[ Sasha's backport helper bot ] Hi, The upstream commit SHA1 provided is correct: 0f6ede9fbc747e2553612271bce108f7517e7a45 WARNING: Author mismatch between patch and upstream commit: Backport author: Vasiliy Kovalev<kovalev@xxxxxxxxxxxx> Commit author: Eric Dumazet<edumazet@xxxxxxxxxx> Status in newer kernel trees: 6.12.y | Present (different SHA1: 6610c7f8a8d4) 6.6.y | Present (different SHA1: b7a79e51297f) 6.1.y | Present (different SHA1: 3267b254dc0a) 5.15.y | Not found Note: The patch differs from the upstream commit: --- 1: 0f6ede9fbc74 ! 1: bb5ecf836b36 net: defer final 'struct net' free in netns dismantle @@ Metadata ## Commit message ## net: defer final 'struct net' free in netns dismantle + commit 0f6ede9fbc747e2553612271bce108f7517e7a45 upstream. + Ilya reported a slab-use-after-free in dst_destroy [1] Issue is in xfrm6_net_init() and xfrm4_net_init() : @@ Commit message Reviewed-by: Kuniyuki Iwashima <kuniyu@xxxxxxxxxx> Link: https://patch.msgid.link/20241204125455.3871859-1-edumazet@xxxxxxxxxx Signed-off-by: Jakub Kicinski <kuba@xxxxxxxxxx> + Signed-off-by: Vasiliy Kovalev <kovalev@xxxxxxxxxxxx> ## include/net/net_namespace.h ## @@ include/net/net_namespace.h: struct net { @@ net/core/net_namespace.c: static struct net *net_alloc(void) static void net_free(struct net *net) { if (refcount_dec_and_test(&net->passive)) { -@@ net/core/net_namespace.c: static void net_free(struct net *net) - /* There should not be any trackers left there. */ - ref_tracker_dir_exit(&net->notrefcnt_tracker); - + kfree(rcu_access_pointer(net->gen)); - kmem_cache_free(net_cachep, net); ++ + /* Wait for an extra rcu_barrier() before final free. */ + llist_add(&net->defer_free_list, &defer_free_list); } --- Results of testing on various branches: | Branch | Patch Apply | Build Test | |---------------------------|-------------|------------| | stable/linux-5.15.y | Success | Success |
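Review bot: In the net_free() hunk of net/core/net_namespace.c, the backport drops the upstream context lines around ref_tracker_dir_exit(&net->notrefcnt_tracker) and adds a blank line before the "Wait for an extra rcu_barrier() before final free." comment. Note below the "commit 0f6ede9fbc747e2553612271bce108f7517e7a45 upstream." line that the context was adjusted for 5.15.y, and drop the extra blank line so the hunk differs from upstream in context only. The report also flags an author mismatch: the backport should carry a From: line for Eric Dumazet so the upstream authorship is preserved when the patch is applied, with Vasiliy Kovalev appearing only in the added Signed-off-by.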