1. 23 6月, 2017 1 次提交
  2. 15 6月, 2017 1 次提交
    • X
      ipv6: fix calling in6_ifa_hold incorrectly for dad work · f8a894b2
      Xin Long 提交于
      Now when starting the dad work in addrconf_mod_dad_work, if the dad work
      is idle and queued, it needs to hold ifa.
      
      The problem is there's one gap in [1], during which if the pending dad work
      is removed elsewhere. It will miss to hold ifa, but the dad word is still
      idea and queue.
      
              if (!delayed_work_pending(&ifp->dad_work))
                      in6_ifa_hold(ifp);
                          <--------------[1]
              mod_delayed_work(addrconf_wq, &ifp->dad_work, delay);
      
      An use-after-free issue can be caused by this.
      
      Chen Wei found this issue when WARN_ON(!hlist_unhashed(&ifp->addr_lst)) in
      net6_ifa_finish_destroy was hit because of it.
      
      As Hannes' suggestion, this patch is to fix it by holding ifa first in
      addrconf_mod_dad_work, then calling mod_delayed_work and putting ifa if
      the dad_work is already in queue.
      
      Note that this patch did not choose to fix it with:
      
        if (!mod_delayed_work(delay))
                in6_ifa_hold(ifp);
      
      As with it, when delay == 0, dad_work would be scheduled immediately, all
      addrconf_mod_dad_work(0) callings had to be moved under ifp->lock.
      Reported-by: NWei Chen <weichen@redhat.com>
      Suggested-by: NHannes Frederic Sowa <hannes@stressinduktion.org>
      Acked-by: NHannes Frederic Sowa <hannes@stressinduktion.org>
      Signed-off-by: NXin Long <lucien.xin@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      f8a894b2
  3. 16 5月, 2017 1 次提交
    • M
      ipv6: avoid dad-failures for addresses with NODAD · 66eb9f86
      Mahesh Bandewar 提交于
      Every address gets added with TENTATIVE flag even for the addresses with
      IFA_F_NODAD flag and dad-work is scheduled for them. During this DAD process
      we realize it's an address with NODAD and complete the process without
      sending any probe. However the TENTATIVE flags stays on the
      address for sometime enough to cause misinterpretation when we receive a NS.
      While processing NS, if the address has TENTATIVE flag, we mark it DADFAILED
      and endup with an address that was originally configured as NODAD with
      DADFAILED.
      
      We can't avoid scheduling dad_work for addresses with NODAD but we can
      avoid adding TENTATIVE flag to avoid this racy situation.
      Signed-off-by: NMahesh Bandewar <maheshb@google.com>
      Acked-by: NDavid Ahern <dsahern@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      66eb9f86
  4. 09 5月, 2017 1 次提交
    • W
      ipv6: reorder ip6_route_dev_notifier after ipv6_dev_notf · 242d3a49
      WANG Cong 提交于
      For each netns (except init_net), we initialize its null entry
      in 3 places:
      
      1) The template itself, as we use kmemdup()
      2) Code around dst_init_metrics() in ip6_route_net_init()
      3) ip6_route_dev_notify(), which is supposed to initialize it after
         loopback registers
      
      Unfortunately the last one still happens in a wrong order because
      we expect to initialize net->ipv6.ip6_null_entry->rt6i_idev to
      net->loopback_dev's idev, thus we have to do that after we add
      idev to loopback. However, this notifier has priority == 0 same as
      ipv6_dev_notf, and ipv6_dev_notf is registered after
      ip6_route_dev_notifier so it is called actually after
      ip6_route_dev_notifier. This is similar to commit 2f460933
      ("ipv6: initialize route null entry in addrconf_init()") which
      fixes init_net.
      
      Fix it by picking a smaller priority for ip6_route_dev_notifier.
      Also, we have to release the refcnt accordingly when unregistering
      loopback_dev because device exit functions are called before subsys
      exit functions.
      Acked-by: NDavid Ahern <dsahern@gmail.com>
      Tested-by: NDavid Ahern <dsahern@gmail.com>
      Signed-off-by: NCong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      242d3a49
  5. 05 5月, 2017 1 次提交
  6. 03 5月, 2017 1 次提交
    • D
      net: ipv6: Do not duplicate DAD on link up · 6d717134
      David Ahern 提交于
      Andrey reported a warning triggered by the rcu code:
      
      ------------[ cut here ]------------
      WARNING: CPU: 1 PID: 5911 at lib/debugobjects.c:289
      debug_print_object+0x175/0x210
      ODEBUG: activate active (active state 1) object type: rcu_head hint:
              (null)
      Modules linked in:
      CPU: 1 PID: 5911 Comm: a.out Not tainted 4.11.0-rc8+ #271
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:16
       dump_stack+0x192/0x22d lib/dump_stack.c:52
       __warn+0x19f/0x1e0 kernel/panic.c:549
       warn_slowpath_fmt+0xe0/0x120 kernel/panic.c:564
       debug_print_object+0x175/0x210 lib/debugobjects.c:286
       debug_object_activate+0x574/0x7e0 lib/debugobjects.c:442
       debug_rcu_head_queue kernel/rcu/rcu.h:75
       __call_rcu.constprop.76+0xff/0x9c0 kernel/rcu/tree.c:3229
       call_rcu_sched+0x12/0x20 kernel/rcu/tree.c:3288
       rt6_rcu_free net/ipv6/ip6_fib.c:158
       rt6_release+0x1ea/0x290 net/ipv6/ip6_fib.c:188
       fib6_del_route net/ipv6/ip6_fib.c:1461
       fib6_del+0xa42/0xdc0 net/ipv6/ip6_fib.c:1500
       __ip6_del_rt+0x100/0x160 net/ipv6/route.c:2174
       ip6_del_rt+0x140/0x1b0 net/ipv6/route.c:2187
       __ipv6_ifa_notify+0x269/0x780 net/ipv6/addrconf.c:5520
       addrconf_ifdown+0xe60/0x1a20 net/ipv6/addrconf.c:3672
      ...
      
      Andrey's reproducer program runs in a very tight loop, calling
      'unshare -n' and then spawning 2 sets of 14 threads running random ioctl
      calls. The relevant networking sequence:
      
      1. New network namespace created via unshare -n
      - ip6tnl0 device is created in down state
      
      2. address added to ip6tnl0
      - equivalent to ip -6 addr add dev ip6tnl0 fd00::bb/1
      - DAD is started on the address and when it completes the host
        route is inserted into the FIB
      
      3. ip6tnl0 is brought up
      - the new fixup_permanent_addr function restarts DAD on the address
      
      4. exit namespace
      - teardown / cleanup sequence starts
      - once in a blue moon, lo teardown appears to happen BEFORE teardown
        of ip6tunl0
        + down on 'lo' removes the host route from the FIB since the dst->dev
          for the route is loobback
        + host route added to rcu callback list
          * rcu callback has not run yet, so rt is NOT on the gc list so it has
            NOT been marked obsolete
      
      5. in parallel to 4. worker_thread runs addrconf_dad_completed
      - DAD on the address on ip6tnl0 completes
      - calls ipv6_ifa_notify which inserts the host route
      
      All of that happens very quickly. The result is that a host route that
      has been deleted from the IPv6 FIB and added to the RCU list is re-inserted
      into the FIB.
      
      The exit namespace eventually gets to cleaning up ip6tnl0 which removes the
      host route from the FIB again, calls the rcu function for cleanup -- and
      triggers the double rcu trace.
      
      The root cause is duplicate DAD on the address -- steps 2 and 3. Arguably,
      DAD should not be started in step 2. The interface is in the down state,
      so it can not really send out requests for the address which makes starting
      DAD pointless.
      
      Since the second DAD was introduced by a recent change, seems appropriate
      to use it for the Fixes tag and have the fixup function only start DAD for
      addresses in the PREDAD state which occurs in addrconf_ifdown if the
      address is retained.
      
      Big thanks to Andrey for isolating a reliable reproducer for this problem.
      Fixes: f1705ec1 ("net: ipv6: Make address flushing on ifdown optional")
      Reported-by: NAndrey Konovalov <andreyknvl@google.com>
      Signed-off-by: NDavid Ahern <dsahern@gmail.com>
      Tested-by: NAndrey Konovalov <andreyknvl@google.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      6d717134
  7. 26 4月, 2017 1 次提交
    • D
      net: ipv6: regenerate host route if moved to gc list · 8048ced9
      David Ahern 提交于
      Taking down the loopback device wreaks havoc on IPv6 routing. By
      extension, taking down a VRF device wreaks havoc on its table.
      
      Dmitry and Andrey both reported heap out-of-bounds reports in the IPv6
      FIB code while running syzkaller fuzzer. The root cause is a dead dst
      that is on the garbage list gets reinserted into the IPv6 FIB. While on
      the gc (or perhaps when it gets added to the gc list) the dst->next is
      set to an IPv4 dst. A subsequent walk of the ipv6 tables causes the
      out-of-bounds access.
      
      Andrey's reproducer was the key to getting to the bottom of this.
      
      With IPv6, host routes for an address have the dst->dev set to the
      loopback device. When the 'lo' device is taken down, rt6_ifdown initiates
      a walk of the fib evicting routes with the 'lo' device which means all
      host routes are removed. That process moves the dst which is attached to
      an inet6_ifaddr to the gc list and marks it as dead.
      
      The recent change to keep global IPv6 addresses added a new function,
      fixup_permanent_addr, that is called on admin up. That function restarts
      dad for an inet6_ifaddr and when it completes the host route attached
      to it is inserted into the fib. Since the route was marked dead and
      moved to the gc list, re-inserting the route causes the reported
      out-of-bounds accesses. If the device with the address is taken down
      or the address is removed, the WARN_ON in fib6_del is triggered.
      
      All of those faults are fixed by regenerating the host route if the
      existing one has been moved to the gc list, something that can be
      determined by checking if the rt6i_ref counter is 0.
      
      Fixes: f1705ec1 ("net: ipv6: Make address flushing on ifdown optional")
      Reported-by: NDmitry Vyukov <dvyukov@google.com>
      Reported-by: NAndrey Konovalov <andreyknvl@google.com>
      Signed-off-by: NDavid Ahern <dsa@cumulusnetworks.com>
      Acked-by: NMartin KaFai Lau <kafai@fb.com>
      Acked-by: NEric Dumazet <edumazet@google.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      8048ced9
  8. 18 4月, 2017 1 次提交
  9. 14 4月, 2017 1 次提交
  10. 13 4月, 2017 3 次提交
  11. 29 3月, 2017 2 次提交
  12. 23 3月, 2017 1 次提交
  13. 07 3月, 2017 1 次提交
  14. 02 3月, 2017 2 次提交
  15. 09 2月, 2017 1 次提交
    • M
      ipv6: addrconf: fix generation of new temporary addresses · a11a7f71
      Marcus Huewe 提交于
      Under some circumstances it is possible that no new temporary addresses
      will be generated.
      
      For instance, addrconf_prefix_rcv_add_addr() indirectly calls
      ipv6_create_tempaddr(), which creates a tentative temporary address and
      starts dad. Next, addrconf_prefix_rcv_add_addr() indirectly calls
      addrconf_verify_rtnl(). Now, assume that the previously created temporary
      address has the least preferred lifetime among all existing addresses and
      is still tentative (that is, dad is still running). Hence, the next run of
      addrconf_verify_rtnl() is performed when the preferred lifetime of the
      temporary address ends. If dad succeeds before the next run, the temporary
      address becomes deprecated during the next run, but no new temporary
      address is generated.
      
      In order to fix this, schedule the next addrconf_verify_rtnl() run slightly
      before the temporary address becomes deprecated, if dad succeeded.
      Signed-off-by: NMarcus Huewe <suse-tux@gmx.de>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      a11a7f71
  16. 07 2月, 2017 1 次提交
    • L
      ipv6: Fix IPv6 packet loss in scenarios involving roaming + snooping switches · a088d1d7
      Linus Lüssing 提交于
      When for instance a mobile Linux device roams from one access point to
      another with both APs sharing the same broadcast domain and a
      multicast snooping switch in between:
      
      1)    (c) <~~~> (AP1) <--[SSW]--> (AP2)
      
      2)              (AP1) <--[SSW]--> (AP2) <~~~> (c)
      
      Then currently IPv6 multicast packets will get lost for (c) until an
      MLD Querier sends its next query message. The packet loss occurs
      because upon roaming the Linux host so far stayed silent regarding
      MLD and the snooping switch will therefore be unaware of the
      multicast topology change for a while.
      
      This patch fixes this by always resending MLD reports when an interface
      change happens, for instance from NO-CARRIER to CARRIER state.
      Signed-off-by: NLinus Lüssing <linus.luessing@c0d3.blue>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      a088d1d7
  17. 27 1月, 2017 2 次提交
  18. 20 1月, 2017 1 次提交
  19. 07 1月, 2017 1 次提交
    • M
      ipv6: do not send RTM_DELADDR for tentative addresses · f784ad3d
      Mahesh Bandewar 提交于
      RTM_NEWADDR notification is sent when IFA_F_TENTATIVE is cleared from
      the address. So if the address is added and deleted before DAD probes
      completes, the RTM_DELADDR will be sent for which there was no
      RTM_NEWADDR causing asymmetry in notification. However if the same
      logic is used while sending RTM_DELADDR notification, this asymmetry
      can be avoided.
      Signed-off-by: NMahesh Bandewar <maheshb@google.com>
      CC: Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>
      CC: Patrick McHardy <kaber@trash.net>
      CC: Hannes Frederic Sowa <hannes@stressinduktion.org>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      f784ad3d
  20. 04 12月, 2016 1 次提交
  21. 25 11月, 2016 1 次提交
    • P
      ipv6: bump genid when the IFA_F_TENTATIVE flag is clear · 764d3be6
      Paolo Abeni 提交于
      When an ipv6 address has the tentative flag set, it can't be
      used as source for egress traffic, while the associated route,
      if any, can be looked up and even stored into some dst_cache.
      
      In the latter scenario, the source ipv6 address selected and
      stored in the cache is most probably wrong (e.g. with
      link-local scope) and the entity using the dst_cache will
      experience lack of ipv6 connectivity until said cache is
      cleared or invalidated.
      
      Overall this may cause lack of connectivity over most IPv6 tunnels
      (comprising geneve and vxlan), if the first egress packet reaches
      the tunnel before the DaD is completed for the used ipv6
      address.
      
      This patch bumps a new genid after that the IFA_F_TENTATIVE flag
      is cleared, so that dst_cache will be invalidated on
      next lookup and ipv6 connectivity restored.
      
      Fixes: 0c1d70af ("net: use dst_cache for vxlan device")
      Fixes: 468dfffc ("geneve: add dst caching support")
      Acked-by: NHannes Frederic Sowa <hannes@stressinduktion.org>
      Signed-off-by: NPaolo Abeni <pabeni@redhat.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      764d3be6
  22. 10 11月, 2016 2 次提交
    • D
      ipv6: sr: add core files for SR HMAC support · bf355b8d
      David Lebrun 提交于
      This patch adds the necessary functions to compute and check the HMAC signature
      of an SR-enabled packet. Two HMAC algorithms are supported: hmac(sha1) and
      hmac(sha256).
      
      In order to avoid dynamic memory allocation for each HMAC computation,
      a per-cpu ring buffer is allocated for this purpose.
      
      A new per-interface sysctl called seg6_require_hmac is added, allowing a
      user-defined policy for processing HMAC-signed SR-enabled packets.
      A value of -1 means that the HMAC field will always be ignored.
      A value of 0 means that if an HMAC field is present, its validity will
      be enforced (the packet is dropped is the signature is incorrect).
      Finally, a value of 1 means that any SR-enabled packet that does not
      contain an HMAC signature or whose signature is incorrect will be dropped.
      Signed-off-by: NDavid Lebrun <david.lebrun@uclouvain.be>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      bf355b8d
    • D
      ipv6: implement dataplane support for rthdr type 4 (Segment Routing Header) · 1ababeba
      David Lebrun 提交于
      Implement minimal support for processing of SR-enabled packets
      as described in
      https://tools.ietf.org/html/draft-ietf-6man-segment-routing-header-02.
      
      This patch implements the following operations:
      - Intermediate segment endpoint: incrementation of active segment and rerouting.
      - Egress for SR-encapsulated packets: decapsulation of outer IPv6 header + SRH
        and routing of inner packet.
      - Cleanup flag support for SR-inlined packets: removal of SRH if we are the
        penultimate segment endpoint.
      
      A per-interface sysctl seg6_enabled is provided, to accept/deny SR-enabled
      packets. Default is deny.
      
      This patch does not provide support for HMAC-signed packets.
      Signed-off-by: NDavid Lebrun <david.lebrun@uclouvain.be>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      1ababeba
  23. 21 10月, 2016 1 次提交
  24. 14 10月, 2016 3 次提交
    • J
      IPv6: fix DESYNC_FACTOR · 76506a98
      Jiri Bohac 提交于
      The IPv6 temporary address generation uses a variable called DESYNC_FACTOR
      to prevent hosts updating the addresses at the same time. Quoting RFC 4941:
      
         ... The value DESYNC_FACTOR is a random value (different for each
         client) that ensures that clients don't synchronize with each other and
         generate new addresses at exactly the same time ...
      
      DESYNC_FACTOR is defined as:
      
         DESYNC_FACTOR -- A random value within the range 0 - MAX_DESYNC_FACTOR.
         It is computed once at system start (rather than each time it is used)
         and must never be greater than (TEMP_VALID_LIFETIME - REGEN_ADVANCE).
      
      First, I believe the RFC has a typo in it and meant to say: "and must
      never be greater than (TEMP_PREFERRED_LIFETIME - REGEN_ADVANCE)"
      
      The reason is that at various places in the RFC, DESYNC_FACTOR is used in
      a calculation like (TEMP_PREFERRED_LIFETIME - DESYNC_FACTOR) or
      (TEMP_PREFERRED_LIFETIME - REGEN_ADVANCE - DESYNC_FACTOR). It needs to be
      smaller than (TEMP_PREFERRED_LIFETIME - REGEN_ADVANCE) for the result of
      these calculations to be larger than zero. It's never used in a
      calculation together with TEMP_VALID_LIFETIME.
      
      I already submitted an errata to the rfc-editor:
      https://www.rfc-editor.org/errata_search.php?rfc=4941
      
      The Linux implementation of DESYNC_FACTOR is very wrong:
      max_desync_factor is used in places DESYNC_FACTOR should be used.
      max_desync_factor is initialized to the RFC-recommended value for
      MAX_DESYNC_FACTOR (600) but the whole point is to get a _random_ value.
      
      And nothing ensures that the value used is not greater than
      (TEMP_PREFERRED_LIFETIME - REGEN_ADVANCE), which leads to underflows.  The
      effect can easily be observed when setting the temp_prefered_lft sysctl
      e.g. to 60. The preferred lifetime of the temporary addresses will be
      bogus.
      
      TEMP_PREFERRED_LIFETIME and REGEN_ADVANCE are not constants and can be
      influenced by these three sysctls: regen_max_retry, dad_transmits and
      temp_prefered_lft. Thus, the upper bound for desync_factor needs to be
      re-calculated each time a new address is generated and if desync_factor is
      larger than the new upper bound, a new random value needs to be
      re-generated.
      
      And since we already have max_desync_factor configurable per interface, we
      also need to calculate and store desync_factor per interface.
      Signed-off-by: NJiri Bohac <jbohac@suse.cz>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      76506a98
    • J
      IPv6: Drop the temporary address regen_timer · 9d6280da
      Jiri Bohac 提交于
      The randomized interface identifier (rndid) was periodically updated from
      the regen_timer timer. Simplify the code by updating the rndid only when
      needed by ipv6_try_regen_rndid().
      
      This makes the follow-up DESYNC_FACTOR fix much simpler.  Also it fixes a
      reference counting error in this error path, where an in6_dev_put was
      missing:
      		err = addrconf_sysctl_register(ndev);
      		if (err) {
      			ipv6_mc_destroy_dev(ndev);
      	-               del_timer(&ndev->regen_timer);
      			snmp6_unregister_dev(ndev);
      			goto err_release;
      Signed-off-by: NJiri Bohac <jbohac@suse.cz>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      9d6280da
    • N
      ipv6: correctly add local routes when lo goes up · a220445f
      Nicolas Dichtel 提交于
      The goal of the patch is to fix this scenario:
       ip link add dummy1 type dummy
       ip link set dummy1 up
       ip link set lo down ; ip link set lo up
      
      After that sequence, the local route to the link layer address of dummy1 is
      not there anymore.
      
      When the loopback is set down, all local routes are deleted by
      addrconf_ifdown()/rt6_ifdown(). At this time, the rt6_info entry still
      exists, because the corresponding idev has a reference on it. After the rcu
      grace period, dst_rcu_free() is called, and thus ___dst_free(), which will
      set obsolete to DST_OBSOLETE_DEAD.
      
      In this case, init_loopback() is called before dst_rcu_free(), thus
      obsolete is still sets to something <= 0. So, the function doesn't add the
      route again. To avoid that race, let's check the rt6 refcnt instead.
      
      Fixes: 25fb6ca4 ("net IPv6 : Fix broken IPv6 routing table after loopback down-up")
      Fixes: a881ae1f ("ipv6: don't call addrconf_dst_alloc again when enable lo")
      Fixes: 33d99113 ("ipv6: reallocate addrconf router for ipv6 address when lo device up")
      Reported-by: NFrancesco Santoro <francesco.santoro@6wind.com>
      Reported-by: NSamuel Gauthier <samuel.gauthier@6wind.com>
      CC: Balakumaran Kannan <Balakumaran.Kannan@ap.sony.com>
      CC: Maruthi Thotad <Maruthi.Thotad@ap.sony.com>
      CC: Sabrina Dubroca <sd@queasysnail.net>
      CC: Hannes Frederic Sowa <hannes@stressinduktion.org>
      CC: Weilong Chen <chenweilong@huawei.com>
      CC: Gao feng <gaofeng@cn.fujitsu.com>
      Signed-off-by: NNicolas Dichtel <nicolas.dichtel@6wind.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      a220445f
  25. 08 10月, 2016 1 次提交
  26. 03 10月, 2016 1 次提交
    • M
      ipv6 addrconf: remove addrconf_sysctl_hop_limit() · cb9e684e
      Maciej Żenczykowski 提交于
      This is an effective no-op in terms of user observable behaviour.
      
      By preventing the overwrite of non-null extra1/extra2 fields
      in addrconf_sysctl() we can enable the use of proc_dointvec_minmax().
      
      This allows us to eliminate the constant min/max (1..255) trampoline
      function that is addrconf_sysctl_hop_limit().
      
      This is nice because it simplifies the code, and allows future
      sysctls with constant min/max limits to also not require trampolines.
      
      We still can't eliminate the trampoline for mtu because it isn't
      actually a constant (it depends on other tunables of the device)
      and thus requires at-write-time logic to enforce range.
      Signed-off-by: NMaciej Żenczykowski <maze@google.com>
      Acked-by: NErik Kline <ek@google.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      cb9e684e
  27. 30 9月, 2016 2 次提交
  28. 07 9月, 2016 1 次提交
    • W
      ipv6: addrconf: fix dev refcont leak when DAD failed · 751eb6b6
      Wei Yongjun 提交于
      In general, when DAD detected IPv6 duplicate address, ifp->state
      will be set to INET6_IFADDR_STATE_ERRDAD and DAD is stopped by a
      delayed work, the call tree should be like this:
      
      ndisc_recv_ns
        -> addrconf_dad_failure        <- missing ifp put
           -> addrconf_mod_dad_work
             -> schedule addrconf_dad_work()
               -> addrconf_dad_stop()  <- missing ifp hold before call it
      
      addrconf_dad_failure() called with ifp refcont holding but not put.
      addrconf_dad_work() call addrconf_dad_stop() without extra holding
      refcount. This will not cause any issue normally.
      
      But the race between addrconf_dad_failure() and addrconf_dad_work()
      may cause ifp refcount leak and netdevice can not be unregister,
      dmesg show the following messages:
      
      IPv6: eth0: IPv6 duplicate address fe80::XX:XXXX:XXXX:XX detected!
      ...
      unregister_netdevice: waiting for eth0 to become free. Usage count = 1
      
      Cc: stable@vger.kernel.org
      Fixes: c15b1cca ("ipv6: move DAD and addrconf_verify processing
      to workqueue")
      Signed-off-by: NWei Yongjun <weiyongjun1@huawei.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      751eb6b6
  29. 02 9月, 2016 2 次提交
  30. 23 8月, 2016 1 次提交
    • M
      net: ipv6: Remove addresses for failures with strict DAD · 85b51b12
      Mike Manning 提交于
      If DAD fails with accept_dad set to 2, global addresses and host routes
      are incorrectly left in place. Even though disable_ipv6 is set,
      contrary to documentation, the addresses are not dynamically deleted
      from the interface. It is only on a subsequent link down/up that these
      are removed. The fix is not only to set the disable_ipv6 flag, but
      also to call addrconf_ifdown(), which is the action to carry out when
      disabling IPv6. This results in the addresses and routes being deleted
      immediately. The DAD failure for the LL addr is determined as before
      via netlink, or by the absence of the LL addr (which also previously
      would have had to be checked for in case of an intervening link down
      and up). As the call to addrconf_ifdown() requires an rtnl lock, the
      logic to disable IPv6 when DAD fails is moved to addrconf_dad_work().
      
      Previous behavior:
      
      root@vm1:/# sysctl net.ipv6.conf.eth3.accept_dad=2
      net.ipv6.conf.eth3.accept_dad = 2
      root@vm1:/# ip -6 addr add 2000::10/64 dev eth3
      root@vm1:/# ip link set up eth3
      root@vm1:/# ip -6 addr show dev eth3
      5: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
          inet6 2000::10/64 scope global
             valid_lft forever preferred_lft forever
          inet6 fe80::5054:ff:fe43:dd5a/64 scope link tentative dadfailed
             valid_lft forever preferred_lft forever
      root@vm1:/# ip -6 route show dev eth3
      2000::/64  proto kernel  metric 256
      fe80::/64  proto kernel  metric 256
      root@vm1:/# ip link set down eth3
      root@vm1:/# ip link set up eth3
      root@vm1:/# ip -6 addr show dev eth3
      root@vm1:/# ip -6 route show dev eth3
      root@vm1:/#
      
      New behavior:
      
      root@vm1:/# sysctl net.ipv6.conf.eth3.accept_dad=2
      net.ipv6.conf.eth3.accept_dad = 2
      root@vm1:/# ip -6 addr add 2000::10/64 dev eth3
      root@vm1:/# ip link set up eth3
      root@vm1:/# ip -6 addr show dev eth3
      root@vm1:/# ip -6 route show dev eth3
      root@vm1:/#
      Signed-off-by: NMike Manning <mmanning@brocade.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      85b51b12