Commit f44aabdd authored Mar 11, 2025 by Eric Dumazet Committed by Liu Jian Mar 11, 2025

vrf: use RCU protection in l3mdev_l3_out()

mainline inclusion
from mainline-v6.14-rc3
commit 6d0ce46a93135d96b7fa075a94a88fe0da8e8773
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBPCA6
CVE: CVE-2025-21791

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=6d0ce46a93135d96b7fa075a94a88fe0da8e8773



-------------------------------------------------

l3mdev_l3_out() can be called without RCU being held:

raw_sendmsg()
 ip_push_pending_frames()
  ip_send_skb()
   ip_local_out()
    __ip_local_out()
     l3mdev_ip_out()

Add rcu_read_lock() / rcu_read_unlock() pair to avoid
a potential UAF.

Fixes: a8e3e1a9 ("net: l3mdev: Add hook to output path")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: David Ahern <dsahern@kernel.org>
Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Link: https://patch.msgid.link/20250207135841.1948589-7-edumazet@google.com


Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Liu Jian <liujian56@huawei.com>

parent 09e19251

include/net/l3mdev.h

+2 −0

Original line number	Diff line number	Diff line
		@@ -181,10 +181,12 @@ struct sk_buff l3mdev_l3_out(struct sock sk, struct sk_buff *skb, u16 proto)
		if (netif_is_l3_slave(dev)) {
		struct net_device *master;

		rcu_read_lock();
		master = netdev_master_upper_dev_get_rcu(dev);
		if (master && master->l3mdev_ops->l3mdev_l3_out)
		skb = master->l3mdev_ops->l3mdev_l3_out(master, sk,
		skb, proto);
		rcu_read_unlock();
		}

		return skb;