Unverified Commit fdcc6a87 authored by openeuler-ci-bot's avatar openeuler-ci-bot Committed by Gitee
Browse files

!9138 v2 CVE-2024-36971 

Merge Pull Request from: @ci-robot 
 
PR sync from: Liu Jian <liujian56@huawei.com>
https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/HKP4OOA5DVYEMKX3UY7RZEXKP4HU7OLH/ 
CVE-2024-36971

Eric Dumazet (1):
  net: fix __dst_negative_advice() race

Liu Jian (1):
  net: fix kabi breakage in struct dst_ops


-- 
2.34.1
 
https://gitee.com/src-openeuler/kernel/issues/IA436B 
 
Link:https://gitee.com/openeuler/kernel/pulls/9138

 

Reviewed-by: default avatarYue Haibing <yuehaibing@huawei.com>
Signed-off-by: default avatarJialin Zhang <zhangjialin11@huawei.com>
parents 7fb3caa8 dbb4182f

include/net/dst_ops.h

+2 −1
Original line number Diff line number Diff line
@@ -25,7 +25,8 @@ struct dst_ops { 
	void			(*destroy)(struct dst_entry *);

	void			(*ifdown)(struct dst_entry *,

					  struct net_device *dev, int how);

	struct dst_entry *	(*negative_advice)(struct dst_entry *);

	KABI_REPLACE(struct dst_entry *	(*negative_advice)(struct dst_entry *),

		     void (*negative_advice)(struct sock *sk, struct dst_entry *))

	void			(*link_failure)(struct sk_buff *);

	void			(*update_pmtu)(struct dst_entry *dst, struct sock *sk,

					       struct sk_buff *skb, u32 mtu,

include/net/sock.h

+3 −10
Original line number Diff line number Diff line
@@ -2059,17 +2059,10 @@ sk_dst_get(struct sock *sk) 


static inline void __dst_negative_advice(struct sock *sk)

{

	struct dst_entry *ndst, *dst = __sk_dst_get(sk);

	struct dst_entry *dst = __sk_dst_get(sk);



	if (dst && dst->ops->negative_advice) {

		ndst = dst->ops->negative_advice(dst);



		if (ndst != dst) {

			rcu_assign_pointer(sk->sk_dst_cache, ndst);

			sk_tx_queue_clear(sk);

			WRITE_ONCE(sk->sk_dst_pending_confirm, 0);

		}

	}

	if (dst && dst->ops->negative_advice)

		dst->ops->negative_advice(sk, dst);

}



static inline void dst_negative_advice(struct sock *sk)

net/ipv4/route.c

+8 −14
Original line number Diff line number Diff line
@@ -137,7 +137,8 @@ static int ip_rt_gc_timeout __read_mostly = RT_GC_TIMEOUT; 
static struct dst_entry *ipv4_dst_check(struct dst_entry *dst, u32 cookie);

static unsigned int	 ipv4_default_advmss(const struct dst_entry *dst);

static unsigned int	 ipv4_mtu(const struct dst_entry *dst);

static struct dst_entry *ipv4_negative_advice(struct dst_entry *dst);

static void		ipv4_negative_advice(struct sock *sk,

					     struct dst_entry *dst);

static void		 ipv4_link_failure(struct sk_buff *skb);

static void		 ip_rt_update_pmtu(struct dst_entry *dst, struct sock *sk,

					   struct sk_buff *skb, u32 mtu,
@@ -866,22 +867,15 @@ static void ip_do_redirect(struct dst_entry *dst, struct sock *sk, struct sk_buf 
	__ip_do_redirect(rt, skb, &fl4, true);

}



static struct dst_entry *ipv4_negative_advice(struct dst_entry *dst)

static void ipv4_negative_advice(struct sock *sk,

				 struct dst_entry *dst)

{

	struct rtable *rt = (struct rtable *)dst;

	struct dst_entry *ret = dst;



	if (rt) {

		if (dst->obsolete > 0) {

			ip_rt_put(rt);

			ret = NULL;

		} else if ((rt->rt_flags & RTCF_REDIRECTED) ||

			   rt->dst.expires) {

			ip_rt_put(rt);

			ret = NULL;

		}

	}

	return ret;

	if ((dst->obsolete > 0) ||

	    (rt->rt_flags & RTCF_REDIRECTED) ||

	    rt->dst.expires)

		sk_dst_reset(sk);

}



/*

net/ipv6/route.c

+15 −14
Original line number Diff line number Diff line
@@ -85,7 +85,8 @@ enum rt6_nud_state { 
static struct dst_entry	*ip6_dst_check(struct dst_entry *dst, u32 cookie);

static unsigned int	 ip6_default_advmss(const struct dst_entry *dst);

static unsigned int	 ip6_mtu(const struct dst_entry *dst);

static struct dst_entry *ip6_negative_advice(struct dst_entry *);

static void		ip6_negative_advice(struct sock *sk,

					    struct dst_entry *dst);

static void		ip6_dst_destroy(struct dst_entry *);

static void		ip6_dst_ifdown(struct dst_entry *,

				       struct net_device *dev, int how);
@@ -2630,24 +2631,24 @@ static struct dst_entry *ip6_dst_check(struct dst_entry *dst, u32 cookie) 
	return dst_ret;

}



static struct dst_entry *ip6_negative_advice(struct dst_entry *dst)

static void ip6_negative_advice(struct sock *sk,

				struct dst_entry *dst)

{

	struct rt6_info *rt = (struct rt6_info *) dst;



	if (rt) {

	if (rt->rt6i_flags & RTF_CACHE) {

		rcu_read_lock();

		if (rt6_check_expired(rt)) {

			/* counteract the dst_release() in sk_dst_reset() */

			dst_hold(dst);

			sk_dst_reset(sk);



			rt6_remove_exception_rt(rt);

				dst = NULL;

		}

		rcu_read_unlock();

		} else {

			dst_release(dst);

			dst = NULL;

		}

		return;

	}

	return dst;

	sk_dst_reset(sk);

}



static void ip6_link_failure(struct sk_buff *skb)

net/xfrm/xfrm_policy.c

+3 −8
Original line number Diff line number Diff line
@@ -3791,15 +3791,10 @@ static void xfrm_link_failure(struct sk_buff *skb) 
	/* Impossible. Such dst must be popped before reaches point of failure. */

}



static struct dst_entry *xfrm_negative_advice(struct dst_entry *dst)

static void xfrm_negative_advice(struct sock *sk, struct dst_entry *dst)

{

	if (dst) {

		if (dst->obsolete) {

			dst_release(dst);

			dst = NULL;

		}

	}

	return dst;

	if (dst->obsolete)

		sk_dst_reset(sk);

}



static void xfrm_init_pmtu(struct xfrm_dst **bundle, int nr)