ffffffff82ab1430&gt;] fib6_rule_lookup+0xd0/0x250 net/ipv6/fib6_rules.c:41
 [&lt;ffffffff82a22006&gt;] ip6_route_output+0x1d6/0x2c0 net/ipv6/route.c:1224
 [&lt;ffffffff829e83d2&gt;] ip6_dst_lookup_tail+0x4d2/0x890 net/ipv6/ip6_output.c:943
 [&lt;ffffffff829e889a&gt;] ip6_dst_lookup_flow+0x9a/0x250 net/ipv6/ip6_output.c:1079
 [&lt;ffffffff82a9f7d8&gt;] ip6_datagram_dst_update+0x538/0xd40 net/ipv6/datagram.c:91
 [&lt;ffffffff82aa0978&gt;] __ip6_datagram_connect net/ipv6/datagram.c:251 [inline]
 [&lt;ffffffff82aa0978&gt;] ip6_datagram_connect+0x518/0xe50 net/ipv6/datagram.c:272
 [&lt;ffffffff82aa1313&gt;] ip6_datagram_connect_v6_only+0x63/0x90 net/ipv6/datagram.c:284
 [&lt;ffffffff8292f790&gt;] inet_dgram_connect+0x170/0x1f0 net/ipv4/af_inet.c:564
 [&lt;ffffffff82565547&gt;] SYSC_connect+0x1a7/0x2f0 net/socket.c:1582
 [&lt;ffffffff8256a649&gt;] SyS_connect+0x29/0x30 net/socket.c:1563
 [&lt;ffffffff82c72032&gt;] entry_SYSCALL_64_fastpath+0x12/0x17
Object at ffff8800bc699380, in cache ip6_dst_cache size: 384

The root cause of it is that in fib6_add_rt2node(), when it replaces an
existing route with the new one, it does not update fn-&gt;rr_ptr.
This commit resets fn-&gt;rr_ptr to NULL when it points to a route which is
replaced in fib6_add_rt2node().

Fixes: 27596472473a ("ipv6: fix ECMP route replacement")
Signed-off-by: Wei Wang &lt;weiwan@google.com&gt;
Acked-by: Eric Dumazet &lt;edumazet@google.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>net: ipv6: Compare lwstate in detecting duplicate nexthops</title>
<updated>2017-07-21T05:44:55+00:00</updated>
<author>
<name>David Ahern</name>
<email>dsahern@gmail.com</email>
</author>
<published>2017-07-05T20:41:46+00:00</published>
<link rel='alternate' type='text/html' href='https://git.toradex.cn/cgit/linux-toradex.git/commit/?id=eb7bef1db6f31cdba61a0d8794839fab57da5ed8'/>
<id>eb7bef1db6f31cdba61a0d8794839fab57da5ed8</id>
<content type='text'>
commit f06b7549b79e29a672336d4e134524373fb7a232 upstream.

Lennert reported a failure to add different mpls encaps in a multipath
route:

  $ ip -6 route add 1234::/16 \
        nexthop encap mpls 10 via fe80::1 dev ens3 \
        nexthop encap mpls 20 via fe80::1 dev ens3
  RTNETLINK answers: File exists

The problem is that the duplicate nexthop detection does not compare
lwtunnel configuration. Add it.

Fixes: 19e42e451506 ("ipv6: support for fib route lwtunnel encap attributes")
Signed-off-by: David Ahern &lt;dsahern@gmail.com&gt;
Reported-by: João Taveira Araújo &lt;joao.taveira@gmail.com&gt;
Reported-by: Lennert Buytenhek &lt;buytenh@wantstofly.org&gt;
Acked-by: Roopa Prabhu &lt;roopa@cumulusnetworks.com&gt;
Tested-by: Lennert Buytenhek &lt;buytenh@wantstofly.org&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit f06b7549b79e29a672336d4e134524373fb7a232 upstream.

Lennert reported a failure to add different mpls encaps in a multipath
route:

  $ ip -6 route add 1234::/16 \
        nexthop encap mpls 10 via fe80::1 dev ens3 \
        nexthop encap mpls 20 via fe80::1 dev ens3
  RTNETLINK answers: File exists

The problem is that the duplicate nexthop detection does not compare
lwtunnel configuration. Add it.

Fixes: 19e42e451506 ("ipv6: support for fib route lwtunnel encap attributes")
Signed-off-by: David Ahern &lt;dsahern@gmail.com&gt;
Reported-by: João Taveira Araújo &lt;joao.taveira@gmail.com&gt;
Reported-by: Lennert Buytenhek &lt;buytenh@wantstofly.org&gt;
Acked-by: Roopa Prabhu &lt;roopa@cumulusnetworks.com&gt;
Tested-by: Lennert Buytenhek &lt;buytenh@wantstofly.org&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>ipv6: Do not leak throw route references</title>
<updated>2017-07-05T12:37:14+00:00</updated>
<author>
<name>Serhey Popovych</name>
<email>serhe.popovych@gmail.com</email>
</author>
<published>2017-06-20T10:29:25+00:00</published>
<link rel='alternate' type='text/html' href='https://git.toradex.cn/cgit/linux-toradex.git/commit/?id=640a09c64ec6bd0b6e387bc60a0ed45397e1381a'/>
<id>640a09c64ec6bd0b6e387bc60a0ed45397e1381a</id>
<content type='text'>
[ Upstream commit 07f615574f8ac499875b21c1142f26308234a92c ]

While commit 73ba57bfae4a ("ipv6: fix backtracking for throw routes")
does good job on error propagation to the fib_rules_lookup()
in fib rules core framework that also corrects throw routes
handling, it does not solve route reference leakage problem
happened when we return -EAGAIN to the fib_rules_lookup()
and leave routing table entry referenced in arg-&gt;result.

If rule with matched throw route isn't last matched in the
list we overwrite arg-&gt;result losing reference on throw
route stored previously forever.

We also partially revert commit ab997ad40839 ("ipv6: fix the
incorrect return value of throw route") since we never return
routing table entry with dst.error == -EAGAIN when
CONFIG_IPV6_MULTIPLE_TABLES is on. Also there is no point
to check for RTF_REJECT flag since it is always set throw
route.

Fixes: 73ba57bfae4a ("ipv6: fix backtracking for throw routes")
Signed-off-by: Serhey Popovych &lt;serhe.popovych@gmail.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 07f615574f8ac499875b21c1142f26308234a92c ]

While commit 73ba57bfae4a ("ipv6: fix backtracking for throw routes")
does good job on error propagation to the fib_rules_lookup()
in fib rules core framework that also corrects throw routes
handling, it does not solve route reference leakage problem
happened when we return -EAGAIN to the fib_rules_lookup()
and leave routing table entry referenced in arg-&gt;result.

If rule with matched throw route isn't last matched in the
list we overwrite arg-&gt;result losing reference on throw
route stored previously forever.

We also partially revert commit ab997ad40839 ("ipv6: fix the
incorrect return value of throw route") since we never return
routing table entry with dst.error == -EAGAIN when
CONFIG_IPV6_MULTIPLE_TABLES is on. Also there is no point
to check for RTF_REJECT flag since it is always set throw
route.

Fixes: 73ba57bfae4a ("ipv6: fix backtracking for throw routes")
Signed-off-by: Serhey Popovych &lt;serhe.popovych@gmail.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>ipv6: make ECMP route replacement less greedy</title>
<updated>2017-03-22T11:04:17+00:00</updated>
<author>
<name>Sabrina Dubroca</name>
<email>sd@queasysnail.net</email>
</author>
<published>2017-03-13T12:28:09+00:00</published>
<link rel='alternate' type='text/html' href='https://git.toradex.cn/cgit/linux-toradex.git/commit/?id=5f8bc3856e285cc12597879039c17f7397f4b37d'/>
<id>5f8bc3856e285cc12597879039c17f7397f4b37d</id>
<content type='text'>
[ Upstream commit 67e194007be08d071294456274dd53e0a04fdf90 ]

Commit 27596472473a ("ipv6: fix ECMP route replacement") introduced a
loop that removes all siblings of an ECMP route that is being
replaced. However, this loop doesn't stop when it has replaced
siblings, and keeps removing other routes with a higher metric.
We also end up triggering the WARN_ON after the loop, because after
this nsiblings &lt; 0.

Instead, stop the loop when we have taken care of all routes with the
same metric as the route being replaced.

  Reproducer:
  ===========
    #!/bin/sh

    ip netns add ns1
    ip netns add ns2
    ip -net ns1 link set lo up

    for x in 0 1 2 ; do
        ip link add veth$x netns ns2 type veth peer name eth$x netns ns1
        ip -net ns1 link set eth$x up
        ip -net ns2 link set veth$x up
    done

    ip -net ns1 -6 r a 2000::/64 nexthop via fe80::0 dev eth0 \
            nexthop via fe80::1 dev eth1 nexthop via fe80::2 dev eth2
    ip -net ns1 -6 r a 2000::/64 via fe80::42 dev eth0 metric 256
    ip -net ns1 -6 r a 2000::/64 via fe80::43 dev eth0 metric 2048

    echo "before replace, 3 routes"
    ip -net ns1 -6 r | grep -v '^fe80\|^ff00'
    echo

    ip -net ns1 -6 r c 2000::/64 nexthop via fe80::4 dev eth0 \
            nexthop via fe80::5 dev eth1 nexthop via fe80::6 dev eth2

    echo "after replace, only 2 routes, metric 2048 is gone"
    ip -net ns1 -6 r | grep -v '^fe80\|^ff00'

Fixes: 27596472473a ("ipv6: fix ECMP route replacement")
Signed-off-by: Sabrina Dubroca &lt;sd@queasysnail.net&gt;
Acked-by: Nicolas Dichtel &lt;nicolas.dichtel@6wind.com&gt;
Reviewed-by: Xin Long &lt;lucien.xin@gmail.com&gt;
Reviewed-by: Michal Kubecek &lt;mkubecek@suse.cz&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 67e194007be08d071294456274dd53e0a04fdf90 ]

Commit 27596472473a ("ipv6: fix ECMP route replacement") introduced a
loop that removes all siblings of an ECMP route that is being
replaced. However, this loop doesn't stop when it has replaced
siblings, and keeps removing other routes with a higher metric.
We also end up triggering the WARN_ON after the loop, because after
this nsiblings &lt; 0.

Instead, stop the loop when we have taken care of all routes with the
same metric as the route being replaced.

  Reproducer:
  ===========
    #!/bin/sh

    ip netns add ns1
    ip netns add ns2
    ip -net ns1 link set lo up

    for x in 0 1 2 ; do
        ip link add veth$x netns ns2 type veth peer name eth$x netns ns1
        ip -net ns1 link set eth$x up
        ip -net ns2 link set veth$x up
    done

    ip -net ns1 -6 r a 2000::/64 nexthop via fe80::0 dev eth0 \
            nexthop via fe80::1 dev eth1 nexthop via fe80::2 dev eth2
    ip -net ns1 -6 r a 2000::/64 via fe80::42 dev eth0 metric 256
    ip -net ns1 -6 r a 2000::/64 via fe80::43 dev eth0 metric 2048

    echo "before replace, 3 routes"
    ip -net ns1 -6 r | grep -v '^fe80\|^ff00'
    echo

    ip -net ns1 -6 r c 2000::/64 nexthop via fe80::4 dev eth0 \
            nexthop via fe80::5 dev eth1 nexthop via fe80::6 dev eth2

    echo "after replace, only 2 routes, metric 2048 is gone"
    ip -net ns1 -6 r | grep -v '^fe80\|^ff00'

Fixes: 27596472473a ("ipv6: fix ECMP route replacement")
Signed-off-by: Sabrina Dubroca &lt;sd@queasysnail.net&gt;
Acked-by: Nicolas Dichtel &lt;nicolas.dichtel@6wind.com&gt;
Reviewed-by: Xin Long &lt;lucien.xin@gmail.com&gt;
Reviewed-by: Michal Kubecek &lt;mkubecek@suse.cz&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>ipv6: Fix mem leak in rt6i_pcpu</title>
<updated>2016-07-27T16:47:31+00:00</updated>
<author>
<name>Martin KaFai Lau</name>
<email>kafai@fb.com</email>
</author>
<published>2016-07-05T19:10:23+00:00</published>
<link rel='alternate' type='text/html' href='https://git.toradex.cn/cgit/linux-toradex.git/commit/?id=9c458a866844793b040ef496b635b2816b6ce31a'/>
<id>9c458a866844793b040ef496b635b2816b6ce31a</id>
<content type='text'>
[ Upstream commit 903ce4abdf374e3365d93bcb3df56c62008835ba ]

It was first reported and reproduced by Petr (thanks!) in
https://bugzilla.kernel.org/show_bug.cgi?id=119581

free_percpu(rt-&gt;rt6i_pcpu) used to always happen in ip6_dst_destroy().

However, after fixing a deadlock bug in
commit 9c7370a166b4 ("ipv6: Fix a potential deadlock when creating pcpu rt"),
free_percpu() is not called before setting non_pcpu_rt-&gt;rt6i_pcpu to NULL.

It is worth to note that rt6i_pcpu is protected by table-&gt;tb6_lock.

kmemleak somehow did not report it.  We nailed it down by
observing the pcpu entries in /proc/vmallocinfo (first suggested
by Hannes, thanks!).

Signed-off-by: Martin KaFai Lau &lt;kafai@fb.com&gt;
Fixes: 9c7370a166b4 ("ipv6: Fix a potential deadlock when creating pcpu rt")
Reported-by: Petr Novopashenniy &lt;pety@rusnet.ru&gt;
Tested-by: Petr Novopashenniy &lt;pety@rusnet.ru&gt;
Acked-by: Hannes Frederic Sowa &lt;hannes@stressinduktion.org&gt;
Cc: Hannes Frederic Sowa &lt;hannes@stressinduktion.org&gt;
Cc: Petr Novopashenniy &lt;pety@rusnet.ru&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 903ce4abdf374e3365d93bcb3df56c62008835ba ]

It was first reported and reproduced by Petr (thanks!) in
https://bugzilla.kernel.org/show_bug.cgi?id=119581

free_percpu(rt-&gt;rt6i_pcpu) used to always happen in ip6_dst_destroy().

However, after fixing a deadlock bug in
commit 9c7370a166b4 ("ipv6: Fix a potential deadlock when creating pcpu rt"),
free_percpu() is not called before setting non_pcpu_rt-&gt;rt6i_pcpu to NULL.

It is worth to note that rt6i_pcpu is protected by table-&gt;tb6_lock.

kmemleak somehow did not report it.  We nailed it down by
observing the pcpu entries in /proc/vmallocinfo (first suggested
by Hannes, thanks!).

Signed-off-by: Martin KaFai Lau &lt;kafai@fb.com&gt;
Fixes: 9c7370a166b4 ("ipv6: Fix a potential deadlock when creating pcpu rt")
Reported-by: Petr Novopashenniy &lt;pety@rusnet.ru&gt;
Tested-by: Petr Novopashenniy &lt;pety@rusnet.ru&gt;
Acked-by: Hannes Frederic Sowa &lt;hannes@stressinduktion.org&gt;
Cc: Hannes Frederic Sowa &lt;hannes@stressinduktion.org&gt;
Cc: Petr Novopashenniy &lt;pety@rusnet.ru&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
</feed>
