From: David Miller
Subject: Re: [PATCH net] ipv6: take rcu lock in rawv6_send_hdrinc()
Date: Fri, 05 Oct 2018 14:46:29 -0700 (PDT)
Message-ID: <20181005.144629.1332596138050709254.davem@davemloft.net>
In-Reply-To: <20181004171237.181701-1-tracywwnj@gmail.com>
To: weiwan@google.com
Cc: netdev@vger.kernel.org, edumazet@google.com

From: Wei Wang
Date: Thu, 4 Oct 2018 10:12:37 -0700

> From: Wei Wang
>
> In rawv6_send_hdrinc(), in order to avoid an extra dst_hold(), we
> directly assign the dst to the skb and set the passed-in dst to NULL to
> avoid a double free.
> However, in the error case, we free the skb and then do the stats update
> with the dst pointer passed in. This causes a use-after-free on the dst.
> Fix it by taking the rcu read lock right before the dst could get released
> to make sure the dst does not get freed until the stats update is done.
> Note: we don't have this issue in ipv4 because the dst is not used for
> the stats update in v4.
>
> Syzkaller reported the following crash:
...
> Fixes: 1789a640f556 ("raw: avoid two atomics in xmit")
> Signed-off-by: Wei Wang
> Signed-off-by: Eric Dumazet

Applied and queued up for -stable, thanks.
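The ownership bug described in the commit message, as an added example that is not part of the patch or of the kernel: a single-threaded userspace model of the rawv6_send_hdrinc() error path. The skb takes over the caller's only dst reference, the error path frees the skb (and with it the dst), and the stats update then reads through the stale pointer. RCU is modelled as a pending list that is drained when the read-side critical section closes, which is what lets the stats update run before the dst is destroyed. All model_ names, the poisoning in place of a real free(), and the pending-list RCU are simplifications invented here.

```c
/* Added example (not from the patch or the kernel): userspace model of the
 * rawv6_send_hdrinc() use-after-free and of the rcu_read_lock() fix.
 * Every model_ identifier is invented for this illustration. */
#include <stdio.h>
#include <stdlib.h>

struct model_dst {
	int refcnt;        /* stands in for dst->__refcnt */
	long out_discards; /* stands in for the idev counter IP6_INC_STATS bumps */
	int freed;         /* set when destroyed; we poison instead of free() */
};

struct model_skb {
	struct model_dst *dst; /* the route the skb owns one reference to */
};

/* Minimal RCU model: while a read-side critical section is open, objects
 * whose refcount reaches zero are queued instead of destroyed, the way
 * call_rcu() defers the destroy until the grace period ends. */
static int rcu_depth;
static struct model_dst *rcu_pending[16];
static int rcu_npending;

static void model_dst_destroy(struct model_dst *dst)
{
	dst->freed = 1;
	dst->out_discards = -1; /* poison, so a late update is visible */
}

static void model_rcu_read_lock(void) { rcu_depth++; }

static void model_rcu_read_unlock(void)
{
	if (--rcu_depth == 0) {
		for (int i = 0; i < rcu_npending; i++)
			model_dst_destroy(rcu_pending[i]);
		rcu_npending = 0;
	}
}

static void model_dst_release(struct model_dst *dst)
{
	if (--dst->refcnt > 0)
		return;
	if (rcu_depth > 0)
		rcu_pending[rcu_npending++] = dst; /* deferred past the reader */
	else
		model_dst_destroy(dst);           /* no reader: gone immediately */
}

static void model_kfree_skb(struct model_skb *skb)
{
	if (skb->dst)
		model_dst_release(skb->dst); /* skb_dst_drop() */
	free(skb);
}

/* IP6_INC_STATS() stand-in: -1 if it touched a destroyed dst (the
 * use-after-free syzkaller caught), 0 otherwise. */
static int model_inc_out_discards(struct model_dst *dst)
{
	if (dst->freed)
		return -1;
	dst->out_discards++;
	return 0;
}

/* Shape of rawv6_send_hdrinc(): returns 0 or -1 (copy failed); *uaf is
 * set when the error-path stats update read a destroyed dst. */
static int model_send_hdrinc(struct model_dst **dstp, int copy_fails,
			     int with_fix, int *uaf)
{
	struct model_skb *skb = calloc(1, sizeof *skb);
	struct model_dst *rt = *dstp;
	int err = 0;

	*uaf = 0;
	if (with_fix)
		model_rcu_read_lock();
	skb->dst = rt;  /* skb_dst_set(): skb owns the caller's reference */
	*dstp = NULL;   /* caller must not release it again */

	if (copy_fails) {         /* memcpy_from_msg() failed */
		err = -1;
		model_kfree_skb(skb); /* drops the only reference */
		goto error;
	}
	model_kfree_skb(skb);     /* success: skb consumed by transmit */
	goto out;
error:
	if (model_inc_out_discards(rt) < 0) /* stats update via the dst */
		*uaf = 1;
out:
	if (with_fix)
		model_rcu_read_unlock(); /* deferred destroy happens here */
	return err;
}

/* Run one scenario; return 1 if the stats update was a use-after-free. */
static int model_uaf(int copy_fails, int with_fix)
{
	struct model_dst *dst = calloc(1, sizeof *dst), *keep = dst;
	int uaf;
	dst->refcnt = 1;
	model_send_hdrinc(&dst, copy_fails, with_fix, &uaf);
	free(keep);
	return uaf;
}

/* Run one scenario; return 1 if the dst was destroyed (no leak). */
static int model_destroyed(int copy_fails, int with_fix)
{
	struct model_dst *dst = calloc(1, sizeof *dst), *keep = dst;
	int uaf, freed;
	dst->refcnt = 1;
	model_send_hdrinc(&dst, copy_fails, with_fix, &uaf);
	freed = keep->freed;
	free(keep);
	return freed;
}

int main(void)
{
	printf("error path, no fix:  uaf=%d destroyed=%d\n",
	       model_uaf(1, 0), model_destroyed(1, 0));
	printf("error path, rcu fix: uaf=%d destroyed=%d\n",
	       model_uaf(1, 1), model_destroyed(1, 1));
	return 0;
}
```

Without the fix the error path reports the use-after-free; with the read lock held across the stats update the dst is still destroyed, just after rcu_read_unlock(), so the fix adds no reference-count traffic (the point of the original 1789a640f556 change) and leaks nothing.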