When IPV6_MROUTE_MULTIPLE_TABLES is enabled, calls to ip6mr_get_table()
must be done under RCU or RTNL lock.

Fixes: d1db275dd3f6 ("ipv6: ip6mr: support multiple tables")
Signed-off-by: Stefan Wiehler <stefan.wiehler@nokia.com>
---
 net/ipv6/ip6mr.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/ipv6/ip6mr.c b/net/ipv6/ip6mr.c
index b54353bee2f8..af921e9731ec 100644
--- a/net/ipv6/ip6mr.c
+++ b/net/ipv6/ip6mr.c
@@ -1845,7 +1845,9 @@ int ip6_mroute_getsockopt(struct sock *sk, int optname, sockptr_t optval,
 	    inet_sk(sk)->inet_num != IPPROTO_ICMPV6)
 		return -EOPNOTSUPP;
 
+	rcu_read_lock();
 	mrt = ip6mr_get_table(net, raw6_sk(sk)->ip6mr_table ? : RT6_TABLE_DFLT);
+	rcu_read_unlock();
 	if (!mrt)
 		return -ENOENT;
 
-- 
2.42.0

On Mon, 14 Oct 2024 17:05:54 +0200 Stefan Wiehler wrote:
> +	rcu_read_lock();
>  	mrt = ip6mr_get_table(net, raw6_sk(sk)->ip6mr_table ? : RT6_TABLE_DFLT);
> +	rcu_read_unlock();
>  	if (!mrt)
>  		return -ENOENT;

presumably you're trying to protect mrt with RCU?
so using mrt after unlocking is not right, you gotta hold the lock
longer
-- 
pw-bot: cr

>> +     rcu_read_lock();
>>       mrt = ip6mr_get_table(net, raw6_sk(sk)->ip6mr_table ? : RT6_TABLE_DFLT);
>> +     rcu_read_unlock();
>>       if (!mrt)
>>               return -ENOENT;
> 
> presumably you're trying to protect mrt with RCU?
> so using mrt after unlocking is not right, you gotta hold the lock
> longer

Thanks, you're right of course, I'll be fixing this everywhere and send a v6
shortly; also with more extensive reasoning for this series in the cover
letter.

Kind regards,

Stefan