Patch "xfrm6: fix inet6_dev refcount underflow problem" has been added to the 6.1-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Fri, 20 Oct 2023 20:19:10 -0400

This is a note to let you know that I've just added the patch titled

    xfrm6: fix inet6_dev refcount underflow problem

to the 6.1-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     xfrm6-fix-inet6_dev-refcount-underflow-problem.patch
and it can be found in the queue-6.1 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit e18f0e6509ebb2ed91524ab5b591218445998b92
Author: Zhang Changzhong <zhangchangzhong@xxxxxxxxxx>
Date:   Fri Sep 15 19:20:41 2023 +0800

    xfrm6: fix inet6_dev refcount underflow problem
    
    [ Upstream commit cc9b364bb1d58d3dae270c7a931a8cc717dc2b3b ]
    
    There are race conditions that may lead to inet6_dev refcount underflow
    in xfrm6_dst_destroy() and rt6_uncached_list_flush_dev().
    
    One of the refcount underflow bugs is shown below:
            (cpu 1)                 |       (cpu 2)
    xfrm6_dst_destroy()             |
      ...                           |
      in6_dev_put()                 |
                                    |  rt6_uncached_list_flush_dev()
      ...                           |    ...
                                    |    in6_dev_put()
      rt6_uncached_list_del()       |    ...
      ...                           |
    
    xfrm6_dst_destroy() calls rt6_uncached_list_del() after in6_dev_put(),
    so rt6_uncached_list_flush_dev() has a chance to call in6_dev_put()
    again for the same inet6_dev.
    
    Fix it by moving in6_dev_put() after rt6_uncached_list_del() in
    xfrm6_dst_destroy().
    
    Fixes: 510c321b5571 ("xfrm: reuse uncached_list to track xdsts")
    Signed-off-by: Zhang Changzhong <zhangchangzhong@xxxxxxxxxx>
    Reviewed-by: Xin Long <lucien.xin@xxxxxxxxx>
    Signed-off-by: Steffen Klassert <steffen.klassert@xxxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/net/ipv6/xfrm6_policy.c b/net/ipv6/xfrm6_policy.c
index eecc5e59da17c..50c278f1c1063 100644
--- a/net/ipv6/xfrm6_policy.c
+++ b/net/ipv6/xfrm6_policy.c
@@ -117,10 +117,10 @@ static void xfrm6_dst_destroy(struct dst_entry *dst)
 {
 	struct xfrm_dst *xdst = (struct xfrm_dst *)dst;
 
-	if (likely(xdst->u.rt6.rt6i_idev))
-		in6_dev_put(xdst->u.rt6.rt6i_idev);
 	dst_destroy_metrics_generic(dst);
 	rt6_uncached_list_del(&xdst->u.rt6);
+	if (likely(xdst->u.rt6.rt6i_idev))
+		in6_dev_put(xdst->u.rt6.rt6i_idev);
 	xfrm_dst_destroy(xdst);
 }
 






