From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <stable-owner@vger.kernel.org>
Received: from mail.linuxfoundation.org ([140.211.169.12]:46852 "EHLO
	mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S932376AbbKQWj1 (ORCPT
	<rfc822;stable@vger.kernel.org>); Tue, 17 Nov 2015 17:39:27 -0500
Subject: Patch "net: fix a race in dst_release()" has been added to the 4.1-stable tree
To: edumazet@google.com, davem@davemloft.net,
	gregkh@linuxfoundation.org, gthelen@google.com
Cc: <stable@vger.kernel.org>, <stable-commits@vger.kernel.org>
From: <gregkh@linuxfoundation.org>
Date: Tue, 17 Nov 2015 14:39:26 -0800
Message-ID: <144779996635212@kroah.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=ANSI_X3.4-1968
Content-Transfer-Encoding: 8bit
Sender: stable-owner@vger.kernel.org
List-ID: <stable.vger.kernel.org>


This is a note to let you know that I've just added the patch titled

    net: fix a race in dst_release()

to the 4.1-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     net-fix-a-race-in-dst_release.patch
and it can be found in the queue-4.1 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.


>>From foo@baz Tue Nov 17 14:35:45 PST 2015
From: Eric Dumazet <edumazet@google.com>
Date: Mon, 9 Nov 2015 17:51:23 -0800
Subject: net: fix a race in dst_release()

From: Eric Dumazet <edumazet@google.com>

[ Upstream commit d69bbf88c8d0b367cf3e3a052f6daadf630ee566 ]

Only cpu seeing dst refcount going to 0 can safely
dereference dst->flags.

Otherwise an other cpu might already have freed the dst.

Fixes: 27b75c95f10d ("net: avoid RCU for NOCACHE dst")
Reported-by: Greg Thelen <gthelen@google.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/core/dst.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/core/dst.c
+++ b/net/core/dst.c
@@ -285,7 +285,7 @@ void dst_release(struct dst_entry *dst)
 
 		newrefcnt = atomic_dec_return(&dst->__refcnt);
 		WARN_ON(newrefcnt < 0);
-		if (unlikely(dst->flags & DST_NOCACHE) && !newrefcnt)
+		if (!newrefcnt && unlikely(dst->flags & DST_NOCACHE))
 			call_rcu(&dst->rcu_head, dst_destroy_rcu);
 	}
 }


Patches currently in stable-queue which might be from edumazet@google.com are

queue-4.1/ipv6-gre-support-sit-encapsulation.patch
queue-4.1/ipmr-fix-possible-race-resulting-from-improper-usage-of-ip_inc_stats_bh-in-preemptible-context.patch
queue-4.1/net-avoid-null-deref-in-inet_ctl_sock_destroy.patch
queue-4.1/net-fix-a-race-in-dst_release.patch
queue-4.1/sit-fix-sit0-percpu-double-allocations.patch