Diff - db19a3e1d6304ccb8151359520ca0c6151ad11e6^! - third_party/kernel

commit	db19a3e1d6304ccb8151359520ca0c6151ad11e6	[log] [tgz]
author	Yue Haibing <yuehaibing@huawei.com>	Mon Jul 14 22:19:57 2025 +0800
committer	Robert Kolchmeyer <rkolchmeyer@google.com>	Wed Sep 10 19:17:21 2025 -0700
tree	4a4b28c637863a9090a3f74f483e523ed4a586f6
parent	b4dd01604929b76fe2e6ea43dead75bffbfacc33 [diff]

ipv6: mcast: Delay put pmc->idev in mld_del_delrec()

[ Upstream commit ae3264a25a4635531264728859dbe9c659fad554 ]

pmc->idev is still used in ip6_mc_clear_src(), so as mld_clear_delrec()
does, the reference should be put after ip6_mc_clear_src() return.

BUG=b/439333696
TEST=presubmit
RELEASE_NOTE=Fixed CVE-2025-38550 in the Linux kernel.

cos-patch: security-moderate
Fixes: 63ed8de4be81 ("mld: add mc_lock for protecting per-interface mld data")
Change-Id: I97bbe06088cdb55a4478d01198c230546773300e
Signed-off-by: Yue Haibing <yuehaibing@huawei.com>
Link: https://patch.msgid.link/20250714141957.3301871-1-yuehaibing@huawei.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Robert Kolchmeyer <rkolchmeyer@google.com>
Reviewed-on: https://cos-review.googlesource.com/c/third_party/kernel/+/111032
Reviewed-by: Chenglong Tang <chenglongtang@google.com>
Tested-by: Cusky Presubmit Bot <presubmit@cos-infra-prod.iam.gserviceaccount.com>

diff --git a/net/ipv6/mcast.c b/net/ipv6/mcast.c
index a1b3f3e..e9e59a8 100644
--- a/net/ipv6/mcast.c
+++ b/net/ipv6/mcast.c

@@ -803,8 +803,8 @@ static void mld_del_delrec(struct inet6_dev *idev, struct ifmcaddr6 *im)
 		} else {
 			im->mca_crcount = idev->mc_qrv;
 		}
-		in6_dev_put(pmc->idev);
 		ip6_mc_clear_src(pmc);
+		in6_dev_put(pmc->idev);
 		kfree_rcu(pmc, rcu);
 	}
 }