mirrors/linux-stable
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git synced 2024-09-29 22:02:02 +00:00
Code Issues Releases Wiki Activity
linux-stable/net/ipv6
History
Eric Dumazet 5af198c387 net: fix __dst_negative_advice() race 
commit 92f1655aa2 upstream.

__dst_negative_advice() does not enforce proper RCU rules when
sk->dst_cache must be cleared, leading to possible UAF.

RCU rules are that we must first clear sk->sk_dst_cache,
then call dst_release(old_dst).

Note that sk_dst_reset(sk) is implementing this protocol correctly,
while __dst_negative_advice() uses the wrong order.

Given that ip6_negative_advice() has special logic
against RTF_CACHE, this means each of the three ->negative_advice()
existing methods must perform the sk_dst_reset() themselves.

Note the check against NULL dst is centralized in
__dst_negative_advice(), there is no need to duplicate
it in various callbacks.

Many thanks to Clement Lecigne for tracking this issue.

This old bug became visible after the blamed commit, using UDP sockets.

Fixes: a87cb3e48e ("net: Facility to report route quality of connected sockets")
Reported-by: Clement Lecigne <clecigne@google.com>
Diagnosed-by: Clement Lecigne <clecigne@google.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Tom Herbert <tom@herbertland.com>
Reviewed-by: David Ahern <dsahern@kernel.org>
Link: https://lore.kernel.org/r/20240528114353.1794151-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
[Lee: Stable backport]
Signed-off-by: Lee Jones <lee@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2024-06-16 13:47:44 +02:00
..
ila ila: Remove unnecessary file net/ila.h 2023-08-02 12:28:16 -07:00
netfilter netfilter: complete validation of user input 2024-04-17 11:19:30 +02:00
addrconf.c ipv6: annotate data-races around cnf.disable_ipv6 2024-05-17 12:02:24 +02:00
addrconf_core.c ipv6: Ensure natural alignment of const ipv6 loopback and router addresses 2024-02-05 20:14:36 +00:00
addrlabel.c ipv6: addrlabel: fix infoleak when sending struct ifaddrlblmsg to network 2022-11-07 12:26:15 +00:00
af_inet6.c bpf: Derive source IP addr via bpf_*_fib_lookup() 2024-03-01 13:35:04 +01:00
ah6.c net: ipv6: Remove completion function scaffolding 2023-02-13 18:35:15 +08:00
anycast.c IPv6: add extack info for IPv6 address add/delete 2023-07-28 11:01:56 +01:00
calipso.c
datagram.c inet: introduce inet->inet_flags 2023-08-16 11:09:16 +01:00
esp6.c net: esp: fix bad handling of pages from page_pool 2024-04-03 15:28:35 +02:00
esp6_offload.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2023-06-22 18:40:38 -07:00
exthdrs.c Fix write to cloned skb in ipv6_hop_ioam() 2024-03-01 13:35:10 +01:00
exthdrs_core.c ipv6: Fix out-of-bounds access in ipv6_find_tlv() 2023-05-24 08:43:39 +01:00
exthdrs_offload.c
fib6_notifier.c
fib6_rules.c ipv6: fib6_rules: avoid possible NULL dereference in fib6_rule_action() 2024-05-17 12:02:23 +02:00
fou6.c
icmp.c sysctl-6.6-rc1 2023-08-29 17:39:15 -07:00
inet6_connection_sock.c net: annotate lockless accesses to sk->sk_err_soft 2023-03-17 08:25:05 +00:00
inet6_hashtables.c net: remove duplicate INDIRECT_CALLABLE_DECLARE of udp[6]_ehashfn 2023-07-31 13:53:10 -07:00
ioam6.c genetlink: start to validate reserved header bytes 2022-08-29 12:47:15 +01:00
ioam6_iptunnel.c
ip6_checksum.c
ip6_fib.c ipv6: fib: hide unused 'pn' variable 2024-04-17 11:19:29 +02:00
ip6_flowlabel.c ipv6: flowlabel: do not disable BH where not needed 2023-03-21 21:32:18 -07:00
ip6_gre.c net: add netdev_lockdep_set_classes() to virtual drivers 2024-04-13 13:07:30 +02:00
ip6_icmp.c
ip6_input.c ipv6: annotate data-races around cnf.disable_ipv6 2024-05-17 12:02:24 +02:00
ip6_offload.c net: gro: fix udp bad offset in socket lookup by adding {inner_}network_offset to napi_gro_cb 2024-05-17 12:02:07 +02:00
ip6_offload.h
ip6_output.c ipv6: prevent NULL dereference in ip6_output() 2024-05-17 12:02:24 +02:00
ip6_tunnel.c net: add netdev_lockdep_set_classes() to virtual drivers 2024-04-13 13:07:30 +02:00
ip6_udp_tunnel.c
ip6_vti.c net: add netdev_lockdep_set_classes() to virtual drivers 2024-04-13 13:07:30 +02:00
ip6mr.c net: ipv4, ipv6: fix IPSTATS_MIB_OUTOCTETS increment duplicated 2023-08-30 09:44:09 +01:00
ipcomp6.c xfrm: ipcomp: add extack to ipcomp{4,6}_init_state 2022-09-29 07:18:00 +02:00
ipv6_sockglue.c net: selectively purge error queue in IP_RECVERR / IPV6_RECVERR 2023-08-20 15:17:47 +01:00
Kconfig ipv6: fix indentation of a config attribute 2023-08-16 10:03:08 +01:00
Makefile
mcast.c net: fix IPSTATS_MIB_OUTPKGS increment in OutForwDatagrams. 2024-04-03 15:28:39 +02:00
mcast_snoop.c
mip6.c xfrm: mip6: add extack to mip6_destopt_init_state, mip6_rthdr_init_state 2022-09-29 07:18:01 +02:00
ndisc.c net: fix IPSTATS_MIB_OUTPKGS increment in OutForwDatagrams. 2024-04-03 15:28:39 +02:00
netfilter.c
output_core.c treewide: use get_random_u32_{above,below}() instead of manual loop 2022-11-18 02:15:22 +01:00
ping.c bpf: Propagate modified uaddrlen from cgroup sockaddr programs 2024-01-31 16:19:04 -08:00
proc.c net: fix IPSTATS_MIB_OUTPKGS increment in OutForwDatagrams. 2024-04-03 15:28:39 +02:00
protocol.c
raw.c net: fix IPSTATS_MIB_OUTPKGS increment in OutForwDatagrams. 2024-04-03 15:28:39 +02:00
reassembly.c net: ipv6: fix wrong start position when receive hop-by-hop fragment 2024-06-12 11:11:51 +02:00
route.c net: fix __dst_negative_advice() race 2024-06-16 13:47:44 +02:00
rpl.c ipv6: rpl: Remove pskb(_may)?_pull() in ipv6_rpl_srh_rcv(). 2023-06-19 11:32:58 -07:00
rpl_iptunnel.c ipv6: rpl: Remove redundant skb_dst_drop(). 2023-07-12 17:12:29 -07:00
seg6.c ipv6: sr: fix invalid unregister error path 2024-06-12 11:11:53 +02:00
seg6_hmac.c ipv6: sr: fix memleak in seg6_hmac_init_algo 2024-06-12 11:12:48 +02:00
seg6_iptunnel.c ipv6: sr: fix missing sk_buff release in seg6_input_core 2024-06-12 11:12:46 +02:00
seg6_local.c seg6: add NEXT-C-SID support for SRv6 End.X behavior 2023-08-15 18:51:47 -07:00
sit.c net: add netdev_lockdep_set_classes() to virtual drivers 2024-04-13 13:07:30 +02:00
syncookies.c dccp/tcp: Call security_inet_conn_request() after setting IPv6 addresses. 2023-11-20 11:59:35 +01:00
sysctl_net_ipv6.c networking: Update to register_net_sysctl_sz 2023-08-15 15:26:18 -07:00
tcp_ipv6.c bpf: Propagate modified uaddrlen from cgroup sockaddr programs 2024-01-31 16:19:04 -08:00
tcpv6_offload.c net: Make gro complete function to return void 2023-05-31 09:50:17 +01:00
tunnel6.c
udp.c udp: Avoid call to compute_score on multiple sites 2024-06-12 11:11:42 +02:00
udp_impl.h tcp/udp: Call inet6_destroy_sock() in IPv6 sk->sk_destruct(). 2022-10-12 17:50:37 -07:00
udp_offload.c net: gro: fix udp bad offset in socket lookup by adding {inner_}network_offset to napi_gro_cb 2024-05-17 12:02:07 +02:00
udplite.c udplite: remove UDPLITE_BIT 2023-11-20 11:58:56 +01:00
xfrm6_input.c xfrm: Preserve vlan tags for transport mode software GRO 2024-05-17 12:02:20 +02:00
xfrm6_output.c
xfrm6_policy.c ipsec-2023-10-17 2023-10-17 18:21:13 -07:00
xfrm6_protocol.c
xfrm6_state.c
xfrm6_tunnel.c xfrm: tunnel: add extack to ipip_init_state, xfrm6_tunnel_init_state 2022-09-29 07:18:00 +02:00