This is a note to let you know that I've just added the patch titled

    xfrm6: fix inet6_dev refcount underflow problem

to the 5.15-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     xfrm6-fix-inet6_dev-refcount-underflow-problem.patch
and it can be found in the queue-5.15 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


From e18f0e6509ebb2ed91524ab5b591218445998b92 Mon Sep 17 00:00:00 2001
From: Sasha Levin <sashal@xxxxxxxxxx>
Date: Fri, 15 Sep 2023 19:20:41 +0800
Subject: xfrm6: fix inet6_dev refcount underflow problem

From: Zhang Changzhong <zhangchangzhong@xxxxxxxxxx>

[ Upstream commit cc9b364bb1d58d3dae270c7a931a8cc717dc2b3b ]

There are race conditions that may lead to inet6_dev refcount underflow
in xfrm6_dst_destroy() and rt6_uncached_list_flush_dev().

One of the refcount underflow bugs is shown below:

	(cpu 1)                     |	(cpu 2)
xfrm6_dst_destroy()             |
  ...                           |
  in6_dev_put()                 |
                                |  rt6_uncached_list_flush_dev()
  ...                           |    ...
                                |    in6_dev_put()
  rt6_uncached_list_del()       |    ...
  ...                           |

xfrm6_dst_destroy() calls rt6_uncached_list_del() after in6_dev_put(),
so rt6_uncached_list_flush_dev() has a chance to call in6_dev_put()
again for the same inet6_dev.

Fix it by moving in6_dev_put() after rt6_uncached_list_del() in
xfrm6_dst_destroy().

Fixes: 510c321b5571 ("xfrm: reuse uncached_list to track xdsts")
Signed-off-by: Zhang Changzhong <zhangchangzhong@xxxxxxxxxx>
Reviewed-by: Xin Long <lucien.xin@xxxxxxxxx>
Signed-off-by: Steffen Klassert <steffen.klassert@xxxxxxxxxxx>
Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 net/ipv6/xfrm6_policy.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/net/ipv6/xfrm6_policy.c
+++ b/net/ipv6/xfrm6_policy.c
@@ -120,11 +120,11 @@ static void xfrm6_dst_destroy(struct dst { struct xfrm_dst *xdst = (struct xfrm_dst *)dst; - if (likely(xdst->u.rt6.rt6i_idev)) - in6_dev_put(xdst->u.rt6.rt6i_idev); dst_destroy_metrics_generic(dst); if (xdst->u.rt6.rt6i_uncached_list) rt6_uncached_list_del(&xdst->u.rt6); + if (likely(xdst->u.rt6.rt6i_idev)) + in6_dev_put(xdst->u.rt6.rt6i_idev); xfrm_dst_destroy(xdst); } Patches currently in stable-queue which might be from sashal@xxxxxxxxxx are queue-5.15/overlayfs-set-ctime-when-setting-mtime-and-atime.patch queue-5.15/wifi-mwifiex-sanity-check-tlv_len-and-tlv_bitmap_len.patch queue-5.15/net-fix-ifname-in-netlink-ntf-during-netns-move.patch queue-5.15/regulator-core-revert-fix-kobject-release-warning-an.patch queue-5.15/iio-un-inline-iio_buffer_enabled.patch queue-5.15/wifi-mac80211-allow-transmitting-eapol-frames-with-t.patch queue-5.15/net-introduce-a-function-to-check-if-a-netdev-name-i.patch queue-5.15/btrfs-error-when-cowing-block-from-a-root-that-is-be.patch queue-5.15/gpio-vf610-mask-the-gpio-irq-in-system-suspend-and-s.patch queue-5.15/phy-mapphone-mdm6600-fix-runtime-disable-on-probe.patch queue-5.15/mctp-perform-route-lookups-under-a-rcu-read-side-loc.patch queue-5.15/iio-core-hide-read-accesses-to-iio_dev-currentmode.patch queue-5.15/powerpc-47x-fix-47x-syscall-return-crash.patch queue-5.15/phy-mapphone-mdm6600-fix-runtime-pm-for-remove.patch queue-5.15/ata-libata-eh-fix-compilation-warning-in-ata_eh_link.patch queue-5.15/xfrm6-fix-inet6_dev-refcount-underflow-problem.patch queue-5.15/i2c-mux-avoid-potential-false-error-message-in-i2c_m.patch queue-5.15/wifi-cfg80211-avoid-leaking-stack-data-into-trace.patch queue-5.15/nfp-flower-avoid-rmmod-nfp-crash-issues.patch queue-5.15/perf-x86-lbr-filter-vsyscall-addresses.patch queue-5.15/bluetooth-avoid-redundant-authentication.patch queue-5.15/gpio-timberdale-fix-potential-deadlock-on-tgpio-lock.patch queue-5.15/drm-get-rid-of-drm_debug_-log-calls-in-drm-core-file.patch 
queue-5.15/btrfs-initialize-start_slot-in-btrfs_log_prealloc_ex.patch
queue-5.15/btrfs-error-out-when-reallocating-block-for-defrag-u.patch
queue-5.15/asoc-pxa-fix-a-memory-leak-in-probe.patch
queue-5.15/sky2-make-sure-there-is-at-least-one-frag_addr-avail.patch
queue-5.15/drm-atomic-helper-relax-unregistered-connector-check.patch
queue-5.15/ksmbd-not-allow-to-open-file-if-delelete-on-close-bi.patch
queue-5.15/bluetooth-btusb-add-shutdown-function-for-qca6174.patch
queue-5.15/serial-8250_omap-fix-errors-with-no_console_suspend.patch
queue-5.15/powerpc-32s-remove-capability-to-disable-kuep-at-boo.patch
queue-5.15/fs-writeback-do-not-requeue-a-clean-inode-having-ski.patch
queue-5.15/tracing-relax-trace_event_eval_update-execution-with.patch
queue-5.15/hid-multitouch-add-required-quirk-for-synaptics-0xcd.patch
queue-5.15/net-mlx5-handle-fw-tracer-change-ownership-event-bas.patch
queue-5.15/platform-x86-touchscreen_dmi-add-info-for-the-positi.patch
queue-5.15/bluetooth-hci_event-fix-using-memcmp-when-comparing-.patch
queue-5.15/bluetooth-hci_core-fix-build-warnings.patch
queue-5.15/arm-dts-ti-omap-fix-noisy-serial-with-overrun-thrott.patch
queue-5.15/powerpc-32s-do-kuep_lock-and-kuep_unlock-in-assembly.patch
queue-5.15/phy-mapphone-mdm6600-fix-pinctrl_pm-handling-for-sle.patch
queue-5.15/wifi-cfg80211-fix-6ghz-scan-configuration.patch
queue-5.15/perf-add-irq-and-exception-return-branch-types.patch
queue-5.15/iio-adc-ad7192-correct-reference-voltage.patch
queue-5.15/gpio-vf610-make-irq_chip-immutable.patch
queue-5.15/selftests-mm-fix-awk-usage-in-charge_reserved_hugetl.patch
queue-5.15/net-move-from-strlcpy-with-unused-retval-to-strscpy.patch
queue-5.15/mctp-allow-local-delivery-to-the-null-eid.patch
queue-5.15/btrfs-return-euclean-for-delayed-tree-ref-with-a-ref.patch
queue-5.15/iio-core-introduce-iio_device_-claim-release-_buffer.patch
queue-5.15/btrfs-error-out-when-cowing-block-using-a-stale-tran.patch
queue-5.15/serial-8250-omap-fix-imprecise-external-abort-for-om.patch
queue-5.15/perf-x86-move-branch-classifier.patch
queue-5.15/hid-holtek-fix-slab-out-of-bounds-write-in-holtek_kb.patch
queue-5.15/iio-cros_ec-fix-an-use-after-free-in-cros_ec_sensors.patch
queue-5.15/ata-libata-core-fix-compilation-warning-in-ata_dev_c.patch
queue-5.15/wifi-iwlwifi-ensure-ack-flag-is-properly-cleared.patch
queue-5.15/ipv4-fib-send-notify-when-delete-source-address-rout.patch
queue-5.15/drm-panel-orientation-quirks-add-quirk-for-one-mix-2.patch
queue-5.15/btrfs-fix-some-wmaybe-uninitialized-warnings-in-ioct.patch
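
Review bot: in xfrm6_dst_destroy() (net/ipv6/xfrm6_policy.c) the in6_dev_put() call now has to stay below rt6_uncached_list_del(), but nothing in the function records that ordering requirement, so a later cleanup could move the put back up and reintroduce the double put against rt6_uncached_list_flush_dev() that the commit message describes. A one-line comment above the moved "if (likely(xdst->u.rt6.rt6i_idev))" stating that the reference may only be dropped once the xdst is off the uncached list would protect it. The commit message could also say which inet6_dev rt6i_idev refers to when rt6_uncached_list_flush_dev() has already run before rt6_uncached_list_del(), since the moved lines still read rt6i_idev and call in6_dev_put() on it in that case.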