net: fix __dst_negative_advice() race
__dst_negative_advice() does not enforce proper RCU rules when sk->dst_cache must be cleared, leading to possible UAF.

RCU rules are that we must first clear sk->sk_dst_cache, then call dst_release(old_dst).

Note that sk_dst_reset(sk) is implementing this protocol correctly, while __dst_negative_advice() uses the wrong order.

Given that ip6_negative_advice() has special logic against RTF_CACHE, this means each of the three ->negative_advice() existing methods must perform the sk_dst_reset() themselves.

Note the check against NULL dst is centralized in __dst_negative_advice(), there is no need to duplicate it in various callbacks.

Many thanks to Clement Lecigne for tracking this issue.

This old bug became visible after the blamed commit, using UDP sockets.

Fixes: a87cb3e4 ("net: Facility to report route quality of connected sockets")
Reported-by: Clement Lecigne <clecigne@google.com>
Diagnosed-by: Clement Lecigne <clecigne@google.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Tom Herbert <tom@herbertland.com>
Reviewed-by: David Ahern <dsahern@kernel.org>
Link: https://lore.kernel.org/r/20240528114353.1794151-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
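
The ordering rule in the commit message, shown as an added single-threaded userspace model; this is not code from the commit or the kernel. The `*_model` types and all function names are hypothetical, and the model frees the object immediately on the last reference drop (a simplification) so the window between the two steps is observable.

```c
/* Added userspace model; struct and function names are hypothetical, not kernel code. */
#include <stdbool.h>
#include <stddef.h>

struct dst_model  { int refcnt; bool freed; };
struct sock_model { struct dst_model *dst_cache; };

/* Drop one reference; the model frees at once when the count reaches zero. */
static void release_model(struct dst_model *d)
{
    if (d && --d->refcnt == 0)
        d->freed = true;
}

/* What a reader loading the published pointer at this instant would get. */
static bool reader_sees_freed(const struct sock_model *sk)
{
    return sk->dst_cache != NULL && sk->dst_cache->freed;
}

/* Order the message calls wrong: release first, clear the pointer second. */
static bool reset_release_first(struct sock_model *sk)
{
    struct dst_model *old = sk->dst_cache;
    release_model(old);
    bool window = reader_sees_freed(sk); /* pointer is still published */
    sk->dst_cache = NULL;
    return window;
}

/* Order the message calls correct: clear the pointer, then release. */
static bool reset_clear_first(struct sock_model *sk)
{
    struct dst_model *old = sk->dst_cache;
    sk->dst_cache = NULL;
    bool window = reader_sees_freed(sk); /* nothing left to load */
    release_model(old);
    return window;
}

int main(void)
{
    struct dst_model a = { 1, false }, b = { 1, false };
    struct sock_model s1 = { &a }, s2 = { &b };
    /* Exit status 0 only if the wrong order exposes a window and the right one does not. */
    return (reset_release_first(&s1) && !reset_clear_first(&s2)) ? 0 : 1;
}
```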