diff mbox series

[net,6/8] vrf: use RCU protection in l3mdev_l3_out()

Message ID 20250207135841.1948589-7-edumazet@google.com (mailing list archive)
State Accepted
Commit 6d0ce46a93135d96b7fa075a94a88fe0da8e8773
Delegated to: Netdev Maintainers
Series net: second round to use dev_net_rcu()

Checks

Context Check Description
netdev/series_format success Posting correctly formatted
netdev/tree_selection success Clearly marked for net
netdev/ynl success Generated files up to date; no warnings/errors; no diff in generated;
netdev/fixes_present success Fixes tag present in non-next series
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 16 this patch: 16
netdev/build_tools success Errors and warnings before: 26 (+1) this patch: 26 (+1)
netdev/cc_maintainers success CCed 6 of 6 maintainers
netdev/build_clang success Errors and warnings before: 3879 this patch: 3879
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/deprecated_api success None detected
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes success Fixes tag looks correct
netdev/build_allmodconfig_warn success Errors and warnings before: 2618 this patch: 2618
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 12 lines checked
netdev/build_clang_rust success No Rust files in patch. Skipping build
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0
netdev/contest success net-next-2025-02-07--21-00 (tests: 890)

Commit Message

Eric Dumazet Feb. 7, 2025, 1:58 p.m. UTC
l3mdev_l3_out() can be called without RCU being held:

raw_sendmsg()
 ip_push_pending_frames()
  ip_send_skb()
   ip_local_out()
    __ip_local_out()
     l3mdev_ip_out()

Add rcu_read_lock() / rcu_read_unlock() pair to avoid
a potential UAF.

Fixes: a8e3e1a9f020 ("net: l3mdev: Add hook to output path")
Signed-off-by: Eric Dumazet <edumazet@google.com>
---
 include/net/l3mdev.h | 2 ++
 1 file changed, 2 insertions(+)

Comments

David Ahern Feb. 7, 2025, 8:45 p.m. UTC | #1
On 2/7/25 6:58 AM, Eric Dumazet wrote:
> l3mdev_l3_out() can be called without RCU being held:
> 
> raw_sendmsg()
>  ip_push_pending_frames()
>   ip_send_skb()
>    ip_local_out()
>     __ip_local_out()
>      l3mdev_ip_out()
> 
> Add rcu_read_lock() / rcu_read_unlock() pair to avoid
> a potential UAF.
> 
> Fixes: a8e3e1a9f020 ("net: l3mdev: Add hook to output path")
> Signed-off-by: Eric Dumazet <edumazet@google.com>
> ---
>  include/net/l3mdev.h | 2 ++
>  1 file changed, 2 insertions(+)
> 

Reviewed-by: David Ahern <dsahern@kernel.org>

Kuniyuki Iwashima Feb. 10, 2025, 1:27 a.m. UTC | #2
From: Eric Dumazet <edumazet@google.com>
Date: Fri,  7 Feb 2025 13:58:38 +0000
> l3mdev_l3_out() can be called without RCU being held:
> 
> raw_sendmsg()
>  ip_push_pending_frames()
>   ip_send_skb()
>    ip_local_out()
>     __ip_local_out()
>      l3mdev_ip_out()
> 
> Add rcu_read_lock() / rcu_read_unlock() pair to avoid
> a potential UAF.
> 
> Fixes: a8e3e1a9f020 ("net: l3mdev: Add hook to output path")
> Signed-off-by: Eric Dumazet <edumazet@google.com>

Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>

I wondered why syzbot didn't notice this and I confirmed that
list_first_or_null_rcu() doesn't have RCU annotation.

Patch

diff --git a/include/net/l3mdev.h b/include/net/l3mdev.h
index 2d6141f28b53097fe452cbdaf5faa977fc6e6782..f7fe796e8429a5e633f7540430675a728ed4de66 100644
--- a/include/net/l3mdev.h
+++ b/include/net/l3mdev.h
@@ -198,10 +198,12 @@  struct sk_buff *l3mdev_l3_out(struct sock *sk, struct sk_buff *skb, u16 proto)
 	if (netif_is_l3_slave(dev)) {
 		struct net_device *master;
 
+		rcu_read_lock();
 		master = netdev_master_upper_dev_get_rcu(dev);
 		if (master && master->l3mdev_ops->l3mdev_l3_out)
 			skb = master->l3mdev_ops->l3mdev_l3_out(master, sk,
 								skb, proto);
+		rcu_read_unlock();
 	}
 
 	return skb;
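
Review bot: the master->l3mdev_ops->l3mdev_l3_out() callback is now invoked between the added rcu_read_lock() and rcu_read_unlock(), so it runs inside an RCU read-side critical section, and nothing in the hunk documents that constraint. A one-line comment above rcu_read_lock(), or a note in the l3mdev_ops documentation, saying that the callback must not sleep and that master is only valid until rcu_read_unlock() would help anyone adding a new implementation. The skb assigned from the callback is returned after rcu_read_unlock(), so it is also worth confirming that the callback does not leave a pointer to master in the skb that relies on RCU protection alone.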