On Fri, Sep 15, 2023 at 6:54 AM Zhang Changzhong
<[email protected]> wrote:
>
> There are race conditions that may lead to inet6_dev refcount underflow
> in xfrm6_dst_destroy() and rt6_uncached_list_flush_dev().
>
> One of the refcount underflow bugs is shown below:
> (cpu 1) | (cpu 2)
> xfrm6_dst_destroy() |
> ... |
> in6_dev_put() |
> | rt6_uncached_list_flush_dev()
> ... | ...
> | in6_dev_put()
> rt6_uncached_list_del() | ...
> ... |
>
> xfrm6_dst_destroy() calls rt6_uncached_list_del() after in6_dev_put(),
> so rt6_uncached_list_flush_dev() has a chance to call in6_dev_put()
> again for the same inet6_dev.
>
> Fix it by moving in6_dev_put() after rt6_uncached_list_del() in
> xfrm6_dst_destroy().
>
> Fixes: 510c321b5571 ("xfrm: reuse uncached_list to track xdsts")
> Signed-off-by: Zhang Changzhong <[email protected]>
> ---
> net/ipv6/xfrm6_policy.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/net/ipv6/xfrm6_policy.c b/net/ipv6/xfrm6_policy.c
> index 41a680c..42fb6996 100644
> --- a/net/ipv6/xfrm6_policy.c
> +++ b/net/ipv6/xfrm6_policy.c
> @@ -117,10 +117,10 @@ static void xfrm6_dst_destroy(struct dst_entry *dst)
> {
> struct xfrm_dst *xdst = (struct xfrm_dst *)dst;
>
> - if (likely(xdst->u.rt6.rt6i_idev))
> - in6_dev_put(xdst->u.rt6.rt6i_idev);
> dst_destroy_metrics_generic(dst);
> rt6_uncached_list_del(&xdst->u.rt6);
> + if (likely(xdst->u.rt6.rt6i_idev))
> + in6_dev_put(xdst->u.rt6.rt6i_idev);
> xfrm_dst_destroy(xdst);
> }
>
> --
> 2.9.5
>
Reviewed-by: Xin Long <[email protected]>
Thanks.