net: ipv6: fix dst ref loops in rpl, seg6 and ioam6 lwtunnels

JIRA: https://issues.redhat.com/browse/RHEL-84573
Upstream Status: net.git commit 92191dd
CVE: CVE-2025-21768

Conflicts: ignore ioam and rpl since we don't support them on rhel9.
For seg6 we have context conflicts due to missing commit 40475b6
("net: ipv6: seg6_iptunnel: mitigate 2-realloc issue").

commit 92191dd
Author: Jakub Kicinski <kuba@kernel.org>
Date:   Wed Jan 29 19:15:19 2025 -0800

    net: ipv6: fix dst ref loops in rpl, seg6 and ioam6 lwtunnels

    Some lwtunnels have a dst cache for post-transformation dst.
    If the packet destination did not change we may end up recording
    a reference to the lwtunnel in its own cache, and the lwtunnel
    state will never be freed.

    Discovered by the ioam6.sh test, kmemleak was recently fixed
    to catch per-cpu memory leaks. I'm not sure if rpl and seg6
    can actually hit this, but in principle I don't see why not.

    Fixes: 8cb3bf8 ("ipv6: ioam: Add support for the ip6ip6 encapsulation")
    Fixes: 6c8702c ("ipv6: sr: add support for SRH encapsulation and injection with lwtunnels")
    Fixes: a7a29f9 ("net: ipv6: add rpl sr tunnel")
    Reviewed-by: Simon Horman <horms@kernel.org>
    Link: https://patch.msgid.link/20250130031519.2716843-2-kuba@kernel.org
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>

Signed-off-by: Hangbin Liu <haliu@redhat.com>

Author: Hangbin Liu

net/ipv6/seg6_iptunnel.c

@@ -556,9 +556,12 @@ static int seg6_output_core(struct net *net, struct sock *sk,
 			goto drop;
 		}
 
-		local_bh_disable();
-		dst_cache_set_ip6(&slwt->cache, dst, &fl6.saddr);
-		local_bh_enable();
+		/* cache only if we don't create a dst reference loop */
+		if (orig_dst->lwtstate != dst->lwtstate) {
+			local_bh_disable();
+			dst_cache_set_ip6(&slwt->cache, dst, &fl6.saddr);
+			local_bh_enable();
+		}
 	}
 
 	skb_dst_drop(skb);