ipv4: restore rt->fi for reference counting

IPv4 dst could use fi->fib_metrics to store metrics but fib_info itself is refcnt'ed, so without taking a refcnt fi and fi->fib_metrics could be freed while dst metrics still points to it. This triggers use-after-free as reported by Andrey twice. This patch reverts commit 2860583fe840 ("ipv4: Kill rt->fi") to restore this reference counting. It is a quick fix for -net and -stable, for -net-next, as Eric suggested, we can consider doing reference counting for metrics itself instead of relying on fib_info. IPv6 is very different, it copies or steals the metrics from mx6_config in fib6_commit_metrics() so probably doesn't need a refcnt. Decnet has already done the refcnt'ing, see dn_fib_semantic_match(). Fixes: 2860583fe840 ("ipv4: Kill rt->fi") Reported-by: Andrey Konovalov <andreyknvl@google.com> Tested-by: Andrey Konovalov <andreyknvl@google.com> Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com> Acked-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
author: WANG Cong <xiyou.wangcong@gmail.com> 2017-05-04 17:54:17 -0400
committer: David S. Miller <davem@davemloft.net> 2017-05-08 14:35:03 -0400
commit: 82486aa6f1b9bc8145e6d0fa2bc0b44307f3b875 (patch)
tree: 97674aade6f2ac755baebde5255a916028c50125
parent: 3013c4983eb15f4ce8958e81922cdfd80f771d3e (diff)
2 files changed, 18 insertions, 1 deletions
diff --git a/include/net/route.h b/include/net/route.h
index 2cc0e14c6359..4335eb72a04c 100644
--- a/include/net/route.h
+++ b/include/net/route.h
@@ -69,6 +69,7 @@ struct rtable {
        struct list_head        rt_uncached;
        struct uncached_list    *rt_uncached_list;
+        struct fib_info         *fi; /* for refcnt to shared metrics */
 };
 static inline bool rt_is_input_route(const struct rtable *rt)
diff --git a/net/ipv4/route.c b/net/ipv4/route.c
index 655d9eebe43e..f647310f8e4d 100644
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -1387,6 +1387,11 @@ static void ipv4_dst_destroy(struct dst_entry *dst)
 {
        struct rtable *rt = (struct rtable *) dst;
+        if (rt->fi) {
+                fib_info_put(rt->fi);
+                rt->fi = NULL;
+        }
        if (!list_empty(&rt->rt_uncached)) {
                struct uncached_list *ul = rt->rt_uncached_list;
@@ -1424,6 +1429,16 @@ static bool rt_cache_valid(const struct rtable *rt)
                !rt_is_expired(rt);
 }
+static void rt_init_metrics(struct rtable *rt, struct fib_info *fi)
+{
+        if (fi->fib_metrics != (u32 *)dst_default_metrics) {
+                fib_info_hold(fi);
+                rt->fi = fi;
+        }
+        dst_init_metrics(&rt->dst, fi->fib_metrics, true);
+}
 static void rt_set_nexthop(struct rtable *rt, __be32 daddr,
                           const struct fib_result *res,
                           struct fib_nh_exception *fnhe,
@@ -1438,7 +1453,7 @@ static void rt_set_nexthop(struct rtable *rt, __be32 daddr,
                        rt->rt_gateway = nh->nh_gw;
                        rt->rt_uses_gateway = 1;
                }
-                dst_init_metrics(&rt->dst, fi->fib_metrics, true);
+                rt_init_metrics(rt, fi);
 #ifdef CONFIG_IP_ROUTE_CLASSID
                rt->dst.tclassid = nh->nh_tclassid;
 #endif
@@ -1490,6 +1505,7 @@ struct rtable *rt_dst_alloc(struct net_device *dev,
                rt->rt_gateway = 0;
                rt->rt_uses_gateway = 0;
                rt->rt_table_id = 0;
+                rt->fi = NULL;
                INIT_LIST_HEAD(&rt->rt_uncached);
                rt->dst.output = ip_output;
author	WANG Cong <xiyou.wangcong@gmail.com>	2017-05-04 17:54:17 -0400
committer	David S. Miller <davem@davemloft.net>	2017-05-08 14:35:03 -0400
commit	82486aa6f1b9bc8145e6d0fa2bc0b44307f3b875 (patch)
tree	97674aade6f2ac755baebde5255a916028c50125
parent	3013c4983eb15f4ce8958e81922cdfd80f771d3e (diff)