Description
In the Linux kernel, the following vulnerability has been resolved: net: nexthop: fix percpu use-after-free in remove_nh_grp_entry When removing a nexthop from a group, remove_nh_grp_entry() publishes the new group via rcu_assign_pointer() then immediately frees the removed entry's percpu stats with free_percpu(). However, the synchronize_net() grace period in the caller remove_nexthop_from_groups() runs after the free. RCU readers that entered before the publish still see the old group and can dereference the freed stats via nh_grp_entry_stats_inc() -> get_cpu_ptr(nhge->stats), causing a use-after-free on percpu memory. Fix by deferring the free_percpu() until after synchronize_net() in the caller. Removed entries are chained via nh_list onto a local deferred free list. After the grace period completes and all RCU readers have finished, the percpu stats are safely freed.
Product status
f4676ea74b8549cd88dbfe2a592ce4530039e61f (git) before abf4feaee6405f1441929c6ebe7a250f2cd170a7
f4676ea74b8549cd88dbfe2a592ce4530039e61f (git) before ab5ebab9664214ba41a7633cb4e72f128204f924
f4676ea74b8549cd88dbfe2a592ce4530039e61f (git) before 9e08ad731862b22a87cc55f752e16d66cdc9e231
f4676ea74b8549cd88dbfe2a592ce4530039e61f (git) before b2662e7593e94ae09b1cf7ee5f09160a3612bcb2
6.9
Any version before 6.9
6.12.78 (semver)
6.18.19 (semver)
6.19.9 (semver)
7.0 (original_commit_for_fix)
References
git.kernel.org/...c/abf4feaee6405f1441929c6ebe7a250f2cd170a7
git.kernel.org/...c/ab5ebab9664214ba41a7633cb4e72f128204f924
git.kernel.org/...c/9e08ad731862b22a87cc55f752e16d66cdc9e231
git.kernel.org/...c/b2662e7593e94ae09b1cf7ee5f09160a3612bcb2