Commit bbaf8772 authored Feb 07, 2025 by Eric Dumazet Committed by Wentao Guan Mar 31, 2025

neighbour: use RCU protection in __neigh_notify()

stable inclusion
from stable-v6.6.79
commit 1cbb2aa90cd3fba15ad7efb5cdda28f3d1082379
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/IBXANC

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=1cbb2aa90cd3fba15ad7efb5cdda28f3d1082379



--------------------------------

[ Upstream commit becbd5850c03ed33b232083dd66c6e38c0c0e569 ]

__neigh_notify() can be called without RTNL or RCU protection.

Use RCU protection to avoid potential UAF.

Fixes: 426b5303 ("[NETNS]: Modify the neighbour table code so it handles multiple network namespaces")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: David Ahern <dsahern@kernel.org>
Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Link: https://patch.msgid.link/20250207135841.1948589-4-edumazet@google.com


Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 1cbb2aa90cd3fba15ad7efb5cdda28f3d1082379)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>

parent c6fc8a36

net/core/neighbour.c

+6 −2

Original line number	Diff line number	Diff line
		@@ -3508,10 +3508,12 @@ static const struct seq_operations neigh_stat_seq_ops = {
		static void __neigh_notify(struct neighbour *n, int type, int flags,
		u32 pid)
		{
		struct net *net = dev_net(n->dev);
		struct sk_buff *skb;
		int err = -ENOBUFS;
		struct net *net;

		rcu_read_lock();
		net = dev_net_rcu(n->dev);
		skb = nlmsg_new(neigh_nlmsg_size(), GFP_ATOMIC);
		if (skb == NULL)
		goto errout;
		@@ -3524,9 +3526,11 @@ static void __neigh_notify(struct neighbour *n, int type, int flags,
		goto errout;
		}
		rtnl_notify(skb, net, 0, RTNLGRP_NEIGH, NULL, GFP_ATOMIC);
		return;
		goto out;
		errout:
		rtnl_set_sk_err(net, RTNLGRP_NEIGH, err);
		out:
		rcu_read_unlock();
		}

		void neigh_app_ns(struct neighbour *n)