Commit 1b7a2d20 authored by Eric Dumazet's avatar Eric Dumazet Committed by Wentao Guan
Browse files

ipv6: mcast: extend RCU protection in igmp6_send() 

stable inclusion
from stable-v6.6.79
commit 81b25a07ebf53f9ef4ca8f3d96a8ddb94561dd5a
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/IBXANC

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=81b25a07ebf53f9ef4ca8f3d96a8ddb94561dd5a



--------------------------------

[ Upstream commit 087c1faa594fa07a66933d750c0b2610aa1a2946 ]

igmp6_send() can be called without RTNL or RCU being held.

Extend RCU protection so that we can safely fetch the net pointer
and avoid a potential UAF.

Note that we no longer can use sock_alloc_send_skb() because
ipv6.igmp_sk uses GFP_KERNEL allocations which can sleep.

Instead use alloc_skb() and charge the net->ipv6.igmp_sk
socket under RCU protection.

Fixes: b8ad0cbc ("[NETNS][IPV6] mcast - handle several network namespace")
Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
Reviewed-by: default avatarDavid Ahern <dsahern@kernel.org>
Reviewed-by: default avatarKuniyuki Iwashima <kuniyu@amazon.com>
Link: https://patch.msgid.link/20250207135841.1948589-9-edumazet@google.com


Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
(cherry picked from commit 81b25a07ebf53f9ef4ca8f3d96a8ddb94561dd5a)
Signed-off-by: default avatarWentao Guan <guanwentao@uniontech.com>
parent 70238e58

net/ipv6/mcast.c

+15 −16
Original line number Diff line number Diff line
@@ -2121,21 +2121,21 @@ static void mld_send_cr(struct inet6_dev *idev) 


static void igmp6_send(struct in6_addr *addr, struct net_device *dev, int type)

{

	struct net *net = dev_net(dev);

	struct sock *sk = net->ipv6.igmp_sk;

	const struct in6_addr *snd_addr, *saddr;

	int err, len, payload_len, full_len;

	struct in6_addr addr_buf;

	struct inet6_dev *idev;

	struct sk_buff *skb;

	struct mld_msg *hdr;

	const struct in6_addr *snd_addr, *saddr;

	struct in6_addr addr_buf;

	int hlen = LL_RESERVED_SPACE(dev);

	int tlen = dev->needed_tailroom;

	int err, len, payload_len, full_len;

	u8 ra[8] = { IPPROTO_ICMPV6, 0,

		     IPV6_TLV_ROUTERALERT, 2, 0, 0,

		     IPV6_TLV_PADN, 0 };

	struct flowi6 fl6;

	struct dst_entry *dst;

	struct flowi6 fl6;

	struct net *net;

	struct sock *sk;



	if (type == ICMPV6_MGM_REDUCTION)

		snd_addr = &in6addr_linklocal_allrouters;
@@ -2146,19 +2146,21 @@ static void igmp6_send(struct in6_addr *addr, struct net_device *dev, int type) 
	payload_len = len + sizeof(ra);

	full_len = sizeof(struct ipv6hdr) + payload_len;



	rcu_read_lock();

	IP6_INC_STATS(net, __in6_dev_get(dev), IPSTATS_MIB_OUTREQUESTS);

	rcu_read_unlock();

	skb = alloc_skb(hlen + tlen + full_len, GFP_KERNEL);



	skb = sock_alloc_send_skb(sk, hlen + tlen + full_len, 1, &err);

	rcu_read_lock();



	net = dev_net_rcu(dev);

	idev = __in6_dev_get(dev);

	IP6_INC_STATS(net, idev, IPSTATS_MIB_OUTREQUESTS);

	if (!skb) {

		rcu_read_lock();

		IP6_INC_STATS(net, __in6_dev_get(dev),

			      IPSTATS_MIB_OUTDISCARDS);

		IP6_INC_STATS(net, idev, IPSTATS_MIB_OUTDISCARDS);

		rcu_read_unlock();

		return;

	}

	sk = net->ipv6.igmp_sk;

	skb_set_owner_w(skb, sk);



	skb->priority = TC_PRIO_CONTROL;

	skb_reserve(skb, hlen);
@@ -2183,9 +2185,6 @@ static void igmp6_send(struct in6_addr *addr, struct net_device *dev, int type) 
					 IPPROTO_ICMPV6,

					 csum_partial(hdr, len, 0));



	rcu_read_lock();

	idev = __in6_dev_get(skb->dev);



	icmpv6_flow_init(sk, &fl6, type,

			 &ipv6_hdr(skb)->saddr, &ipv6_hdr(skb)->daddr,

			 skb->dev->ifindex);