[ Sasha's backport helper bot ]

Hi,

Summary of potential issues:

⚠️ Found follow-up fixes in mainline

The upstream commit SHA1 provided is correct: e8c526f2bdf1845bedaf6a478816a3d06fa78b8f

WARNING: Author mismatch between patch and upstream commit:
Backport author: bin.lan.cn@xxxxxxxxxxxxx
Commit author: Kuniyuki Iwashima <kuniyu@xxxxxxxxxx>

Status in newer kernel trees:
6.13.y | Present (exact SHA1)
6.12.y | Present (exact SHA1)
6.6.y | Present (different SHA1: 997ae8da14f1)
6.1.y | Present (different SHA1: 5071beb59ee4)
5.15.y | Present (different SHA1: 8459d61fbf24)

Found fixes commits:
c31e72d021db tcp: Fix use-after-free of nreq in reqsk_timer_handler().

Note: The patch differs from the upstream commit:
---
1: e8c526f2bdf18 ! 1: a87888675b240 tcp/dccp: Don't use timer_pending() in reqsk_queue_unlink(). @@ Metadata ## Commit message ## tcp/dccp: Don't use timer_pending() in reqsk_queue_unlink(). + [ Upstream commit e8c526f2bdf1845bedaf6a478816a3d06fa78b8f ] + Martin KaFai Lau reported use-after-free [0] in reqsk_timer_handler(). 
""" @@ Commit message Reviewed-by: Martin KaFai Lau <martin.lau@xxxxxxxxxx> Link: https://patch.msgid.link/20241014223312.4254-1-kuniyu@xxxxxxxxxx Signed-off-by: Jakub Kicinski <kuba@xxxxxxxxxx> + Signed-off-by: Bin Lan <bin.lan.cn@xxxxxxxxxxxxx> + Signed-off-by: He Zhe <zhe.he@xxxxxxxxxxxxx> ## net/ipv4/inet_connection_sock.c ## @@ net/ipv4/inet_connection_sock.c: static bool reqsk_queue_unlink(struct request_sock *req) - found = __sk_nulls_del_node_init_rcu(sk); + found = __sk_nulls_del_node_init_rcu(req_to_sk(req)); spin_unlock(lock); } - if (timer_pending(&req->rsk_timer) && del_timer_sync(&req->rsk_timer)) @@ net/ipv4/inet_connection_sock.c: static bool reqsk_queue_unlink(struct request_s void inet_csk_reqsk_queue_drop_and_put(struct sock *sk, struct request_sock *req) @@ net/ipv4/inet_connection_sock.c: static void reqsk_timer_handler(struct timer_list *t) - - if (!inet_ehash_insert(req_to_sk(nreq), req_to_sk(oreq), NULL)) { - /* delete timer */ -- inet_csk_reqsk_queue_drop(sk_listener, nreq); -+ __inet_csk_reqsk_queue_drop(sk_listener, nreq, true); - goto no_ownership; - } - -@@ net/ipv4/inet_connection_sock.c: static void reqsk_timer_handler(struct timer_list *t) + return; } - drop: -- inet_csk_reqsk_queue_drop_and_put(oreq->rsk_listener, oreq); -+ __inet_csk_reqsk_queue_drop(sk_listener, oreq, true); +- inet_csk_reqsk_queue_drop_and_put(sk_listener, req); ++ __inet_csk_reqsk_queue_drop(sk_listener, req, true); + reqsk_put(req); } - static bool reqsk_queue_hash_req(struct request_sock *req, + static void reqsk_queue_hash_req(struct request_sock *req, --- Results of testing on various branches: | Branch | Patch Apply | Build Test | |---------------------------|-------------|------------| | stable/linux-5.10.y | Success | Success |