From patchwork Fri Jun 16 11:42:17 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Serhey Popovych <serhe.popovych@gmail.com>
X-Patchwork-Id: 776671
X-Patchwork-Delegate: davem@davemloft.net
Return-Path: <netdev-owner@vger.kernel.org>
X-Original-To: patchwork-incoming@ozlabs.org
Delivered-To: patchwork-incoming@ozlabs.org
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by ozlabs.org (Postfix) with ESMTP id 3wpz4y1fC7z9s8J
	for <patchwork-incoming@ozlabs.org>;
	Fri, 16 Jun 2017 21:42:42 +1000 (AEST)
Authentication-Results: ozlabs.org; dkim=pass (2048-bit key;
	unprotected) header.d=gmail.com header.i=@gmail.com
	header.b="BK8RKURX"; dkim-atps=neutral
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1752937AbdFPLmk (ORCPT <rfc822;patchwork-incoming@ozlabs.org>);
	Fri, 16 Jun 2017 07:42:40 -0400
Received: from mail-lf0-f65.google.com ([209.85.215.65]:36803 "EHLO
	mail-lf0-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1750899AbdFPLmj (ORCPT
	<rfc822;netdev@vger.kernel.org>); Fri, 16 Jun 2017 07:42:39 -0400
Received: by mail-lf0-f65.google.com with SMTP id x81so3885469lfb.3
	for <netdev@vger.kernel.org>; Fri, 16 Jun 2017 04:42:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=gmail.com; s=20161025; h=from:to:subject:date:message-id;
	bh=5r/nlGd/dv0iVuJbuV3Gx8lD3SfMNWTX8znBK4dQt7Y=;
	b=BK8RKURXODfzUBwqfnSoJ7Rdb2Gg5NMnKweObc7Fcq0NX1pV3uyZSs/puiZcBZtlpg
	6EpXj9y7aAcyRdUXIVcjWto5gN2/kW82DU9OyXQmnL5Y9TsNcWEUpSpVFGie0d7qyVlq
	oCNCpf8OwOWk/dsab4yFeV5woIMSrswyWJKMd5LzQ6u7NKZt/Wzh9QSHcbcPkbyF58+f
	U/3dIEJX3VEFCn6Fwd86cSvi5ygKw9wNVZa5cKBUTiHpnezikkxhQyNqXzpNw1LJ176E
	wZJKEOq/WdPDH2ct8/7M9N3gt+CUcK4q5uZYM7sPrAjtN0ZGvH2GeovDe4Egi7hTyS7M
	+YFA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:from:to:subject:date:message-id;
	bh=5r/nlGd/dv0iVuJbuV3Gx8lD3SfMNWTX8znBK4dQt7Y=;
	b=e5UPKNCeFMJ136bSTwW78Bq1XZ+GCVVmFuERVFZeuwyWa23kjbez0mqzOZOGAVf9sK
	+bDQoGD605MoAkZbMtCitmtEVtC57ExEsa5mEMdxEC1Hpczp/22dZBDT1N0F1Ja91ch/
	xQ2oMiRA2EYHqUWSTpb11J7uUacjt6H4myy236PruTCPgjroDuu3N99ETp5WzhT7DOV4
	Ev2H/n0R/ZaqwIaSMPGyX3hAO/HIuPNBqSZpz6X1G8kvsemzu6drG75wSRBT1oW4wV98
	8TJ5D8lnaxDRpPRWuud1C+4HI6SrQT+X9LPRxL/7++t4spcIgxYNNzan+IYqTUgY0eDL
	O/6A==
X-Gm-Message-State: AKS2vOzKHgq5sF6/A3pTRRqo7ecepKq2VA7oGEAA51Sv12l7DNpM415O
	BNuermPpTGFAFTD1tDpPXw==
X-Received: by 10.25.115.14 with SMTP id o14mr2910003lfc.96.1497613347328;
	Fri, 16 Jun 2017 04:42:27 -0700 (PDT)
Received: from tuxracer.synapse.com ([195.238.92.77])
	by smtp.gmail.com with ESMTPSA id 90sm544966lfs.9.2017.06.16.04.42.26
	for <netdev@vger.kernel.org>
	(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
	Fri, 16 Jun 2017 04:42:26 -0700 (PDT)
From: Serhey Popovych <serhe.popovych@gmail.com>
To: netdev@vger.kernel.org
Subject: ipv6: Do not leak throw route references
Date: Fri, 16 Jun 2017 14:42:17 +0300
Message-Id: <1497613337-24027-1-git-send-email-serhe.popovych@gmail.com>
X-Mailer: git-send-email 1.8.3.1
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
List-ID: <netdev.vger.kernel.org>
X-Mailing-List: netdev@vger.kernel.org

While commit 73ba57b (ipv6: fix backtracking for throw routes)
does good job on error propagation to the fib_rules_lookup()
in fib rules core framework that also corrects throw routes
handling, it does not solve route reference leakage problem
happened when we return -EAGAIN to the fib_rules_lookup()
and leave routing table entry referenced in arg->result.

If rule with matched throw route isn't last matched in the
list we overwrite arg->result loosing reference on throw
route stored previously forever.

We also partially revert commit ab997ad (ipv6: fix the
incorrect return value of throw route) since we never return
routing table entry with dst.error == -EAGAIN when
CONFIG_IPV6_MULTIPLE_TABLES is on. Also there is no point
to check for RTF_REJECT flag since it is always set throw
route.

Fixes: 73ba57b (ipv6: fix backtracking for throw routes)
Signed-off-by: Serhey Popovych <serhe.popovych@gmail.com>
---
 net/ipv6/fib6_rules.c |   22 ++++++----------------
 net/ipv6/ip6_fib.c    |    3 +--
 2 files changed, 7 insertions(+), 18 deletions(-)

diff --git a/net/ipv6/fib6_rules.c b/net/ipv6/fib6_rules.c
index 11318b7..65a3c62 100644
--- a/net/ipv6/fib6_rules.c
+++ b/net/ipv6/fib6_rules.c
@@ -33,7 +33,6 @@ struct fib6_rule
 struct dst_entry *fib6_rule_lookup(struct net *net, struct flowi6 *fl6,
 				   int flags, pol_lookup_t lookup)
 {
-	struct rt6_info *rt;
 	struct fib_lookup_arg arg = {
 		.lookup_ptr = lookup,
 		.flags = FIB_LOOKUP_NOREF,
@@ -42,21 +41,11 @@ struct dst_entry *fib6_rule_lookup(struct net *net, struct flowi6 *fl6,
 	fib_rules_lookup(net->ipv6.fib6_rules_ops,
 			 flowi6_to_flowi(fl6), flags, &arg);
 
-	rt = arg.result;
+	if (arg.result)
+		return arg.result;
 
-	if (!rt) {
-		dst_hold(&net->ipv6.ip6_null_entry->dst);
-		return &net->ipv6.ip6_null_entry->dst;
-	}
-
-	if (rt->rt6i_flags & RTF_REJECT &&
-	    rt->dst.error == -EAGAIN) {
-		ip6_rt_put(rt);
-		rt = net->ipv6.ip6_null_entry;
-		dst_hold(&rt->dst);
-	}
-
-	return &rt->dst;
+	dst_hold(&net->ipv6.ip6_null_entry->dst);
+	return &net->ipv6.ip6_null_entry->dst;
 }
 
 static int fib6_rule_action(struct fib_rule *rule, struct flowi *flp,
@@ -117,7 +106,8 @@ static int fib6_rule_action(struct fib_rule *rule, struct flowi *flp,
 			ipv6_addr_copy(&flp6->saddr, &saddr);
 		}
 		err = rt->dst.error;
-		goto out;
+		if (err != -EAGAIN)
+			goto out;
 	}
 again:
 	ip6_rt_put(rt);
diff --git a/net/ipv6/ip6_fib.c b/net/ipv6/ip6_fib.c
index d3cd013..32f91cd 100644
--- a/net/ipv6/ip6_fib.c
+++ b/net/ipv6/ip6_fib.c
@@ -249,8 +249,7 @@ struct dst_entry *fib6_rule_lookup(struct net *net, struct flowi6 *fl6,
 	table = fib6_get_table(net, RT6_TABLE_MAIN);
 	if (table) {
 		rt = lookup(net, table, fl6, flags);
-		if (rt->rt6i_flags & RTF_REJECT &&
-		    rt->dst.error == -EAGAIN) {
+		if (rt->dst.error == -EAGAIN) {
 			ip6_rt_put(rt);
 			rt = NULL;
 		}