mirrors
/
linux-stable
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
1
0
Fork 0
Code Issues Releases Wiki Activity
linux-stable/include/net
History
Eric Dumazet eacb8b1955 net: fix __dst_negative_advice() race 
commit 92f1655aa2 upstream.

__dst_negative_advice() does not enforce proper RCU rules when
sk->dst_cache must be cleared, leading to possible UAF.

RCU rules are that we must first clear sk->sk_dst_cache,
then call dst_release(old_dst).

Note that sk_dst_reset(sk) is implementing this protocol correctly,
while __dst_negative_advice() uses the wrong order.

Given that ip6_negative_advice() has special logic
against RTF_CACHE, this means each of the three ->negative_advice()
existing methods must perform the sk_dst_reset() themselves.

Note the check against NULL dst is centralized in
__dst_negative_advice(), there is no need to duplicate
it in various callbacks.

Many thanks to Clement Lecigne for tracking this issue.

This old bug became visible after the blamed commit, using UDP sockets.

Fixes: a87cb3e48e ("net: Facility to report route quality of connected sockets")
Reported-by: Clement Lecigne <clecigne@google.com>
Diagnosed-by: Clement Lecigne <clecigne@google.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Tom Herbert <tom@herbertland.com>
Reviewed-by: David Ahern <dsahern@kernel.org>
Link: https://lore.kernel.org/r/20240528114353.1794151-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
[Lee: Stable backport]
Signed-off-by: Lee Jones <lee@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 		2024-06-16 13:39:59 +02:00
..
9p 9p: Add client parameter to p9_req_put() 2022-08-17 14:24:07 +02:00
bluetooth Bluetooth: Fix bogus check for re-auth no supported with non-ssp 2024-01-25 14:52:40 -08:00
caif net: remove the caif_hsi driver 2021-07-01 13:19:48 -07:00
iucv
netfilter netfilter: nft_payload: move struct nft_payload_set definition where it belongs 2024-06-16 13:39:50 +02:00
netns netfilter: nf_flow_table: count pending offload workqueue tasks 2024-04-27 17:05:24 +02:00
nfc NFC: add NCI_UNREG flag to eliminate the race 2021-11-25 09:48:40 +01:00
phonet
sctp sctp: add a refcnt in sctp_stream_priorities to avoid a nested loop 2023-03-11 13:57:28 +01:00
tc_act net/sched: transition act_pedit to rcu and percpu stats 2023-03-11 13:57:29 +01:00
6lowpan.h
Space.h wan: remove sbni/granch driver 2021-08-03 13:05:26 +01:00
act_api.h net_sched: refactor TC action init API 2021-08-02 10:24:38 +01:00
addrconf.h ipv6: fix race condition between ipv6_get_ifaddr and ipv6_del_addr 2024-04-17 11:15:14 +02:00
af_ieee802154.h
af_rxrpc.h afs: Don't truncate iter during data fetch 2021-04-23 10:17:26 +01:00
af_unix.h af_unix: Suppress false-positive lockdep splat for spin_lock() in __unix_gc(). 2024-05-02 16:24:47 +02:00
af_vsock.h vsock: each transport cycles only on its own sockets 2022-03-23 09:16:41 +01:00
ah.h
arp.h ipv4: Invalidate neighbour for broadcast address upon address addition 2022-04-13 20:59:05 +02:00
atmclip.h
ax25.h ax25: fix reference count leaks of ax25_dev 2022-04-20 09:34:22 +02:00
ax88796.h ax88796: export ax_NS8390_init() hook 2021-08-03 13:05:25 +01:00
bareudp.h
bond_3ad.h net: bonding: Share lacpdu_mcast_addr definition 2022-09-28 11:11:48 +02:00
bond_alb.h bonding (gcc13): synchronize bond_{a,t}lb_xmit() types 2023-06-14 11:13:00 +02:00
bond_options.h Bonding: add arp_missed_max option 2023-06-05 09:21:19 +02:00
bonding.h bonding: fix macvlan over alb bond support 2023-08-30 16:18:15 +02:00
bpf_sk_storage.h bpf: struct sock is declared twice in bpf_sk_storage header 2021-03-26 17:43:55 +01:00
busy_poll.h net: Fix a data-race around sysctl_net_busy_poll. 2022-08-31 17:16:43 +02:00
calipso.h
cfg80211-wext.h
cfg80211.h wifi: cfg80211: fix sband iftype data lookup for AP_VLAN 2023-08-16 18:22:01 +02:00
cfg802154.h mac802154: fix llsec key resources release in mac802154_llsec_key_del 2024-04-10 16:18:39 +02:00
checksum.h net: Force inlining of checksum functions in net/checksum.h 2022-03-02 11:47:58 +01:00
cipso_ipv4.h
cls_cgroup.h
codel.h
codel_impl.h
codel_qdisc.h
compat.h net/ipv4/ipv6: Replace one-element arraya with flexible-array members 2021-08-05 11:46:42 +01:00
datalink.h
dcbevent.h
dcbnl.h
devlink.h devlink: Use xarray to store devlink instances 2021-08-14 13:59:10 +01:00
dsa.h net: dsa: introduce preferred_default_local_cpu_port and use on MT7530 2024-04-27 17:05:29 +02:00
dsfield.h
dst.h net: Remove unused inline function dst_hold_and_use() 2023-06-21 15:59:19 +02:00
dst_cache.h wireguard: device: reset peer src endpoint when netns exits 2021-12-08 09:04:46 +01:00
dst_metadata.h net: fix a memleak when uncloning an skb dst and its metadata 2022-02-16 12:56:30 +01:00
dst_ops.h net: fix __dst_negative_advice() race 2024-06-16 13:39:59 +02:00
erspan.h
esp.h esp: limit skb_page_frag_refill use to a single page 2022-04-27 14:38:52 +02:00
espintcp.h
ethoc.h
failover.h
fib_notifier.h
fib_rules.h ipv6: fix memory leak in fib6_rule_suppress 2021-12-08 09:04:43 +01:00
firewire.h
flow.h inet: shrink struct flowi_common 2023-11-20 11:08:28 +01:00
flow_dissector.h net/sched: flower: fix parsing of ethertype following VLAN header 2022-04-20 09:34:09 +02:00
flow_offload.h netfilter: nf_tables: bail out early if hardware offload is not supported 2022-06-14 18:36:17 +02:00
fou.h
fq.h
fq_impl.h
garp.h
gen_stats.h
genetlink.h drop_monitor: Require 'CAP_SYS_ADMIN' when joining "events" group 2023-12-13 18:36:38 +01:00
geneve.h
gre.h
gro.h gro: add combined call_gro_receive() + INDIRECT_CALL_INET() helper 2021-03-18 19:51:12 -07:00
gro_cells.h
gtp.h
gue.h
hwbm.h
icmp.h ipv6: ICMPV6: add response to ICMPV6 RFC 8335 PROBE messages 2021-06-28 14:29:45 -07:00
ieee80211_radiotap.h mac80211: Use flex-array for radiotap header bitmap 2021-08-13 09:58:25 +02:00
ieee802154_netdev.h net: ieee802154: return -EINVAL for unknown addr type 2022-10-26 12:35:54 +02:00
if_inet6.h net: ipv6: support reporting otherwise unknown prefix flags in RTM_NEWPREFIX 2023-12-20 15:17:34 +01:00
ife.h
ila.h
inet6_connection_sock.h
inet6_hashtables.h net: remove duplicate reuseport_lookup functions 2024-06-16 13:39:21 +02:00
inet_common.h
inet_connection_sock.h tcp: properly terminate timers for kernel sockets 2024-04-10 16:19:35 +02:00
inet_ecn.h
inet_frag.h inet: frags: annotate races around fqdir->dead and fqdir->high_thresh 2022-01-27 11:05:35 +01:00
inet_hashtables.h net: remove duplicate reuseport_lookup functions 2024-06-16 13:39:21 +02:00
inet_sock.h net: allow unbound socket for packets in VRF when tcp_l3mdev_accept set 2022-08-17 14:23:36 +02:00
inet_timewait_sock.h
inetpeer.h
ioam6.h ipv6: ioam: Support for IOAM injection with lwtunnels 2021-07-21 08:14:33 -07:00
ip.h ipv4: ignore dst hint for multipath routes 2023-09-19 12:22:58 +02:00
ip6_checksum.h
ip6_fib.h net: fib: avoid warn splat in flow dissector 2023-09-19 12:22:58 +02:00
ip6_route.h Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2021-08-05 15:08:47 -07:00
ip6_tunnel.h ip_gre, ip6_gre: Fix race condition on o_seqno in collect_md mode 2022-05-09 09:14:36 +02:00
ip_fib.h ipv4/fib: send notify when delete source address routes 2023-10-25 11:59:00 +02:00
ip_tunnels.h geneve: fix header validation in geneve[6]_xmit_skb 2024-04-17 11:15:14 +02:00
ip_vs.h ipvs: Update width of source for ip_vs_sync_conn_options 2023-05-24 17:36:46 +01:00
ipcomp.h
ipconfig.h
ipv6.h ipv6: fix ip6_sock_set_addr_preferences() typo 2023-09-19 12:23:04 +02:00
ipv6_frag.h inet: frags: annotate races around fqdir->dead and fqdir->high_thresh 2022-01-27 11:05:35 +01:00
ipv6_stubs.h bpf: Derive source IP addr via bpf_*_fib_lookup() 2024-03-06 14:38:50 +00:00
iw_handler.h
kcm.h
l3mdev.h
lag.h
lapb.h net: lapb: Make "lapb_t1timer_running" able to detect an already running timer 2021-03-23 14:14:50 -07:00
lib80211.h
llc.h llc: fix out-of-bound array index in llc_sk_dev_hash() 2021-11-18 19:17:10 +01:00
llc_c_ac.h
llc_c_ev.h
llc_c_st.h
llc_conn.h
llc_if.h
llc_pdu.h llc: Drop support for ETH_P_TR_802_2. 2024-02-23 08:54:27 +01:00
llc_s_ac.h
llc_s_ev.h
llc_s_st.h
llc_sap.h
lwtunnel.h lwt: Check LWTUNNEL_XMIT_CONTINUE strictly 2023-09-19 12:22:34 +02:00
mac80211.h mac80211: Fix Ptk0 rekey documentation 2021-09-27 12:02:54 +02:00
mac802154.h
macsec.h net: macsec: indicate next pn update when offloading 2023-10-19 23:05:34 +02:00
mctp.h mctp: unify sockaddr_mctp types 2021-10-18 13:47:09 +01:00
mctpdevice.h mctp: Remove the repeated declaration 2021-08-25 11:23:14 +01:00
mip6.h
mld.h mld: add new workqueues for process mld events 2021-03-26 15:14:56 -07:00
mpls.h
mpls_iptunnel.h
mptcp.h mptcp: remove MPTCP 'ifdef' in TCP SYN cookies 2023-01-12 11:58:52 +01:00
mrp.h mrp: introduce active flags to prevent UAF when applicant uninit 2022-12-31 13:14:42 +01:00
ncsi.h
ndisc.h ipv6: fix skb drops in igmp6_event_query() and igmp6_event_report() 2022-03-08 19:12:33 +01:00
neighbour.h neighbour: delete neigh_lookup_nodev as not used 2023-06-21 15:59:19 +02:00
net_failover.h
net_namespace.h netfilter: nf_flow_table: count pending offload workqueue tasks 2024-04-27 17:05:24 +02:00
net_ratelimit.h
netevent.h
netlabel.h
netlink.h net: netlink: add the case when nlh is NULL 2021-07-27 11:43:50 +01:00
netprio_cgroup.h
netrom.h
nexthop.h net: ipv4: Fix rtnexthop len when RTA_FLOW is present 2021-09-24 14:07:10 +01:00
nl802154.h net: ieee802154: handle iftypes as u32 2021-12-01 09:04:46 +01:00
nsh.h
p8022.h
page_pool.h page_pool: fix inconsistency for page_pool_ring_[un]lock() 2023-06-05 09:21:22 +02:00
pie.h
ping.h
pkt_cls.h sch_htb: Fix inconsistency when leaf qdisc creation fails 2021-08-30 16:33:59 -07:00
pkt_sched.h net/sched: make psched_mtu() RTNL-less safe 2023-07-23 13:47:45 +02:00
pptp.h
protocol.h tcp/udp: Make early_demux back namespacified. 2022-11-10 18:15:38 +01:00
psample.h psample: Add a fwd declaration for skbuff 2021-08-09 15:34:21 -07:00
psnap.h
raw.h raw: Fix a data-race around sysctl_raw_l3mdev_accept. 2022-07-21 21:24:27 +02:00
rawv6.h
red.h sch_red: fix off-by-one checks in red_check_params() 2021-03-25 17:40:43 -07:00
regulatory.h
request_sock.h
rose.h
route.h ip: Fix data-races around sysctl_ip_default_ttl. 2022-07-29 17:25:09 +02:00
rpl.h ipv6: rpl: Fix Route of Death. 2023-06-14 11:13:02 +02:00
rsi_91x.h
rtnetlink.h net: validate veth and vxcan peer ifindexes 2023-08-30 16:18:14 +02:00
rtnh.h
sch_generic.h net/sched: sch_taprio: fix possible use-after-free 2023-02-01 08:27:09 +01:00
scm.h scm: fix MSG_CTRUNC setting condition for SO_PASSSEC 2023-05-11 23:00:26 +09:00
secure_seq.h secure_seq: use the 64 bits of the siphash for port offset calculation 2022-05-18 10:26:53 +02:00
seg6.h udp6: Use Segment Routing Header for dest address if present 2022-01-27 11:05:05 +01:00
seg6_hmac.h
seg6_local.h
selftests.h net: selftest: fix build issue if INET is disabled 2021-04-28 14:06:45 -07:00
slhc_vj.h
smc.h
snmp.h
sock.h net: fix __dst_negative_advice() race 2024-06-16 13:39:59 +02:00
sock_reuseport.h soreuseport: Fix socket selection for SO_INCOMING_CPU. 2022-12-31 13:14:07 +01:00
stp.h
strparser.h tls: rx: don't store the decryption status in socket context 2024-03-06 14:38:47 +00:00
switchdev.h net: make switchdev_bridge_port_{,unoffload} loosely coupled with the bridge 2021-08-04 12:35:07 +01:00
tcp.h mptcp: fix lockless access in subflow ULP diag 2024-03-01 13:21:50 +01:00
tcp_states.h
timewait_sock.h
tipc.h
tls.h tls: fix race between async notify and socket close 2024-05-25 16:20:17 +02:00
tls_toe.h
transp_v6.h
tso.h
tun_proto.h
udp.h tcp/udp: Call inet6_destroy_sock() in IPv6 sk->sk_destruct(). 2023-04-26 13:51:54 +02:00
udp_tunnel.h rxrpc: Fix ICMP/ICMP6 error handling 2022-09-15 11:30:05 +02:00
udplite.h tcp/udp: Call inet6_destroy_sock() in IPv6 sk->sk_destruct(). 2023-04-26 13:51:54 +02:00
vsock_addr.h
vxlan.h vxlan: Fix nexthop hash size 2023-08-11 15:13:54 +02:00
wext.h
x25.h
x25device.h
xdp.h xdp: Allow registering memory model without rxq reference 2023-06-05 09:21:21 +02:00
xdp_priv.h
xdp_sock.h xdp: Add proper __rcu annotations to redirect map entries 2021-06-24 19:41:15 +02:00
xdp_sock_drv.h i40e: xsk: Move tmp desc array from driver to pool 2022-06-14 18:36:18 +02:00
xfrm.h xfrm: Preserve vlan tags for transport mode software GRO 2024-05-17 11:50:57 +02:00
xsk_buff_pool.h xsk: Fix unaligned descriptor validation 2023-05-11 23:00:27 +09:00