[ Sasha's backport helper bot ]
Hi,
Summary of potential issues:
⚠️ Found follow-up fixes in mainline
The upstream commit SHA1 provided is correct: e8c526f2bdf1845bedaf6a478816a3d06fa78b8f
WARNING: Author mismatch between patch and upstream commit:
Backport author: Nathan Gao <zcgao@amazon.com>
Commit author: Kuniyuki Iwashima <kuniyu@amazon.com>
Status in newer kernel trees:
6.13.y | Present (exact SHA1)
6.12.y | Present (exact SHA1)
6.6.y  | Present (different SHA1: 997ae8da14f1)
6.1.y  | Present (different SHA1: 5071beb59ee4)
5.15.y | Present (different SHA1: 8459d61fbf24)
5.10.y | Not found
Found fixes commits:
c31e72d021db tcp: Fix use-after-free of nreq in reqsk_timer_handler().
Note: The patch differs from the upstream commit: --- 1: e8c526f2bdf18 ! 1: a2faf327265e4 tcp/dccp: Don't use timer_pending() in reqsk_queue_unlink(). @@ Metadata ## Commit message ## tcp/dccp: Don't use timer_pending() in reqsk_queue_unlink().
+ [ Upstream commit e8c526f2bdf1845bedaf6a478816a3d06fa78b8f ] + Martin KaFai Lau reported use-after-free [0] in reqsk_timer_handler().
""" @@ Commit message Reviewed-by: Martin KaFai Lau martin.lau@kernel.org Link: https://patch.msgid.link/20241014223312.4254-1-kuniyu@amazon.com Signed-off-by: Jakub Kicinski kuba@kernel.org + [Resolved conflicts due to context difference] + Signed-off-by: Nathan Gao zcgao@amazon.com
## net/ipv4/inet_connection_sock.c ## @@ net/ipv4/inet_connection_sock.c: static bool reqsk_queue_unlink(struct request_sock *req) - found = __sk_nulls_del_node_init_rcu(sk); + found = __sk_nulls_del_node_init_rcu(req_to_sk(req)); spin_unlock(lock); } - if (timer_pending(&req->rsk_timer) && del_timer_sync(&req->rsk_timer)) @@ net/ipv4/inet_connection_sock.c: static bool reqsk_queue_unlink(struct request_s
void inet_csk_reqsk_queue_drop_and_put(struct sock *sk, struct request_sock *req) @@ net/ipv4/inet_connection_sock.c: static void reqsk_timer_handler(struct timer_list *t) - - if (!inet_ehash_insert(req_to_sk(nreq), req_to_sk(oreq), NULL)) { - /* delete timer */ -- inet_csk_reqsk_queue_drop(sk_listener, nreq); -+ __inet_csk_reqsk_queue_drop(sk_listener, nreq, true); - goto no_ownership; - } - -@@ net/ipv4/inet_connection_sock.c: static void reqsk_timer_handler(struct timer_list *t) + return; } - drop: -- inet_csk_reqsk_queue_drop_and_put(oreq->rsk_listener, oreq); -+ __inet_csk_reqsk_queue_drop(sk_listener, oreq, true); +- inet_csk_reqsk_queue_drop_and_put(sk_listener, req); ++ __inet_csk_reqsk_queue_drop(sk_listener, req, true); + reqsk_put(req); }
- static bool reqsk_queue_hash_req(struct request_sock *req, + static void reqsk_queue_hash_req(struct request_sock *req, ---
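Review bot: In the reqsk_timer_handler drop path the backport replaces inet_csk_reqsk_queue_drop_and_put(sk_listener, req) with __inet_csk_reqsk_queue_drop(sk_listener, req, true) followed by reqsk_put(req); please confirm that this pair reproduces drop_and_put exactly (unlink plus a single put), so the reference the timer holds on req is released once and neither leaked nor double-dropped on 5.4.y. The range-diff also shows the whole inet_ehash_insert(req_to_sk(nreq), ...) hunk present only in the upstream patch and absent from the backport, which means the follow-up fix flagged above (c31e72d021db, "Fix use-after-free of nreq in reqsk_timer_handler()") may have nothing to apply to in 5.4.y; the backport note "[Resolved conflicts due to context difference]" understates this, so state in the commit message that the nreq hunk was dropped and that the follow-up was evaluated, rather than describing the change as a context conflict.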
Results of testing on various branches:

| Branch                    | Patch Apply | Build Test |
|---------------------------|-------------|------------|
| stable/linux-5.4.y        | Success     | Success    |