linux-stable/net/ipv4
Eric Dumazet eacb8b1955 net: fix __dst_negative_advice() race
commit 92f1655aa2 upstream.

__dst_negative_advice() does not enforce proper RCU rules when
sk->dst_cache must be cleared, leading to possible UAF.

RCU rules are that we must first clear sk->sk_dst_cache,
then call dst_release(old_dst).

Note that sk_dst_reset(sk) is implementing this protocol correctly,
while __dst_negative_advice() uses the wrong order.

Given that ip6_negative_advice() has special logic
against RTF_CACHE, this means each of the three ->negative_advice()
existing methods must perform the sk_dst_reset() themselves.

Note the check against NULL dst is centralized in
__dst_negative_advice(), there is no need to duplicate
it in various callbacks.

Many thanks to Clement Lecigne for tracking this issue.

This old bug became visible after the blamed commit, using UDP sockets.

Fixes: a87cb3e48e ("net: Facility to report route quality of connected sockets")
Reported-by: Clement Lecigne <clecigne@google.com>
Diagnosed-by: Clement Lecigne <clecigne@google.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Tom Herbert <tom@herbertland.com>
Reviewed-by: David Ahern <dsahern@kernel.org>
Link: https://lore.kernel.org/r/20240528114353.1794151-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
[Lee: Stable backport]
Signed-off-by: Lee Jones <lee@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2024-06-16 13:39:59 +02:00
bpfilter
netfilter netfilter: tproxy: bail out if IP has been disabled on the device 2024-06-16 13:39:51 +02:00
Kconfig tcp: configurable source port perturb table size 2022-12-02 17:41:11 +01:00
Makefile
af_inet.c inet: read sk->sk_family once in inet_recv_error() 2024-02-23 08:54:57 +01:00
ah4.c Networking changes for 5.14. 2021-06-30 15:51:09 -07:00
arp.c arp: Prevent overflow in arp_req_get(). 2024-03-01 13:22:00 +01:00
bpf_tcp_ca.c bpf: Forbid bpf_ktime_get_coarse_ns and bpf_timer_* in tracing progs 2021-11-25 09:49:07 +01:00
cipso_ipv4.c cipso: Fix data-races around sysctl. 2022-07-21 21:24:21 +02:00
datagram.c udp: Update reuse->has_conns under reuseport_lock. 2022-10-29 10:12:56 +02:00
devinet.c ipv4: properly combine dev_base_seq and ipv4.dev_addr_genid 2024-03-01 13:21:58 +01:00
esp4.c net: ipv4: fix return value check in esp_remove_trailer 2023-10-25 11:58:56 +02:00
esp4_offload.c xfrm: Linearize the skb after offloading if needed. 2023-06-28 10:29:46 +02:00
fib_frontend.c ipv4: Fix incorrect table ID in IOCTL path 2023-03-22 13:31:28 +01:00
fib_lookup.h ipv4: fix data races in fib_alias_hw_flags_set 2022-02-23 12:03:10 +01:00
fib_notifier.c
fib_rules.c ipv4: convert fib_num_tclassid_users to atomic_t 2021-12-08 09:04:49 +01:00
fib_semantics.c ipv4/fib: send notify when delete source address routes 2023-10-25 11:59:00 +02:00
fib_trie.c ipv4/fib: send notify when delete source address routes 2023-10-25 11:59:00 +02:00
fou.c fou: remove sparse errors 2021-08-31 12:03:33 +01:00
gre_demux.c
gre_offload.c
icmp.c icmp: prevent possible NULL dereferences from icmp_build_probe() 2024-05-02 16:24:44 +02:00
igmp.c bpf: net: Change do_ip_getsockopt() to take the sockptr_t argument 2024-03-26 18:21:23 -04:00
inet_connection_sock.c tcp: properly terminate timers for kernel sockets 2024-04-10 16:19:35 +02:00
inet_diag.c inet_diag: annotate data-races around inet_diag_table[] 2024-03-26 18:21:17 -04:00
inet_fragment.c inet: frags: annotate races around fqdir->dead and fqdir->high_thresh 2022-01-27 11:05:35 +01:00
inet_hashtables.c net: remove duplicate reuseport_lookup functions 2024-06-16 13:39:21 +02:00
inet_timewait_sock.c tcp: Fix NEW_SYN_RECV handling in inet_twsk_purge() 2024-05-02 16:24:49 +02:00
inetpeer.c inetpeer: Fix data-races around sysctl. 2022-07-21 21:24:21 +02:00
ip_forward.c ip: Fix data-races around sysctl_ip_fwd_update_priority. 2022-07-29 17:25:13 +02:00
ip_fragment.c inet: frags: annotate races around fqdir->dead and fqdir->high_thresh 2022-01-27 11:05:35 +01:00
ip_gre.c erspan: make sure erspan_base_hdr is present in skb->head 2024-04-10 16:19:38 +02:00
ip_input.c ipv4: ignore dst hint for multipath routes 2023-09-19 12:22:58 +02:00
ip_options.c
ip_output.c net: ipv4: fix a memleak in ip_setup_cork 2024-02-23 08:54:54 +01:00
ip_sockglue.c bpf: net: Change do_ip_getsockopt() to take the sockptr_t argument 2024-03-26 18:21:23 -04:00
ip_tunnel.c net: ip_tunnel: make sure to pull inner header in ip_tunnel_rcv() 2024-03-26 18:21:22 -04:00
ip_tunnel_core.c tunnels: fix out of bounds access when building IPv6 PMTU error 2024-02-23 08:54:57 +01:00
ip_vti.c ip_vti: fix potential slab-use-after-free in decode_session6 2023-08-26 14:23:32 +02:00
ipcomp.c Networking changes for 5.14. 2021-06-30 15:51:09 -07:00
ipconfig.c
ipip.c ip_tunnel: use ndo_siocdevprivate 2021-07-27 20:11:44 +01:00
ipmr.c ipmr: fix incorrect parameter validation in the ip_mroute_getsockopt() function 2024-03-26 18:21:23 -04:00
ipmr_base.c
metrics.c ipv4: prevent potential spectre v1 gadget in ip_metrics_convert() 2023-02-01 08:27:27 +01:00
netfilter.c
netlink.c
nexthop.c nexthop: Fix infinite nexthop bucket dump when using maximum nexthop ID 2023-08-16 18:22:02 +02:00
ping.c ping: fix address binding wrt vrf 2022-05-18 10:26:57 +02:00
proc.c ip: Fix data-races around sysctl_ip_default_ttl. 2022-07-29 17:25:09 +02:00
protocol.c
raw.c ipv{4,6}/raw: fix output xfrm lookup wrt protocol 2023-06-05 09:21:26 +02:00
raw_diag.c net: Use nlmsg_unicast() instead of netlink_unicast() 2021-07-13 09:28:29 -07:00
route.c net: fix __dst_negative_advice() race 2024-06-16 13:39:59 +02:00
syncookies.c tcp: fix cookie_init_timestamp() overflows 2023-11-20 11:08:16 +01:00
sysctl_net_ipv4.c tcp: restrict net.ipv4.tcp_app_win 2023-04-20 12:13:53 +02:00
tcp.c tcp: defer shutdown(SEND_SHUTDOWN) for TCP_SYN_RECV sockets 2024-05-17 11:50:57 +02:00
tcp_bbr.c tcp: add accessors to read/set tp->snd_cwnd 2022-06-14 18:36:11 +02:00
tcp_bic.c tcp: add accessors to read/set tp->snd_cwnd 2022-06-14 18:36:11 +02:00
tcp_bpf.c bpf, sockmap: Handle fin correctly 2024-05-17 11:50:56 +02:00
tcp_cdg.c tcp: cdg: allow tcp_cdg_release() to be called multiple times 2022-11-26 09:24:50 +01:00
tcp_cong.c tcp: add accessors to read/set tp->snd_cwnd 2022-06-14 18:36:11 +02:00
tcp_cubic.c tcp: add accessors to read/set tp->snd_cwnd 2022-06-14 18:36:11 +02:00
tcp_dctcp.c tcp: Fix shift-out-of-bounds in dctcp_update_alpha(). 2024-06-16 13:39:47 +02:00
tcp_dctcp.h
tcp_diag.c
tcp_fastopen.c tcp: annotate data-races around fastopenq.max_qlen 2023-07-27 08:47:04 +02:00
tcp_highspeed.c tcp: add accessors to read/set tp->snd_cwnd 2022-06-14 18:36:11 +02:00
tcp_htcp.c tcp: add accessors to read/set tp->snd_cwnd 2022-06-14 18:36:11 +02:00
tcp_hybla.c tcp: add accessors to read/set tp->snd_cwnd 2022-06-14 18:36:11 +02:00
tcp_illinois.c tcp: add accessors to read/set tp->snd_cwnd 2022-06-14 18:36:11 +02:00
tcp_input.c tcp: defer shutdown(SEND_SHUTDOWN) for TCP_SYN_RECV sockets 2024-05-17 11:50:57 +02:00
tcp_ipv4.c tcp: avoid premature drops in tcp_add_backlog() 2024-06-16 13:39:22 +02:00
tcp_lp.c tcp: add accessors to read/set tp->snd_cwnd 2022-06-14 18:36:11 +02:00
tcp_metrics.c tcp_metrics: do not create an entry from tcp_init_metrics() 2023-11-20 11:08:15 +01:00
tcp_minisocks.c tcp: annotate data-races around tcp_rsk(req)->ts_recent 2023-07-27 08:47:01 +02:00
tcp_nv.c tcp: add accessors to read/set tp->snd_cwnd 2022-06-14 18:36:11 +02:00
tcp_offload.c net, gro: Set inner transport header offset in tcp/udp GRO hook 2021-08-02 10:20:56 +01:00
tcp_output.c tcp: defer shutdown(SEND_SHUTDOWN) for TCP_SYN_RECV sockets 2024-05-17 11:50:57 +02:00
tcp_rate.c tcp: add accessors to read/set tp->snd_cwnd 2022-06-14 18:36:11 +02:00
tcp_recovery.c tcp: fix excessive TLP and RACK timeouts from HZ rounding 2023-10-25 11:58:57 +02:00
tcp_scalable.c tcp: add accessors to read/set tp->snd_cwnd 2022-06-14 18:36:11 +02:00
tcp_timer.c net: tcp: fix unexcepted socket die when snd_wnd is 0 2023-09-19 12:22:33 +02:00
tcp_ulp.c net/ulp: use consistent error code when blocking ULP 2023-01-24 07:22:48 +01:00
tcp_vegas.c tcp: add accessors to read/set tp->snd_cwnd 2022-06-14 18:36:11 +02:00
tcp_vegas.h
tcp_veno.c tcp: add accessors to read/set tp->snd_cwnd 2022-06-14 18:36:11 +02:00
tcp_westwood.c tcp: add accessors to read/set tp->snd_cwnd 2022-06-14 18:36:11 +02:00
tcp_yeah.c tcp: add accessors to read/set tp->snd_cwnd 2022-06-14 18:36:11 +02:00
tunnel4.c
udp.c udp: Avoid call to compute_score on multiple sites 2024-06-16 13:39:21 +02:00
udp_bpf.c bpf, sockmap: Fix an infinite loop error when len is 0 in tcp_bpf_recvmsg_parser() 2023-03-17 08:48:54 +01:00
udp_diag.c net: Use nlmsg_unicast() instead of netlink_unicast() 2021-07-13 09:28:29 -07:00
udp_impl.h
udp_offload.c net: gro: add flush check in udp_gro_receive_segment 2024-05-17 11:50:51 +02:00
udp_tunnel_core.c net/tunnel: wait until all sk_user_data reader finish before releasing the sock 2022-12-31 13:14:19 +01:00
udp_tunnel_nic.c udp_tunnel: Fix end of loop test in udp_tunnel_nic_unregister() 2022-03-02 11:47:59 +01:00
udp_tunnel_stub.c
udplite.c udplite: Fix NULL pointer dereference in __sk_mem_raise_allocated(). 2023-05-30 13:55:31 +01:00
xfrm4_input.c xfrm: Preserve vlan tags for transport mode software GRO 2024-05-17 11:50:57 +02:00
xfrm4_output.c
xfrm4_policy.c
xfrm4_protocol.c net: xfrm: unexport __init-annotated xfrm4_protocol_init() 2022-06-14 18:36:18 +02:00
xfrm4_state.c
xfrm4_tunnel.c