Re: [PATCH 5.10] net: defer final 'struct net' free in netns dismantle

[ Sasha's backport helper bot ]

Hi,

The upstream commit SHA1 provided is correct: 0f6ede9fbc747e2553612271bce108f7517e7a45

WARNING: Author mismatch between patch and upstream commit:
Backport author: Vasiliy Kovalev<kovalev@xxxxxxxxxxxx>
Commit author: Eric Dumazet<edumazet@xxxxxxxxxx>


Status in newer kernel trees:
6.12.y | Present (different SHA1: 6610c7f8a8d4)
6.6.y | Present (different SHA1: b7a79e51297f)
6.1.y | Present (different SHA1: 3267b254dc0a)
5.15.y | Not found
5.10.y | Not found

Note: The patch differs from the upstream commit:
---
1:  0f6ede9fbc74 ! 1:  2b14d8a38dbc net: defer final 'struct net' free in netns dismantle
    @@ Metadata
      ## Commit message ##
         net: defer final 'struct net' free in netns dismantle
     
    +    commit 0f6ede9fbc747e2553612271bce108f7517e7a45 upstream.
    +
         Ilya reported a slab-use-after-free in dst_destroy [1]
     
         Issue is in xfrm6_net_init() and xfrm4_net_init() :
    @@ Commit message
         Reviewed-by: Kuniyuki Iwashima <kuniyu@xxxxxxxxxx>
         Link: https://patch.msgid.link/20241204125455.3871859-1-edumazet@xxxxxxxxxx
         Signed-off-by: Jakub Kicinski <kuba@xxxxxxxxxx>
    +    Signed-off-by: Vasiliy Kovalev <kovalev@xxxxxxxxxxxx>
     
      ## include/net/net_namespace.h ##
     @@ include/net/net_namespace.h: struct net {
    @@ net/core/net_namespace.c: static struct net *net_alloc(void)
     +
      static void net_free(struct net *net)
      {
    - 	if (refcount_dec_and_test(&net->passive)) {
    -@@ net/core/net_namespace.c: static void net_free(struct net *net)
    - 		/* There should not be any trackers left there. */
    - 		ref_tracker_dir_exit(&net->notrefcnt_tracker);
    - 
    --		kmem_cache_free(net_cachep, net);
    +-	kfree(rcu_access_pointer(net->gen));
    +-	kmem_cache_free(net_cachep, net);
    ++	if (refcount_dec_and_test(&net->passive)) {
    ++		kfree(rcu_access_pointer(net->gen));
    ++
     +		/* Wait for an extra rcu_barrier() before final free. */
     +		llist_add(&net->defer_free_list, &defer_free_list);
    - 	}
    ++	}
      }
      
    + void net_drop_ns(void *p)
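Review bot: the refcount_dec_and_test(&net->passive) test in net_free() is newly added by this backport, while the 5.10 lines it removes (kfree(rcu_access_pointer(net->gen)) and kmem_cache_free(net_cachep, net)) ran unconditionally, so the passive drop now lives inside net_free() in this tree. Upstream carried that test only as unchanged context. The callers are not visible in this range-diff: please confirm that net_drop_ns(), which follows as context, and every other caller of net_free() in 5.10.y no longer performs its own refcount_dec_and_test(&net->passive) before calling in, since otherwise passive would be decremented twice on the final put and the llist_add() to defer_free_list would not run. A sentence in the backport's commit message describing this adaptation would make the difference from upstream easier to review.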
     @@ net/core/net_namespace.c: static void cleanup_net(struct work_struct *work)
      	 */
      	rcu_barrier();
---

Results of testing on various branches:

| Branch                    | Patch Apply | Build Test |
|---------------------------|-------------|------------|
| stable/linux-5.10.y       |  Success    |  Success   |



