
From: Kuniyuki Iwashima <kuniyu@amazon.com> mainline inclusion from mainline-v6.14-rc4 commit e57a6320215c3967f51ab0edeff87db2095440e4 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBWVSY CVE: CVE-2025-21884 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i... -------------------------------- net_drop_ns() is NULL when CONFIG_NET_NS is disabled. The next patch introduces a function that increments and decrements net->passive. As a prep, let's rename and export net_free() to net_passive_dec() and add net_passive_inc(). Suggested-by: Eric Dumazet <edumazet@google.com> Link: https://lore.kernel.org/netdev/CANn89i+oUCt2VGvrbrweniTendZFEh+nwS=uonc004-a... Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com> Reviewed-by: Eric Dumazet <edumazet@google.com> Link: https://patch.msgid.link/20250217191129.19967-2-kuniyu@amazon.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> Conflicts: include/net/net_namespace.h net/core/net_namespace.c [commit 0734d7c3d93c expedite synchronize_net() for cleanup_net(), which not merged lead to conflicts] Signed-off-by: Dong Chenchen <dongchenchen2@huawei.com>
---
 include/net/net_namespace.h | 10 ++++++++++ net/core/net_namespace.c | 8 ++++---- 2 files changed, 14 insertions(+), 4 deletions(-)
diff --git a/include/net/net_namespace.h b/include/net/net_namespace.h
index 9f1bb06ebb99..9f5162b0030f 100644
--- a/include/net/net_namespace.h
+++ b/include/net/net_namespace.h
@@ -293,6 +293,7 @@ static inline int check_net(const struct net *net)
 }
 void net_drop_ns(void *);
+void net_passive_dec(struct net *net);
 #else
@@ -322,8 +323,17 @@ static inline int check_net(const struct net *net)
 }
 #define net_drop_ns NULL
+
+static inline void net_passive_dec(struct net *net)
+{
+ refcount_dec(&net->passive);
+}
 #endif
+static inline void net_passive_inc(struct net *net)
+{
+ refcount_inc(&net->passive);
+}
 static inline void __netns_tracker_alloc(struct net *net, netns_tracker *tracker,
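Review bot: The !CONFIG_NET_NS stub of `net_passive_dec()` added in the second hunk of include/net/net_namespace.h uses `refcount_dec()`, whereas the real implementation in net/core/net_namespace.c uses `refcount_dec_and_test()` and frees on the last drop. `refcount_dec()` warns and leaks when the count reaches zero, so the two variants behave differently on the final reference. That is presumably intended because only init_net exists without CONFIG_NET_NS and it is never freed, but the stub should say so, e.g. `/* !CONFIG_NET_NS: only init_net exists and is never freed, so passive must not drop to zero here */`. `net_passive_inc()` would also benefit from a one-line comment that the caller must already hold a reference keeping `net` alive, since `refcount_inc()` on a zero count warns instead of reviving the object.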
diff --git a/net/core/net_namespace.c b/net/core/net_namespace.c
index 92b7fea4d495..152761d5ca2f 100644
--- a/net/core/net_namespace.c
+++ b/net/core/net_namespace.c
@@ -457,7 +457,7 @@ static void net_complete_free(void)
 }
-static void net_free(struct net *net)
+void net_passive_dec(struct net *net)
 {
 if (refcount_dec_and_test(&net->passive)) {
 kfree(rcu_access_pointer(net->gen));
@@ -475,7 +475,7 @@ void net_drop_ns(void *p)
 struct net *net = (struct net *)p;
 if (net)
- net_free(net);
+ net_passive_dec(net);
 }
 struct net *copy_net_ns(unsigned long flags,
@@ -517,7 +517,7 @@ struct net *copy_net_ns(unsigned long flags,
 key_remove_domain(net->key_domain);
 #endif
 put_user_ns(user_ns);
- net_free(net);
+ net_passive_dec(net);
 dec_ucounts:
 dec_net_namespaces(ucounts);
 return ERR_PTR(rv);
@@ -653,7 +653,7 @@ static void cleanup_net(struct work_struct *work)
 key_remove_domain(net->key_domain);
 #endif
 put_user_ns(net->user_ns);
- net_free(net);
+ net_passive_dec(net);
 }
 }
-- 2.25.1
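Review bot: In the first hunk of net/core/net_namespace.c, `net_passive_dec()` loses `static` without gaining a comment, and the new name no longer signals that the last decrement frees `net->gen` and, in the part of the body outside the hunk, presumably the namespace itself. Now that other translation units can call it, a short kernel-doc block above the definition should state that it drops one passive reference, may free `net`, and that the caller must not touch `net` after the call. The commit message says the function is exported, yet no `EXPORT_SYMBOL` appears in the visible hunks; if the caller added by the follow-up patch can be built as a module, one would be needed.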