)]}'
{
  "commit": "c6cc3ce85d7ed70ec69a71e2d8f7e205d6f7ae3c",
  "tree": "ac369f5179597977246542540896969586eb659e",
  "parents": [
    "49d820f0cf69487ea7fc821abd249f3fe7aed773"
  ],
  "author": {
    "name": "Eric Dumazet",
    "email": "edumazet@google.com",
    "time": "Tue Oct 08 14:31:10 2024 +0000"
  },
  "committer": {
    "name": "Michael Kochera",
    "email": "kochera@google.com",
    "time": "Mon Dec 02 01:28:48 2024 +0000"
  },
  "message": "net: do not delay dst_entries_add() in dst_release()\n\ncommit ac888d58869bb99753e7652be19a151df9ecb35d upstream.\n\ndst_entries_add() uses per-cpu data that might be freed at netns\ndismantle from ip6_route_net_exit() calling dst_entries_destroy()\n\nBefore ip6_route_net_exit() can be called, we release all\nthe dsts associated with this netns, via calls to dst_release(),\nwhich waits an rcu grace period before calling dst_destroy()\n\ndst_entries_add() use in dst_destroy() is racy, because\ndst_entries_destroy() could have been called already.\n\nDecrementing the number of dsts must happen sooner.\n\nNotes:\n\n1) in CONFIG_XFRM case, dst_destroy() can call\n   dst_release_immediate(child), this might also cause UAF\n   if the child does not have DST_NOCOUNT set.\n   IPSEC maintainers might take a look and see how to address this.\n\n2) There is also discussion about removing this count of dst,\n   which might happen in future kernels.\n\nBUG\u003db/377471279\nTEST\u003dpresubmit\nRELEASE_NOTE\u003dFixed CVE-2024-50036 in the Linux kernel.\n\ncos-patch: security-high\nFixes: f88649721268 (\"ipv4: fix dst race in sk_dst_get()\")\nCloses: https://lore.kernel.org/lkml/CANn89iLCCGsP7SFn9HKpvnKu96Td4KD08xf7aGtiYgZnkjaL\u003dw@mail.gmail.com/T/\nReported-by: Naresh Kamboju \u003cnaresh.kamboju@linaro.org\u003e\nTested-by: Linux Kernel Functional Testing \u003clkft@linaro.org\u003e\nTested-by: Naresh Kamboju \u003cnaresh.kamboju@linaro.org\u003e\nChange-Id: I07e77e84e8ca9e0530940ec6a1d10c10bfead02a\nSigned-off-by: Eric Dumazet \u003cedumazet@google.com\u003e\nCc: Xin Long \u003clucien.xin@gmail.com\u003e\nCc: Steffen Klassert \u003csteffen.klassert@secunet.com\u003e\nReviewed-by: Xin Long \u003clucien.xin@gmail.com\u003e\nLink: https://patch.msgid.link/20241008143110.1064899-1-edumazet@google.com\nSigned-off-by: Paolo Abeni \u003cpabeni@redhat.com\u003e\n[ resolved conflict due to bc9d3a9f2afc (\"net: dst: Switch to rcuref_t\n  reference counting\") is not in the tree ]\nSigned-off-by: Abdelkareem Abdelsaamad \u003ckareemem@amazon.com\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\nSigned-off-by: Kernel CVE Triage Automation \u003ccloud-image-kernel-cve-triage-automation@prod.google.com\u003e\nReviewed-on: https://cos-review.googlesource.com/c/third_party/kernel/+/87061\nReviewed-by: Michael Kochera \u003ckochera@google.com\u003e\nReviewed-by: Kevin Berry \u003ckpberry@google.com\u003e\nTested-by: Cusky Presubmit Bot \u003cpresubmit@cos-infra-prod.iam.gserviceaccount.com\u003e\n",
  "tree_diff": [
    {
      "type": "modify",
      "old_id": "d178c564138eeb42b513b3cc294bb7065d0a391b",
      "old_mode": 33188,
      "old_path": "net/core/dst.c",
      "new_id": "8db87258d14505014961721f5aff2942a92637fc",
      "new_mode": 33188,
      "new_path": "net/core/dst.c"
    }
  ]
}