On Wed, Jun 24, 2026 at 5:04 AM Tung Quang Nguyen
[off-list ref] wrote:

quoted

Subject: [PATCH v2 net 1/2] tipc: fix UAF in cleanup_bearer() due to premature
dst_cache_destroy()

TIPC UDP media bearer teardown calls dst_cache_destroy() on its replicast
caches before calling synchronize_net() to wait for concurrent RCU readers
(transmitters) to finish:

static void cleanup_bearer(struct work_struct *work) { ...
      list_for_each_entry_safe(rcast, tmp, &ub->rcast.list, list) {
              dst_cache_destroy(&rcast->dst_cache);
              list_del_rcu(&rcast->list);
              kfree_rcu(rcast, rcu);
      }
...
      dst_cache_destroy(&ub->rcast.dst_cache);
      udp_tunnel_sock_release(ub->sk);
      synchronize_net();
...
}

This is highly buggy because dst_cache_destroy() immediately frees the per-
CPU cache memory (free_percpu()) and releases the cached dst entries
without any synchronization.

If a concurrent transmitter (e.g., tipc_udp_xmit()) is running on another CPU
under RCU protection, it can call dst_cache_get() concurrently, leading to:
1. Use-After-Free on the per-CPU cache pointer itself (crash).
2. "rcuref - imbalanced put()" warning if it attempts to release a
  dst that was concurrently released by dst_cache_destroy().

Furthermore, calling kfree(ub) immediately after synchronize_net() without
closing the socket first (or waiting after closing it) leaves a window where a
concurrent receiver (tipc_udp_recv()) could start after synchronize_net(),
access ub, and suffer a UAF when kfree(ub) runs.

To fix this, we must defer dst_cache_destroy() and kfree(ub) until after we have
ensured that no more readers can see the bearer/socket and all existing
readers have finished:

1. Defer rcast entry destruction (both dst_cache_destroy() and kfree())
  to an RCU callback using call_rcu_hurry().
  Using call_rcu_hurry() ensures the dst entries are released quickly.

2. Release the bearer socket using udp_tunnel_sock_release() (stops
  new receive readers).

3. Call synchronize_net() to wait for all outstanding RCU readers
  (both transmit and receive) to finish.

4. Now that it is safe, call dst_cache_destroy() on the main bearer
  cache, and free ub.

Note: 3) and 4) can be changed later in net-next to also use
call_rcu_hurry() and get rid of the synchronize_net() latency.

Fixes: e9c1a793210f ("tipc: add dst_cache support for udp media")
Reported-by: syzbot+e14bc5d4942756023b77@syzkaller.appspotmail.com
Closes:
https://lore.kernel.org/netdev/6a396a66.52ae72c2.136ac7.0003.GAE@google.
com/T/#u
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Xin Long <lucien.xin@gmail.com>
Cc: Jon Maloy <jmaloy@redhat.com>
Cc: tipc-discussion@lists.sourceforge.net
---
v2: addressed Xin Long feedback
v1:
https://lore.kernel.org/netdev/CANn89i+dkbrSAwvaWXW7yWMfcwUebuTBLG
5T7AGZaZcpVYGyfQ@mail.gmail.com/T/#m7bbeedffe3bedb69e33236410e383
3c7ce809850
net/tipc/udp_media.c | 15 +++++++++++----
1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/net/tipc/udp_media.c b/net/tipc/udp_media.c index

988b8a7f953ad6da860e6190f1f244650f121dce..66f3cb87a0aaaac8f40e8f237a
b9a44d539b1cd8 100644

--- a/net/tipc/udp_media.c
+++ b/net/tipc/udp_media.c

@@ -803,6 +803,14 @@ static int tipc_udp_enable(struct net *net, struct

tipc_bearer *b,
      return err;
}

+static void rcast_free_rcu(struct rcu_head *rcu) {
+      struct udp_replicast *rcast = container_of(rcu, struct udp_replicast,
+rcu);

This line is long (over 80 columns). Please break it into 2 lines (refer to linux/Documentation/process/coding-style.rst).

I prefer it this way.

BTW:

commit bdc48fa11e46f867ea4d75fa59ee87a7f48be144
Author: Joe Perches [off-list ref]
Date:   Fri May 29 16:12:21 2020 -0700

    checkpatch/coding-style: deprecate 80-column warning

    Yes, staying withing 80 columns is certainly still _preferred_.  But
    it's not the hard limit that the checkpatch warnings imply, and other
    concerns can most certainly dominate.

    Increase the default limit to 100 characters.  Not because 100
    characters is some hard limit either, but that's certainly a "what are
    you doing" kind of value and less likely to be about the occasional
    slightly longer lines.

    Miscellanea:

     - to avoid unnecessary whitespace changes in files, checkpatch will no
       longer emit a warning about line length when scanning files unless
       --strict is also used

     - Add a bit to coding-style about alignment to open parenthesis

    Signed-off-by: Joe Perches [off-list ref]
    Signed-off-by: Linus Torvalds [off-list ref]