Commit fd9edcbc authored Feb 07, 2025 by Eric Dumazet Committed by Wentao Guan Mar 31, 2025

arp: use RCU protection in arp_xmit()

stable inclusion
from stable-v6.6.79
commit e9f4dee534eb1b225b0a120395ad9bc2afe164d3
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/IBXANC

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=e9f4dee534eb1b225b0a120395ad9bc2afe164d3



--------------------------------

[ Upstream commit a42b69f692165ec39db42d595f4f65a4c8f42e44 ]

arp_xmit() can be called without RTNL or RCU protection.

Use RCU protection to avoid potential UAF.

Fixes: 29a26a56 ("netfilter: Pass struct net into the netfilter hooks")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: David Ahern <dsahern@kernel.org>
Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Link: https://patch.msgid.link/20250207135841.1948589-5-edumazet@google.com


Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit e9f4dee534eb1b225b0a120395ad9bc2afe164d3)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>

parent bbaf8772

net/ipv4/arp.c

+3 −1

Original line number	Diff line number	Diff line
		@@ -658,10 +658,12 @@ static int arp_xmit_finish(struct net net, struct sock sk, struct sk_buff *skb
		*/
		void arp_xmit(struct sk_buff *skb)
		{
		rcu_read_lock();
		/* Send it off, maybe filter it using firewalling first. */
		NF_HOOK(NFPROTO_ARP, NF_ARP_OUT,
		dev_net(skb->dev), NULL, skb, NULL, skb->dev,
		dev_net_rcu(skb->dev), NULL, skb, NULL, skb->dev,
		arp_xmit_finish);
		rcu_read_unlock();
		}
		EXPORT_SYMBOL(arp_xmit);