Patch "ipv6/addrconf: fix a potential refcount underflow for idev" has been added to the 6.1-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Sun, 16 Jul 2023 21:10:07 -0400

This is a note to let you know that I've just added the patch titled

    ipv6/addrconf: fix a potential refcount underflow for idev

to the 6.1-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     ipv6-addrconf-fix-a-potential-refcount-underflow-for.patch
and it can be found in the queue-6.1 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 06a02c88d3a087d91221deedbf3c69aea072004c
Author: Ziyang Xuan <william.xuanziyang@xxxxxxxxxx>
Date:   Sat Jul 8 14:59:10 2023 +0800

    ipv6/addrconf: fix a potential refcount underflow for idev
    
    [ Upstream commit 06a0716949c22e2aefb648526580671197151acc ]
    
    Now in addrconf_mod_rs_timer(), reference idev depends on whether
    rs_timer is not pending. Then modify rs_timer timeout.
    
    There is a time gap in [1], during which if the pending rs_timer
    becomes not pending. It will miss to hold idev, but the rs_timer
    is activated. Thus rs_timer callback function addrconf_rs_timer()
    will be executed and put idev later without holding idev. A refcount
    underflow issue for idev can be caused by this.
    
            if (!timer_pending(&idev->rs_timer))
                    in6_dev_hold(idev);
                      <--------------[1]
            mod_timer(&idev->rs_timer, jiffies + when);
    
    To fix the issue, hold idev if mod_timer() return 0.
    
    Fixes: b7b1bfce0bb6 ("ipv6: split duplicate address detection and router solicitation timer")
    Suggested-by: Eric Dumazet <edumazet@xxxxxxxxxx>
    Signed-off-by: Ziyang Xuan <william.xuanziyang@xxxxxxxxxx>
    Reviewed-by: Eric Dumazet <edumazet@xxxxxxxxxx>
    Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
index e6c7edcf68343..51bfc74805ecf 100644
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -318,9 +318,8 @@ static void addrconf_del_dad_work(struct inet6_ifaddr *ifp)
 static void addrconf_mod_rs_timer(struct inet6_dev *idev,
 				  unsigned long when)
 {
-	if (!timer_pending(&idev->rs_timer))
+	if (!mod_timer(&idev->rs_timer, jiffies + when))
 		in6_dev_hold(idev);
-	mod_timer(&idev->rs_timer, jiffies + when);
 }
 
 static void addrconf_mod_dad_work(struct inet6_ifaddr *ifp,






