ipv6: prevent possible fib6 leaks

At ipv6 route dismantle, fib6_drop_pcpu_from() is responsible
for finding all percpu routes and set their ->from pointer
to NULL, so that fib6_ref can reach its expected value (1).

The problem right now is that other cpus can still catch the
route being deleted, since there is no rcu grace period
between the route deletion and call to fib6_drop_pcpu_from()

This can leak the fib6 and associated resources, since no
notifier will take care of removing the last reference(s).

I decided to add another boolean (fib6_destroying) instead
of reusing/renaming exception_bucket_flushed to ease stable backports,
and properly document the memory barriers used to implement this fix.

This patch has been co-developped with Wei Wang.

Fixes: 93531c674315 ("net/ipv6: separate handling of FIB entries from dst based routes")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Cc: Wei Wang <weiwan@google.com>
Cc: David Ahern <dsahern@gmail.com>
Cc: Martin Lau <kafai@fb.com>
Acked-by: Wei Wang <weiwan@google.com>
Acked-by: Martin KaFai Lau <kafai@fb.com>
Reviewed-by: David Ahern <dsahern@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

2 files changed, 16 insertions, 3 deletions

diff --git a/net/ipv6/ip6_fib.c b/net/ipv6/ip6_fib.c
index 08e0390e001c..008421b550c6 100644
--- a/net/ipv6/ip6_fib.c
+++ b/net/ipv6/ip6_fib.c
@@ -904,6 +904,12 @@ static void fib6_drop_pcpu_from(struct fib6_info *f6i,
 {
         int cpu;
 
+        /* Make sure rt6_make_pcpu_route() wont add other percpu routes
+         * while we are cleaning them here.
+         */
+        f6i->fib6_destroying = 1;
+        mb(); /* paired with the cmpxchg() in rt6_make_pcpu_route() */
+
         /* release the reference to this fib entry from
          * all of its cached pcpu routes
          */
@@ -927,6 +933,9 @@ static void fib6_purge_rt(struct fib6_info *rt, struct fib6_node *fn,
 {
         struct fib6_table *table = rt->fib6_table;
 
+        if (rt->rt6i_pcpu)
+                fib6_drop_pcpu_from(rt, table);
+
         if (refcount_read(&rt->fib6_ref) != 1) {
                 /* This route is used as dummy address holder in some split
                  * nodes. It is not leaked, but it still holds other resources,
@@ -948,9 +957,6 @@ static void fib6_purge_rt(struct fib6_info *rt, struct fib6_node *fn,
                         fn = rcu_dereference_protected(fn->parent,
                                     lockdep_is_held(&table->tb6_lock));
                 }
-
-                if (rt->rt6i_pcpu)
-                        fib6_drop_pcpu_from(rt, table);
         }
 }
 
diff --git a/net/ipv6/route.c b/net/ipv6/route.c
index 23a20d62daac..27c0cc5d9d30 100644
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -1295,6 +1295,13 @@ static struct rt6_info *rt6_make_pcpu_route(struct net *net,
         prev = cmpxchg(p, NULL, pcpu_rt);
         BUG_ON(prev);
 
+        if (res->f6i->fib6_destroying) {
+                struct fib6_info *from;
+
+                from = xchg((__force struct fib6_info **)&pcpu_rt->from, NULL);
+                fib6_info_release(from);
+        }
+
         return pcpu_rt;
 }