This is a note to let you know that I've just added the patch titled

    xfrm6: fix inet6_dev refcount underflow problem

to the 5.10-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     xfrm6-fix-inet6_dev-refcount-underflow-problem.patch
and it can be found in the queue-5.10 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


From e18f0e6509ebb2ed91524ab5b591218445998b92 Mon Sep 17 00:00:00 2001
From: Sasha Levin <sashal@xxxxxxxxxx>
Date: Fri, 15 Sep 2023 19:20:41 +0800
Subject: xfrm6: fix inet6_dev refcount underflow problem

From: Zhang Changzhong <zhangchangzhong@xxxxxxxxxx>

[ Upstream commit cc9b364bb1d58d3dae270c7a931a8cc717dc2b3b ]

There are race conditions that may lead to inet6_dev refcount underflow
in xfrm6_dst_destroy() and rt6_uncached_list_flush_dev().

One of the refcount underflow bugs is shown below:

        (cpu 1)                 |  (cpu 2)
xfrm6_dst_destroy()             |
  ...                           |
  in6_dev_put()                 |
                                |  rt6_uncached_list_flush_dev()
  ...                           |    ...
                                |    in6_dev_put()
  rt6_uncached_list_del()       |    ...
  ...                           |

xfrm6_dst_destroy() calls rt6_uncached_list_del() after in6_dev_put(),
so rt6_uncached_list_flush_dev() has a chance to call in6_dev_put()
again for the same inet6_dev.

Fix it by moving in6_dev_put() after rt6_uncached_list_del() in
xfrm6_dst_destroy().

Fixes: 510c321b5571 ("xfrm: reuse uncached_list to track xdsts")
Signed-off-by: Zhang Changzhong <zhangchangzhong@xxxxxxxxxx>
Reviewed-by: Xin Long <lucien.xin@xxxxxxxxx>
Signed-off-by: Steffen Klassert <steffen.klassert@xxxxxxxxxxx>
Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 net/ipv6/xfrm6_policy.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/net/ipv6/xfrm6_policy.c +++ b/net/ipv6/xfrm6_policy.c 
@@ -120,11 +120,11 @@ static void xfrm6_dst_destroy(struct dst { struct xfrm_dst *xdst = (struct xfrm_dst *)dst; - if (likely(xdst->u.rt6.rt6i_idev)) - in6_dev_put(xdst->u.rt6.rt6i_idev); dst_destroy_metrics_generic(dst); if (xdst->u.rt6.rt6i_uncached_list) rt6_uncached_list_del(&xdst->u.rt6); + if (likely(xdst->u.rt6.rt6i_idev)) + in6_dev_put(xdst->u.rt6.rt6i_idev); xfrm_dst_destroy(xdst); }

Patches currently in stable-queue which might be from sashal@xxxxxxxxxx are
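
Review bot: in xfrm6_dst_destroy(), the moved in6_dev_put(xdst->u.rt6.rt6i_idev) is now correct only because it runs after rt6_uncached_list_del(&xdst->u.rt6), but nothing in the code records that ordering requirement. A short comment above the relocated "if (likely(xdst->u.rt6.rt6i_idev))" check, stating that the inet6_dev reference must be dropped only once the dst is off the uncached list so that rt6_uncached_list_flush_dev() cannot put it a second time, would keep a later cleanup from moving the put back to the top of the function. The commit message also describes the diagram as "one of" the refcount underflow bugs; it would help to say whether this reorder closes the other interleavings too or whether they are handled elsewhere.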