CyberLeo.Net >> Repos - FreeBSD/FreeBSD.git/commit

routing: Fix crashes with dpdk_lpm[46] algo.

When a prefix gets deleted from the RIB, dpdk_lpm algo needs to know
the nexthop of the "parent" prefix to update its internal state.
The glue code, which utilises RIB as a backing route store, uses
fib[46]_lookup_rt() for the prefix destination after its deletion
to fetch the desired nexthop.
This approach does not work when deleting less-specific prefixes
with most-specific ones are still present. For example, if
10.0.0.0/24, 10.0.0.0/23 and 10.0.0.0/22 exist in RIB, deleting
10.0.0.0/23 would result in 10.0.0.0/24 being returned as a search
result instead of 10.0.0.0/22. This, in turn, results in the failed
datastructure update: part of the deleted /23 prefix will still
contain the reference to an old nexthop. This leads to the
use-after-free behaviour, ending with the eventual crashes.

Fix the logic flaw by properly fetching the prefix "parent" via
newly-created rt_get_inet[6]_parent() helpers.

Differential Revision: https://reviews.freebsd.org/D31546
PR: 256882,256833

(cherry picked from commit 36e15b717eec80047fe7442898b5752101f2fbca)

author	Alexander V. Chernikov <melifaro@FreeBSD.org>
	Sun, 15 Aug 2021 22:25:21 +0000 (22:25 +0000)
committer	Alexander V. Chernikov <melifaro@FreeBSD.org>
	Tue, 7 Sep 2021 21:02:58 +0000 (21:02 +0000)
commit	5007bc4e13906104163ca78440ffcefb5c126548
tree	ee6f779ea3a922ceaa5db6e2142ff318978c7e65	tree \| snapshot
parent	b17ecfd3a7e7945fe27d1f57abf2825450e78a60	commit \| diff

sys/contrib/dpdk_rte_lpm/dpdk_lpm.c		diff \| blob \| history
sys/contrib/dpdk_rte_lpm/dpdk_lpm6.c		diff \| blob \| history
sys/net/radix.c		diff \| blob \| history
sys/net/radix.h		diff \| blob \| history
sys/net/route/route_ctl.h		diff \| blob \| history
sys/net/route/route_helpers.c		diff \| blob \| history