diff options
| author | Eric Dumazet <edumazet@google.com> | 2025-02-07 13:58:38 +0000 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2025-02-21 14:01:16 +0100 |
| commit | 022cac1c693add610ae76ede03adf4d9d5a2cf21 (patch) | |
| tree | 87272e8b788c13bead41647dfe70181027dad054 /include/net | |
| parent | 18e77fccfcf9b80f6cc8bf47025886c7cdc4c37f (diff) | |
| download | linux-022cac1c693add610ae76ede03adf4d9d5a2cf21.tar.gz linux-022cac1c693add610ae76ede03adf4d9d5a2cf21.tar.bz2 linux-022cac1c693add610ae76ede03adf4d9d5a2cf21.zip | |
vrf: use RCU protection in l3mdev_l3_out()
[ Upstream commit 6d0ce46a93135d96b7fa075a94a88fe0da8e8773 ]
l3mdev_l3_out() can be called without RCU being held:
raw_sendmsg()
ip_push_pending_frames()
ip_send_skb()
ip_local_out()
__ip_local_out()
l3mdev_ip_out()
Add rcu_read_lock() / rcu_read_unlock() pair to avoid
a potential UAF.
Fixes: a8e3e1a9f020 ("net: l3mdev: Add hook to output path")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: David Ahern <dsahern@kernel.org>
Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Link: https://patch.msgid.link/20250207135841.1948589-7-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Diffstat (limited to 'include/net')
| -rw-r--r-- | include/net/l3mdev.h | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/include/net/l3mdev.h b/include/net/l3mdev.h index 031c661aa14d..bdfa9d414360 100644 --- a/include/net/l3mdev.h +++ b/include/net/l3mdev.h @@ -198,10 +198,12 @@ struct sk_buff *l3mdev_l3_out(struct sock *sk, struct sk_buff *skb, u16 proto) if (netif_is_l3_slave(dev)) { struct net_device *master; + rcu_read_lock(); master = netdev_master_upper_dev_get_rcu(dev); if (master && master->l3mdev_ops->l3mdev_l3_out) skb = master->l3mdev_ops->l3mdev_l3_out(master, sk, skb, proto); + rcu_read_unlock(); } return skb; |