[ Sasha's backport helper bot ]
Hi,
The upstream commit SHA1 provided is correct: 0f6ede9fbc747e2553612271bce108f7517e7a45
WARNING: Author mismatch between patch and upstream commit: Backport author: Vasiliy Kovalevkovalev@altlinux.org Commit author: Eric Dumazetedumazet@google.com
Status in newer kernel trees: 6.12.y | Present (different SHA1: 6610c7f8a8d4) 6.6.y | Present (different SHA1: b7a79e51297f) 6.1.y | Present (different SHA1: 3267b254dc0a) 5.15.y | Not found 5.10.y | Not found
Note: The patch differs from the upstream commit: --- 1: 0f6ede9fbc74 ! 1: 2b14d8a38dbc net: defer final 'struct net' free in netns dismantle @@ Metadata ## Commit message ## net: defer final 'struct net' free in netns dismantle
+ commit 0f6ede9fbc747e2553612271bce108f7517e7a45 upstream. + Ilya reported a slab-use-after-free in dst_destroy [1]
Issue is in xfrm6_net_init() and xfrm4_net_init() : @@ Commit message Reviewed-by: Kuniyuki Iwashima kuniyu@amazon.com Link: https://patch.msgid.link/20241204125455.3871859-1-edumazet@google.com Signed-off-by: Jakub Kicinski kuba@kernel.org + Signed-off-by: Vasiliy Kovalev kovalev@altlinux.org
## include/net/net_namespace.h ## @@ include/net/net_namespace.h: struct net { @@ net/core/net_namespace.c: static struct net *net_alloc(void) + static void net_free(struct net *net) { - if (refcount_dec_and_test(&net->passive)) { -@@ net/core/net_namespace.c: static void net_free(struct net *net) - /* There should not be any trackers left there. */ - ref_tracker_dir_exit(&net->notrefcnt_tracker); - -- kmem_cache_free(net_cachep, net); +- kfree(rcu_access_pointer(net->gen)); +- kmem_cache_free(net_cachep, net); ++ if (refcount_dec_and_test(&net->passive)) { ++ kfree(rcu_access_pointer(net->gen)); ++ + /* Wait for an extra rcu_barrier() before final free. */ + llist_add(&net->defer_free_list, &defer_free_list); - } ++ } }
+ void net_drop_ns(void *p) @@ net/core/net_namespace.c: static void cleanup_net(struct work_struct *work) */ rcu_barrier(); ---
Results of testing on various branches:
| Branch | Patch Apply | Build Test | |---------------------------|-------------|------------| | stable/linux-5.10.y | Success | Success |