Patch "xfrm6: fix inet6_dev refcount underflow problem" has been added to the 5.4-stable tree

This is a note to let you know that I've just added the patch titled

    xfrm6: fix inet6_dev refcount underflow problem

to the 5.4-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     xfrm6-fix-inet6_dev-refcount-underflow-problem.patch
and it can be found in the queue-5.4 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


From e18f0e6509ebb2ed91524ab5b591218445998b92 Mon Sep 17 00:00:00 2001
From: Sasha Levin <sashal@xxxxxxxxxx>
Date: Fri, 15 Sep 2023 19:20:41 +0800
Subject: xfrm6: fix inet6_dev refcount underflow problem

From: Zhang Changzhong <zhangchangzhong@xxxxxxxxxx>

[ Upstream commit cc9b364bb1d58d3dae270c7a931a8cc717dc2b3b ]

There are race conditions that may lead to inet6_dev refcount underflow
in xfrm6_dst_destroy() and rt6_uncached_list_flush_dev().

One of the refcount underflow bugs is shown below:
        (cpu 1)                 |       (cpu 2)
xfrm6_dst_destroy()             |
  ...                           |
  in6_dev_put()                 |
                                |  rt6_uncached_list_flush_dev()
  ...                           |    ...
                                |    in6_dev_put()
  rt6_uncached_list_del()       |    ...
  ...                           |

xfrm6_dst_destroy() calls rt6_uncached_list_del() after in6_dev_put(),
so rt6_uncached_list_flush_dev() has a chance to call in6_dev_put()
again for the same inet6_dev.

Fix it by moving in6_dev_put() after rt6_uncached_list_del() in
xfrm6_dst_destroy().

Fixes: 510c321b5571 ("xfrm: reuse uncached_list to track xdsts")
Signed-off-by: Zhang Changzhong <zhangchangzhong@xxxxxxxxxx>
Reviewed-by: Xin Long <lucien.xin@xxxxxxxxx>
Signed-off-by: Steffen Klassert <steffen.klassert@xxxxxxxxxxx>
Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 net/ipv6/xfrm6_policy.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/net/ipv6/xfrm6_policy.c
+++ b/net/ipv6/xfrm6_policy.c
@@ -120,11 +120,11 @@ static void xfrm6_dst_destroy(struct dst
 {
 	struct xfrm_dst *xdst = (struct xfrm_dst *)dst;
 
-	if (likely(xdst->u.rt6.rt6i_idev))
-		in6_dev_put(xdst->u.rt6.rt6i_idev);
 	dst_destroy_metrics_generic(dst);
 	if (xdst->u.rt6.rt6i_uncached_list)
 		rt6_uncached_list_del(&xdst->u.rt6);
+	if (likely(xdst->u.rt6.rt6i_idev))
+		in6_dev_put(xdst->u.rt6.rt6i_idev);
 	xfrm_dst_destroy(xdst);
 }
 
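Review bot: the in6_dev_put() now placed after rt6_uncached_list_del() in xfrm6_dst_destroy() is only correct because of that ordering, and nothing in the function records the constraint. A short comment above the moved `if (likely(xdst->u.rt6.rt6i_idev))` saying the put must follow removal from the uncached list, since rt6_uncached_list_flush_dev() can put the same inet6_dev while the entry is still listed, would keep a later cleanup from reintroducing the underflow. The commit message also names rt6_uncached_list_flush_dev() as a second place where the underflow shows up but changes only this function; it would help to state explicitly that the reordering here covers that path as well.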


Patches currently in stable-queue which might be from sashal@xxxxxxxxxx are

queue-5.4/overlayfs-set-ctime-when-setting-mtime-and-atime.patch
queue-5.4/resource-add-irqresource_disabled.patch
queue-5.4/acpi-resource-add-asus-model-s5402za-to-quirks.patch
queue-5.4/xen-netback-use-default-tx-queue-size-for-vifs.patch
queue-5.4/regulator-core-revert-fix-kobject-release-warning-an.patch
queue-5.4/wifi-mac80211-allow-transmitting-eapol-frames-with-t.patch
queue-5.4/gpio-vf610-mask-the-gpio-irq-in-system-suspend-and-s.patch
queue-5.4/phy-mapphone-mdm6600-fix-runtime-disable-on-probe.patch
queue-5.4/phy-mapphone-mdm6600-fix-runtime-pm-for-remove.patch
queue-5.4/ata-libata-eh-fix-compilation-warning-in-ata_eh_link.patch
queue-5.4/xfrm6-fix-inet6_dev-refcount-underflow-problem.patch
queue-5.4/i2c-mux-avoid-potential-false-error-message-in-i2c_m.patch
queue-5.4/acpi-resources-add-dmi-based-legacy-irq-override-qui.patch
queue-5.4/wifi-cfg80211-avoid-leaking-stack-data-into-trace.patch
queue-5.4/powerpc-64e-fix-wrong-test-in-__ptep_test_and_clear_.patch
queue-5.4/acpi-resource-skip-irq-override-on-asus-expertbook-b.patch-28910
queue-5.4/bluetooth-avoid-redundant-authentication.patch
queue-5.4/gpio-timberdale-fix-potential-deadlock-on-tgpio-lock.patch
queue-5.4/drm-vmwgfx-fix-typo-of-sizeof-argument.patch
queue-5.4/btrfs-initialize-start_slot-in-btrfs_log_prealloc_ex.patch
queue-5.4/asoc-pxa-fix-a-memory-leak-in-probe.patch
queue-5.4/workqueue-override-implicit-ordered-attribute-in-wor.patch
queue-5.4/sky2-make-sure-there-is-at-least-one-frag_addr-avail.patch
queue-5.4/ieee802154-ca8210-fix-a-potential-uaf-in-ca8210_prob.patch
queue-5.4/ixgbe-fix-crash-with-empty-vf-macvlan-list.patch
queue-5.4/acpi-resource-skip-irq-override-on-asus-vivobook-s56.patch
queue-5.4/acpi-resource-skip-irq-override-on-asus-expertbook-b.patch-27870
queue-5.4/nfc-nci-assert-requested-protocol-is-valid.patch
queue-5.4/tracing-relax-trace_event_eval_update-execution-with.patch
queue-5.4/acpi-resource-skip-irq-override-on-asus-expertbook-b.patch
queue-5.4/acpi-resource-add-asus-expertbook-b2502-to-asus-quir.patch
queue-5.4/hid-multitouch-add-required-quirk-for-synaptics-0xcd.patch
queue-5.4/bluetooth-hci_event-fix-using-memcmp-when-comparing-.patch
queue-5.4/ravb-fix-up-dma_free_coherent-call-in-ravb_remove.patch
queue-5.4/bluetooth-hci_core-fix-build-warnings.patch
queue-5.4/arm-dts-ti-omap-fix-noisy-serial-with-overrun-thrott.patch
queue-5.4/platform-x86-hp-wmi-mark-driver-struct-with-__refdat.patch
queue-5.4/dmaengine-mediatek-fix-deadlock-caused-by-synchroniz.patch
queue-5.4/net-nfc-fix-races-in-nfc_llcp_sock_get-and-nfc_llcp_.patch
queue-5.4/phy-mapphone-mdm6600-fix-pinctrl_pm-handling-for-sle.patch
queue-5.4/eth-remove-copies-of-the-napi_poll_weight-define.patch
queue-5.4/powerpc-8xx-fix-pte_access_permitted-for-page_none.patch
queue-5.4/mlxsw-fix-mlxsw_sp2_nve_vxlan_learning_set-return-ty.patch
queue-5.4/gpio-vf610-make-irq_chip-immutable.patch
queue-5.4/btrfs-return-euclean-for-delayed-tree-ref-with-a-ref.patch
queue-5.4/hid-holtek-fix-slab-out-of-bounds-write-in-holtek_kb.patch
queue-5.4/rdma-cxgb4-check-skb-value-for-failure-to-allocate.patch
queue-5.4/acpi-drop-acpi_dev_irqresource_disabled.patch
queue-5.4/acpi-resource-skip-irq-override-on-asus-vivobook-k34.patch
queue-5.4/drm-msm-dsi-skip-the-wait-for-video-mode-done-if-not.patch
queue-5.4/drm-panel-orientation-quirks-add-quirk-for-one-mix-2.patch
queue-5.4/btrfs-fix-some-wmaybe-uninitialized-warnings-in-ioct.patch


