• Ido Schimmel's avatar
    net: ipv4: Fix memory leak in network namespace dismantle · 54da4fb6
    Ido Schimmel authored
    BugLink: https://bugs.launchpad.net/bugs/1818803
    
    [ Upstream commit f97f4dd8 ]
    
    IPv4 routing tables are flushed in two cases:
    
    1. In response to events in the netdev and inetaddr notification chains
    2. When a network namespace is being dismantled
    
    In both cases only routes associated with a dead nexthop group are
    flushed. However, a nexthop group will only be marked as dead in case it
    is populated with actual nexthops using a nexthop device. This is not
    the case when the route in question is an error route (e.g.,
    'blackhole', 'unreachable').
    
    Therefore, when a network namespace is being dismantled such routes are
    not flushed and leaked [1].
    
    To reproduce:
    # ip netns add blue
    # ip -n blue route add unreachable 192.0.2.0/24
    # ip netns del blue
    
    Fix this by not skipping error routes that are not marked with
    RTNH_F_DEAD when flushing the routing tables.
    
    To prevent the flushing of such routes in case #1, add a parameter to
    fib_table_flush() that indicates if the table is flushed as part of
    namespace dismantle or not.
    
    Note that this problem does not exist in IPv6 since error routes are
    associated with the loopback device.
    
    [1]
    unreferenced object 0xffff888066650338 (size 56):
      comm "ip", pid 1206, jiffies 4294786063 (age 26.235s)
      hex dump (first 32 bytes):
        00 00 00 00 00 00 00 00 b0 1c 62 61 80 88 ff ff  ..........ba....
        e8 8b a1 64 80 88 ff ff 00 07 00 08 fe 00 00 00  ...d............
      backtrace:
        [<00000000856ed27d>] inet_rtm_newroute+0x129/0x220
        [<00000000fcdfc00a>] rtnetlink_rcv_msg+0x397/0xa20
        [<00000000cb85801a>] netlink_rcv_skb+0x132/0x380
        [<00000000ebc991d2>] netlink_unicast+0x4c0/0x690
        [<0000000014f62875>] netlink_sendmsg+0x929/0xe10
        [<00000000bac9d967>] sock_sendmsg+0xc8/0x110
        [<00000000223e6485>] ___sys_sendmsg+0x77a/0x8f0
        [<000000002e94f880>] __sys_sendmsg+0xf7/0x250
        [<00000000ccb1fa72>] do_syscall_64+0x14d/0x610
        [<00000000ffbe3dae>] entry_SYSCALL_64_after_hwframe+0x49/0xbe
        [<000000003a8b605b>] 0xffffffffffffffff
    unreferenced object 0xffff888061621c88 (size 48):
      comm "ip", pid 1206, jiffies 4294786063 (age 26.235s)
      hex dump (first 32 bytes):
        6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
        6b 6b 6b 6b 6b 6b 6b 6b d8 8e 26 5f 80 88 ff ff  kkkkkkkk..&_....
      backtrace:
        [<00000000733609e3>] fib_table_insert+0x978/0x1500
        [<00000000856ed27d>] inet_rtm_newroute+0x129/0x220
        [<00000000fcdfc00a>] rtnetlink_rcv_msg+0x397/0xa20
        [<00000000cb85801a>] netlink_rcv_skb+0x132/0x380
        [<00000000ebc991d2>] netlink_unicast+0x4c0/0x690
        [<0000000014f62875>] netlink_sendmsg+0x929/0xe10
        [<00000000bac9d967>] sock_sendmsg+0xc8/0x110
        [<00000000223e6485>] ___sys_sendmsg+0x77a/0x8f0
        [<000000002e94f880>] __sys_sendmsg+0xf7/0x250
        [<00000000ccb1fa72>] do_syscall_64+0x14d/0x610
        [<00000000ffbe3dae>] entry_SYSCALL_64_after_hwframe+0x49/0xbe
        [<000000003a8b605b>] 0xffffffffffffffff
    
    Fixes: 8cced9ef ("[NETNS]: Enable routing configuration in non-initial namespace.")
    Signed-off-by: default avatarIdo Schimmel <idosch@mellanox.com>
    Reviewed-by: default avatarDavid Ahern <dsahern@gmail.com>
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: default avatarJuerg Haefliger <juergh@canonical.com>
    Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
    54da4fb6
ip_fib.h 9.46 KB