linux/net
WANG Cong 82486aa6f1 ipv4: restore rt->fi for reference counting
IPv4 dst could use fi->fib_metrics to store metrics but fib_info
itself is refcnt'ed, so without taking a refcnt fi and
fi->fib_metrics could be freed while dst metrics still points to
it. This triggers use-after-free as reported by Andrey twice.

This patch reverts commit 2860583fe8 ("ipv4: Kill rt->fi") to
restore this reference counting. It is a quick fix for -net and
-stable, for -net-next, as Eric suggested, we can consider doing
reference counting for metrics itself instead of relying on fib_info.

IPv6 is very different, it copies or steals the metrics from mx6_config
in fib6_commit_metrics() so probably doesn't need a refcnt.

Decnet has already done the refcnt'ing, see dn_fib_semantic_match().

Fixes: 2860583fe8 ("ipv4: Kill rt->fi")
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-05-08 14:35:03 -04:00
..
6lowpan 6lowpan: Don't set IFF_NO_QUEUE 2017-04-12 22:02:40 +02:00
9p xen: fixes and featrues for 4.12 2017-05-04 11:37:09 -07:00
802
8021q netlink: pass extended ACK struct to parsing functions 2017-04-13 13:58:22 -04:00
appletalk lib/vsprintf.c: remove %Z support 2017-02-27 18:43:47 -08:00
atm neighbour: fix nlmsg_pid in notifications 2017-03-22 10:48:49 -07:00
ax25 net: Work around lockdep limitation in sockets that use sockets 2017-03-09 18:23:27 -08:00
batman-adv This feature/cleanup patchset includes the following patches: 2017-04-06 14:37:50 -07:00
bluetooth Bluetooth: Add selftest for ECDH key generation 2017-04-30 16:52:43 +03:00
bpf bpf: Align packet data properly in program testing framework. 2017-05-02 11:46:28 -04:00
bridge bridge: netlink: account for IFLA_BRPORT_{B, M}CAST_FLOOD size and policy 2017-05-05 11:21:03 -04:00
caif sched/headers: Prepare for new header dependencies before moving code to <linux/sched/signal.h> 2017-03-02 08:42:29 +01:00
can can: fix CAN BCM build with CONFIG_PROC_FS disabled 2017-04-27 09:34:13 +02:00
ceph libceph: force GFP_NOIO for socket allocations 2017-03-23 12:03:36 +01:00
core tcp: randomize timestamps on syncookies 2017-05-05 12:00:11 -04:00
dcb net: rtnetlink: plumb extended ack to doit function 2017-04-17 15:35:38 -04:00
dccp dccp: fix memory leak during tear-down of unsuccessful connection request 2017-03-13 22:00:42 -07:00
decnet Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next 2017-05-01 10:47:53 -04:00
dns_resolver Merge branch 'WIP.sched-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2017-03-03 10:16:38 -08:00
dsa net: dsa: Remove redundant NULL dst check 2017-04-21 10:41:24 -04:00
ethernet Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec-next 2017-02-16 21:25:49 -05:00
hsr netlink: extended ACK reporting 2017-04-13 13:58:20 -04:00
ieee802154 netlink: pass extended ACK struct where available 2017-04-13 13:58:22 -04:00
ife
ipv4 ipv4: restore rt->fi for reference counting 2017-05-08 14:35:03 -04:00
ipv6 tcp: randomize timestamps on syncookies 2017-05-05 12:00:11 -04:00
ipx ipx: call ipxitf_put() in ioctl error path 2017-05-02 15:34:53 -04:00
irda net: Work around lockdep limitation in sockets that use sockets 2017-03-09 18:23:27 -08:00
iucv net: Work around lockdep limitation in sockets that use sockets 2017-03-09 18:23:27 -08:00
kcm kcm: remove a useless copy_from_user() 2017-04-17 13:28:48 -04:00
key Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-04-21 20:23:53 -07:00
l2tp l2tp: remove useless device duplication test in l2tp_eth_create() 2017-04-27 16:32:13 -04:00
l3mdev
lapb
llc net: Work around lockdep limitation in sockets that use sockets 2017-03-09 18:23:27 -08:00
mac80211 cfg80211: add request id to cfg80211_sched_scan_*() api 2017-04-28 14:51:43 +02:00
mac802154 drivers: add explicit interrupt.h includes 2017-03-30 11:05:34 -07:00
mpls net: rtnetlink: plumb extended ack to doit function 2017-04-17 15:35:38 -04:00
ncsi
netfilter Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-05-04 12:26:43 -07:00
netlabel netlink: pass extended ACK struct to parsing functions 2017-04-13 13:58:22 -04:00
netlink netlink: pass extended ACK struct where available 2017-04-13 13:58:22 -04:00
netrom net: Work around lockdep limitation in sockets that use sockets 2017-03-09 18:23:27 -08:00
nfc NFC 4.12 pull request 2017-04-21 15:29:40 -04:00
openvswitch Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf 2017-05-03 10:11:26 -04:00
packet Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-04-26 22:39:08 -04:00
phonet net: rtnetlink: plumb extended ack to doit function 2017-04-17 15:35:38 -04:00
psample
qrtr Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-04-21 20:23:53 -07:00
rds Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2017-05-02 16:40:27 -07:00
rfkill
rose net: Work around lockdep limitation in sockets that use sockets 2017-03-09 18:23:27 -08:00
rxrpc rxrpc: Trace client call connection 2017-04-06 11:10:41 +01:00
sched net/sched: remove redundant null check on head 2017-05-04 11:01:30 -04:00
sctp Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2017-05-02 16:40:27 -07:00
smc IB/core: Define 'ib' and 'roce' rdma_ah_attr types 2017-05-01 14:32:43 -04:00
strparser strparser: destroy workqueue on module exit 2017-03-03 20:43:26 -08:00
sunrpc The restriction of NFSv4 to TCP went overboard and also broke the 2017-04-01 10:43:37 -07:00
switchdev netlink: pass extended ACK struct to parsing functions 2017-04-13 13:58:22 -04:00
tipc Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2017-05-02 16:40:27 -07:00
unix af_unix: Use designated initializers 2017-04-06 12:43:04 -07:00
vmw_vsock VSOCK: Add virtio vsock vsockmon hooks 2017-04-24 12:35:56 -04:00
wimax
wireless cfg80211: add request id to cfg80211_sched_scan_*() api 2017-04-28 14:51:43 +02:00
x25 net: Work around lockdep limitation in sockets that use sockets 2017-03-09 18:23:27 -08:00
xfrm Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2017-05-02 16:40:27 -07:00
compat.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2017-02-22 10:15:09 -08:00
Kconfig bpf: make jited programs visible in traces 2017-02-17 13:40:05 -05:00
Makefile bpf: introduce BPF_PROG_TEST_RUN command 2017-04-01 12:45:57 -07:00
socket.c l2tp: device MTU setup, tunnel socket needs a lock 2017-04-17 13:01:48 -04:00
sysctl_net.c