linux-stable/net/ipv4
Eric Dumazet 051c0bde9f net: fix __dst_negative_advice() race
commit 92f1655aa2 upstream.

__dst_negative_advice() does not enforce proper RCU rules when
sk->dst_cache must be cleared, leading to possible UAF.

RCU rules are that we must first clear sk->sk_dst_cache,
then call dst_release(old_dst).

Note that sk_dst_reset(sk) is implementing this protocol correctly,
while __dst_negative_advice() uses the wrong order.

Given that ip6_negative_advice() has special logic
against RTF_CACHE, this means each of the three ->negative_advice()
existing methods must perform the sk_dst_reset() themselves.

Note the check against NULL dst is centralized in
__dst_negative_advice(), there is no need to duplicate
it in various callbacks.

Many thanks to Clement Lecigne for tracking this issue.

This old bug became visible after the blamed commit, using UDP sockets.

Fixes: a87cb3e48e ("net: Facility to report route quality of connected sockets")
Reported-by: Clement Lecigne <clecigne@google.com>
Diagnosed-by: Clement Lecigne <clecigne@google.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Tom Herbert <tom@herbertland.com>
Reviewed-by: David Ahern <dsahern@kernel.org>
Link: https://lore.kernel.org/r/20240528114353.1794151-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
[Lee: Stable backport]
Signed-off-by: Lee Jones <lee@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2024-06-16 13:23:45 +02:00
bpfilter
netfilter treewide: Remove uninitialized_var() usage 2023-08-11 11:45:01 +02:00
Kconfig tcp: configurable source port perturb table size 2022-12-08 11:18:31 +01:00
Makefile
af_inet.c inet: read sk->sk_family once in inet_recv_error() 2024-02-23 08:12:53 +01:00
ah4.c
arp.c ipv4: Invalidate neighbour for broadcast address upon address addition 2022-04-15 14:15:01 +02:00
cipso_ipv4.c cipso: Fix data-races around sysctl. 2022-07-21 21:09:28 +02:00
datagram.c inet: stop leaking jiffies on the wire 2019-11-10 11:27:37 +01:00
devinet.c net: return correct error code 2021-12-08 08:50:11 +01:00
esp4.c net: ipv4: fix return value check in esp_remove_trailer 2023-10-25 11:16:44 +02:00
esp4_offload.c xfrm: Linearize the skb after offloading if needed. 2023-06-28 10:15:29 +02:00
fib_frontend.c ipv4: Fix incorrect table ID in IOCTL path 2023-03-22 13:27:10 +01:00
fib_lookup.h
fib_notifier.c
fib_rules.c
fib_semantics.c net: Fix the arp error in some cases 2020-06-30 23:17:06 -04:00
fib_trie.c ipv4: Silence suspicious RCU usage warning 2020-08-11 15:32:34 +02:00
fou.c
gre_demux.c erspan: fix version 1 check in gre_parse_header() 2021-01-12 20:10:19 +01:00
gre_offload.c net: gre: recompute gre csum for sctp over gre tunnels 2020-08-11 15:32:34 +02:00
icmp.c icmp: guard against too small mtu 2023-04-20 12:04:38 +02:00
igmp.c ipv4: igmp: fix refcnt uaf issue when receiving igmp query packet 2023-12-08 08:43:25 +01:00
inet_connection_sock.c tcp: properly terminate timers for kernel sockets 2024-04-13 12:50:12 +02:00
inet_diag.c inet_diag: Fix error path to cancel the meseage in inet_req_diag_fill() 2020-11-24 13:27:16 +01:00
inet_fragment.c
inet_hashtables.c Revert "tcp: avoid the lookup process failing to get sk in ehash table" 2023-08-11 11:45:26 +02:00
inet_timewait_sock.c tcp: Fix NEW_SYN_RECV handling in inet_twsk_purge() 2024-05-02 16:17:13 +02:00
inetpeer.c inetpeer: Fix data-races around sysctl. 2022-07-21 21:09:27 +02:00
ip_forward.c
ip_fragment.c
ip_gre.c ip_gre: do not report erspan version on GRE interface 2024-04-13 12:50:17 +02:00
ip_input.c tcp/udp: Make early_demux back namespacified. 2022-11-10 17:46:54 +01:00
ip_options.c
ip_output.c net: ipv4: fix a memleak in ip_setup_cork 2024-02-23 08:12:52 +01:00
ip_sockglue.c ipv{4,6}/raw: fix output xfrm lookup wrt protocol 2023-06-09 10:23:54 +02:00
ip_tunnel.c net: tunnels: annotate lockless accesses to dev->needed_headroom 2023-03-22 13:27:09 +01:00
ip_tunnel_core.c ip_tunnel: allow not to count pkts on tstats by setting skb's dev to NULL 2019-08-04 09:30:57 +02:00
ip_vti.c ip_vti: fix potential slab-use-after-free in decode_session6 2023-08-30 16:31:48 +02:00
ipcomp.c
ipconfig.c net: ipconfig: Don't override command-line hostnames or domains 2021-06-30 08:48:13 -04:00
ipip.c net: ipip: fix wrong address family in init error path 2020-06-03 08:19:10 +02:00
ipmr.c ipmr,ip6mr: acquire RTNL before calling ip[6]mr_free_table() on failure path 2022-02-16 12:51:45 +01:00
ipmr_base.c
metrics.c ipv4: prevent potential spectre v1 gadget in ip_metrics_convert() 2023-02-06 07:49:43 +01:00
netfilter.c netfilter: use actual socket sk rather than skb sk when routing harder 2020-11-18 19:18:44 +01:00
netlink.c
ping.c ping: fix address binding wrt vrf 2022-05-18 09:42:50 +02:00
proc.c tcp: tcp_fragment() should apply sane memory limits 2019-06-17 19:51:56 +02:00
protocol.c
raw.c ipv{4,6}/raw: fix output xfrm lookup wrt protocol 2023-06-09 10:23:54 +02:00
raw_diag.c inet_diag: return classid for all socket types 2020-03-18 07:14:11 +01:00
route.c net: fix __dst_negative_advice() race 2024-06-16 13:23:45 +02:00
syncookies.c tcp: make sure treq->af_specific is initialized 2022-05-12 12:20:25 +02:00
sysctl_net_ipv4.c tcp/udp: Make early_demux back namespacified. 2022-11-10 17:46:54 +01:00
tcp.c tcp: defer shutdown(SEND_SHUTDOWN) for TCP_SYN_RECV sockets 2024-05-17 11:42:41 +02:00
tcp_bbr.c tcp_bbr: fix u32 wrap bug in round logic if bbr_init() called after 2B packets 2021-08-26 08:36:39 -04:00
tcp_bic.c
tcp_cdg.c tcp: cdg: allow tcp_cdg_release() to be called multiple times 2022-11-25 17:40:28 +01:00
tcp_cong.c net: Only allow init netns to set default tcp cong to a restricted algo 2021-05-22 10:59:39 +02:00
tcp_cubic.c tcp_cubic: fix spurious Hystart ACK train detections for not-cwnd-limited flows 2021-12-01 09:27:43 +01:00
tcp_dctcp.c tcp: Fix shift-out-of-bounds in dctcp_update_alpha(). 2024-06-16 13:23:35 +02:00
tcp_diag.c tcp: annotate tp->write_seq lockless reads 2021-03-17 16:43:43 +01:00
tcp_fastopen.c tcp: annotate data-races around fastopenq.max_qlen 2023-08-11 11:45:27 +02:00
tcp_highspeed.c
tcp_htcp.c
tcp_hybla.c
tcp_illinois.c
tcp_input.c tcp: defer shutdown(SEND_SHUTDOWN) for TCP_SYN_RECV sockets 2024-05-17 11:42:41 +02:00
tcp_ipv4.c tcp: Use refcount_inc_not_zero() in tcp_twsk_unique(). 2024-05-17 11:42:41 +02:00
tcp_lp.c
tcp_metrics.c tcp_metrics: do not create an entry from tcp_init_metrics() 2023-11-20 10:29:16 +01:00
tcp_minisocks.c tcp: tcp_check_req() can be called from process context 2023-03-11 16:31:59 +01:00
tcp_nv.c
tcp_offload.c
tcp_output.c tcp: defer shutdown(SEND_SHUTDOWN) for TCP_SYN_RECV sockets 2024-05-17 11:42:41 +02:00
tcp_rate.c
tcp_recovery.c tcp: fix excessive TLP and RACK timeouts from HZ rounding 2023-10-25 11:16:46 +02:00
tcp_scalable.c
tcp_timer.c net: fix the RTO timer retransmitting skb every 1ms if linear option is enabled 2023-08-30 16:31:50 +02:00
tcp_ulp.c
tcp_vegas.c
tcp_vegas.h
tcp_veno.c
tcp_westwood.c
tcp_yeah.c
tunnel4.c
udp.c udp: preserve the connected status if only UDP cmsg 2024-05-02 16:17:14 +02:00
udp_diag.c inet_diag: return classid for all socket types 2020-03-18 07:14:11 +01:00
udp_impl.h
udp_offload.c net: Fix gro aggregation for udp encaps with zero csum 2021-03-17 16:43:42 +01:00
udp_tunnel.c net/tunnel: wait until all sk_user_data reader finish before releasing the sock 2023-01-18 11:30:18 +01:00
udplite.c udplite: Fix NULL pointer dereference in __sk_mem_raise_allocated(). 2023-05-30 12:42:14 +01:00
xfrm4_input.c
xfrm4_mode_beet.c
xfrm4_mode_transport.c
xfrm4_mode_tunnel.c
xfrm4_output.c xfrm: Always set XFRM_TRANSFORMED in xfrm{4,6}_output_finish 2020-04-29 16:31:23 +02:00
xfrm4_policy.c xfrm: Don't accidentally set RTO_ONLINK in decode_session4() 2022-02-23 11:58:39 +01:00
xfrm4_protocol.c net: xfrm: unexport __init-annotated xfrm4_protocol_init() 2022-06-14 16:59:35 +02:00
xfrm4_state.c
xfrm4_tunnel.c