diff mbox series

[net,4/8] arp: use RCU protection in arp_xmit()

Message ID 20250207135841.1948589-5-edumazet@google.com (mailing list archive)
State Accepted
Commit a42b69f692165ec39db42d595f4f65a4c8f42e44
Delegated to: Netdev Maintainers
Headers show
Series net: second round to use dev_net_rcu() | expand

Checks

Context Check Description
netdev/series_format success Posting correctly formatted
netdev/tree_selection success Clearly marked for net
netdev/ynl success Generated files up to date; no warnings/errors; no diff in generated;
netdev/fixes_present success Fixes tag present in non-next series
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 0 this patch: 0
netdev/build_tools success No tools touched, skip
netdev/cc_maintainers fail 1 blamed authors not CCed: ebiederm@xmission.com; 1 maintainers not CCed: ebiederm@xmission.com
netdev/build_clang success Errors and warnings before: 2 this patch: 2
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/deprecated_api success None detected
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes success Fixes tag looks correct
netdev/build_allmodconfig_warn success Errors and warnings before: 0 this patch: 0
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 13 lines checked
netdev/build_clang_rust success No Rust files in patch. Skipping build
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0
netdev/contest success net-next-2025-02-07--21-00 (tests: 890)

Commit Message

Eric Dumazet Feb. 7, 2025, 1:58 p.m. UTC 
arp_xmit() can be called without RTNL or RCU protection.

Use RCU protection to avoid potential UAF.

Fixes: 29a26a568038 ("netfilter: Pass struct net into the netfilter hooks")
Signed-off-by: Eric Dumazet <edumazet@google.com>
---
 net/ipv4/arp.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

Comments

David Ahern Feb. 7, 2025, 8:43 p.m. UTC | #1 
On 2/7/25 6:58 AM, Eric Dumazet wrote:
> arp_xmit() can be called without RTNL or RCU protection.
> 
> Use RCU protection to avoid potential UAF.
> 
> Fixes: 29a26a568038 ("netfilter: Pass struct net into the netfilter hooks")
> Signed-off-by: Eric Dumazet <edumazet@google.com>
> ---
>  net/ipv4/arp.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
> 

Reviewed-by: David Ahern <dsahern@kernel.org>
Kuniyuki Iwashima Feb. 10, 2025, 1:17 a.m. UTC | #2 
From: Eric Dumazet <edumazet@google.com>
Date: Fri,  7 Feb 2025 13:58:36 +0000
> arp_xmit() can be called without RTNL or RCU protection.
> 
> Use RCU protection to avoid potential UAF.
> 
> Fixes: 29a26a568038 ("netfilter: Pass struct net into the netfilter hooks")
> Signed-off-by: Eric Dumazet <edumazet@google.com>

Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
diff mbox series

Patch

diff --git a/net/ipv4/arp.c b/net/ipv4/arp.c
index cb9a7ed8abd3ab17403f226ea7e31ea2bae52a9f..f23a1ec6694cb2f1bd60f28faa357fcad83c165a 100644
--- a/net/ipv4/arp.c
+++ b/net/ipv4/arp.c
@@ -659,10 +659,12 @@  static int arp_xmit_finish(struct net *net, struct sock *sk, struct sk_buff *skb
  */
 void arp_xmit(struct sk_buff *skb)
 {
+	rcu_read_lock();
 	/* Send it off, maybe filter it using firewalling first.  */
 	NF_HOOK(NFPROTO_ARP, NF_ARP_OUT,
-		dev_net(skb->dev), NULL, skb, NULL, skb->dev,
+		dev_net_rcu(skb->dev), NULL, skb, NULL, skb->dev,
 		arp_xmit_finish);
+	rcu_read_unlock();
 }
 EXPORT_SYMBOL(arp_xmit);