Commit 14f04352 authored by Eric Dumazet's avatar Eric Dumazet Committed by Wentao Guan
Browse files

ipv6: mcast: add RCU protection to mld_newpack() 

stable inclusion
from stable-v6.6.79
commit 1b91c597b0214b1b462eb627ec02658c944623f2
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/IBXANC

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=1b91c597b0214b1b462eb627ec02658c944623f2



--------------------------------

[ Upstream commit a527750d877fd334de87eef81f1cb5f0f0ca3373 ]

mld_newpack() can be called without RTNL or RCU being held.

Note that we no longer can use sock_alloc_send_skb() because
ipv6.igmp_sk uses GFP_KERNEL allocations which can sleep.

Instead use alloc_skb() and charge the net->ipv6.igmp_sk
socket under RCU protection.

Fixes: b8ad0cbc ("[NETNS][IPV6] mcast - handle several network namespace")
Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
Reviewed-by: default avatarDavid Ahern <dsahern@kernel.org>
Link: https://patch.msgid.link/20250212141021.1663666-1-edumazet@google.com


Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
(cherry picked from commit 1b91c597b0214b1b462eb627ec02658c944623f2)
Signed-off-by: default avatarWentao Guan <guanwentao@uniontech.com>
parent 1b7a2d20

net/ipv6/mcast.c

+10 −4
Original line number Diff line number Diff line
@@ -1729,21 +1729,19 @@ static struct sk_buff *mld_newpack(struct inet6_dev *idev, unsigned int mtu) 
	struct net_device *dev = idev->dev;

	int hlen = LL_RESERVED_SPACE(dev);

	int tlen = dev->needed_tailroom;

	struct net *net = dev_net(dev);

	const struct in6_addr *saddr;

	struct in6_addr addr_buf;

	struct mld2_report *pmr;

	struct sk_buff *skb;

	unsigned int size;

	struct sock *sk;

	int err;

	struct net *net;



	sk = net->ipv6.igmp_sk;

	/* we assume size > sizeof(ra) here

	 * Also try to not allocate high-order pages for big MTU

	 */

	size = min_t(int, mtu, PAGE_SIZE / 2) + hlen + tlen;

	skb = sock_alloc_send_skb(sk, size, 1, &err);

	skb = alloc_skb(size, GFP_KERNEL);

	if (!skb)

		return NULL;
@@ -1751,6 +1749,12 @@ static struct sk_buff *mld_newpack(struct inet6_dev *idev, unsigned int mtu) 
	skb_reserve(skb, hlen);

	skb_tailroom_reserve(skb, mtu, tlen);



	rcu_read_lock();



	net = dev_net_rcu(dev);

	sk = net->ipv6.igmp_sk;

	skb_set_owner_w(skb, sk);



	if (ipv6_get_lladdr(dev, &addr_buf, IFA_F_TENTATIVE)) {

		/* <draft-ietf-magma-mld-source-05.txt>:

		 * use unspecified address as the source address
@@ -1762,6 +1766,8 @@ static struct sk_buff *mld_newpack(struct inet6_dev *idev, unsigned int mtu) 


	ip6_mc_hdr(sk, skb, dev, saddr, &mld2_all_mcr, NEXTHDR_HOP, 0);



	rcu_read_unlock();



	skb_put_data(skb, ra, sizeof(ra));



	skb_set_transport_header(skb, skb_tail_pointer(skb) - skb->data);