From nobody Mon Feb 9 15:36:23 2026 Received: from mail-qk1-f225.google.com (mail-qk1-f225.google.com [209.85.222.225]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id F22E361FFE for ; Mon, 12 Jan 2026 06:33:52 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.222.225 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1768199637; cv=none; b=hxrBXKqWhr3PaAKb+vRSnbqxBHaTY2WntyOHJ4W4doMOF/pOSu6YxKJbaLbAZczCNePHW1bQgkGSId25FBPMdGTNTRg2gpHFBzixdSTciFT9izwz5UdOEu+5p6EEODwmowcY4hbVgvM+gXcuO9oTpnWF9I/lmoSIzi2kYAv8olA= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1768199637; c=relaxed/simple; bh=k9ee2EKB4tUDptolbhgjzpwxMShTN6LfTKyBbETaVxU=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=WFRwCa6DfbowvkCAdU4h8opb0TlDyjMzIunpiOEtMUb6DMVzbmX2DloObhEuPnV1japCjWbNXtuKKkDbmgQRjI9CG6Vn5S2c/VW+fWoHwHlzHUcG1+PNGDG3c/XDtfnwC4fIFidkmYlv+r+t8MkpBV7vAbfL6D7sACRDsKubPlg= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=broadcom.com; spf=fail smtp.mailfrom=broadcom.com; dkim=pass (1024-bit key) header.d=broadcom.com header.i=@broadcom.com header.b=K8mF+/mX; arc=none smtp.client-ip=209.85.222.225 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=broadcom.com Authentication-Results: smtp.subspace.kernel.org; spf=fail smtp.mailfrom=broadcom.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=broadcom.com header.i=@broadcom.com header.b="K8mF+/mX" Received: by mail-qk1-f225.google.com with SMTP id af79cd13be357-8c35dfee1caso77888885a.1 for ; Sun, 11 Jan 2026 22:33:52 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1768199631; x=1768804431; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:dkim-signature:x-gm-gg :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=TVi5uHDjVopShqD0MnuBnlMmLMJhBdagK4kolEfksCA=; b=BXGFNJwYV8D+2l91yS7WNthM2SNAim0cWg39gusNOqKzik7lMqXP62md76XuxtAgtj w/Ez5aSKZIDCAzd9DJwXC4Zepz0ul++c3h7NVnWPKpygSYi2DMmDlvQRs5zuuTduE0Vd tKQDZ/hAltPslQxvWVKr8DrwpUk03B43E+9GjHcCw5JgXehxEwW4VvXIuzY+egmbgpAQ K1c3fDP0rf07JjrbtXNOQ6e9STItUrGNxTCeYyt+U1HgFbFSYEwEPEVwc3joNx9Zs26w t88stA8aYZv2BP/D3UbHfEN6v+IXP8vp2v1zfg/A1Swmjpl0FTTzk848NkooOjbqW+vC Sfcg== X-Forwarded-Encrypted: i=1; AJvYcCV5zsVT+LxuNj/2aar4GWABRowYMuTzgY1g1UFvbTdctvvMPFCtjDhkYDIUfdjFJ96V9a40d0RBeJ2iC+c=@vger.kernel.org X-Gm-Message-State: AOJu0YzkiKdwRv/Lvs+rTzwY6y77yVuoOOdtkSSJ+fC5K/emK5F7sQ10 t+9qv2Isjn7fbABe04DKQyal22kJWAp+iZOWXfKeg6a81pylZTmLrdMx+KxIFgIrqsZPwqSD6yC Dz3KB+n+KRMJcqtenfvBvZW8pvGUtB8Plo+ad/sBUJJnCmnBF0tvvhm+ynK2o9HgYCf3GHrz+Ts OOEhLZQSAWoLh6lISbnFnA0i+E3ajxj92682bKGUB5DOeYnO91YA9JTFOHPYORclwwicD6aAig1 3YNPTO3q8kq4ZFY5nDkXnTpTdUJ8AMuI+Ehfeo= X-Gm-Gg: AY/fxX4xLz7Kz81URwvv+uepo5MdqhnOFbDELPTW3Ui7JMYenURQ8c2ZGm6+e9GN21Y L9fLQOm5/rIzcQiIqp5hWCf7DTtcluMMniIcahLQpjMda/froLXo0hQ6fdQTs4OaRZUBn28pc+J yI/FqSWUMjzUiSnP38RZ9Y9V7Whz+UVytWLh0nXlCQAJUG1Dg6FPskHBFOXdEvFlM/91H08DW9D PFUnbEtzqit1Ryz6OYEOTDAPSUh8ro5RoSQYyWTIC6pgls9Ge35bcyli3LHicSL373zmcT84nJO y0aKM44qWoINJwH/2TkX1KUicKg3vST3zUCLnupUuyPyF8QwtaVq80ajgTuhZ4t68Qth+eUPpA0 afmLHZl0J5rtukaA3s3QFZPquSq1NyC+Ccyq7W7O8nJMzUEVN4ejDIyENDDHYhj0BWZuY+K/Go3 EcOGWjDW3Sz6saK3AQ+jGdglngjkVN7bo2lKr3HYZCaO6b8OpEG0wCQDzuFzk= X-Google-Smtp-Source: AGHT+IFCQ1JUUAXI1myf2mgqgpx/Z81Q8ODVm9gSvslP8MyVMLcAASGjtp8gg7Y5N6hHAOOW8MZQQaSc6eUv X-Received: by 2002:ad4:5ecf:0:b0:795:c55c:87de with SMTP id 6a1803df08f44-89084275740mr198347566d6.5.1768199631435; Sun, 11 Jan 2026 22:33:51 -0800 (PST) Received: from smtp-us-east1-p01-i01-si01.dlp.protect.broadcom.com (address-144-49-247-2.dlp.protect.broadcom.com. [144.49.247.2]) by smtp-relay.gmail.com with ESMTPS id 6a1803df08f44-89077154510sm22298976d6.27.2026.01.11.22.33.51 for (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Sun, 11 Jan 2026 22:33:51 -0800 (PST) X-Relaying-Domain: broadcom.com X-CFilter-Loop: Reflected Received: by mail-qk1-f199.google.com with SMTP id af79cd13be357-8b2de66a28eso182186085a.2 for ; Sun, 11 Jan 2026 22:33:51 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=broadcom.com; s=google; t=1768199631; x=1768804431; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=TVi5uHDjVopShqD0MnuBnlMmLMJhBdagK4kolEfksCA=; b=K8mF+/mXV8pxoZipXaqZuHBOfplXhyCVMjmIFaL5JrqI8jfv/vLEndkqfSR0BmIwmb 0x68Y3HenpnW+AkZpHcQ862K2LXXPCX/HqD/+ZM1kAMbZHhPNtGkt3IYcxUS73Zv6PNB nFLFMIqGvK9BagVVhkpA2J/uFuTj2pO7JsJ8s= X-Forwarded-Encrypted: i=1; AJvYcCVayNOublu1blwFuTtfEJqO8vD37lSzyzb0k2GQNnyGOY+dc5hpzI0IDgW0s2wEVnm6WKGEz3Ldoj3vC+E=@vger.kernel.org X-Received: by 2002:a05:620a:298f:b0:8b2:9aba:e86e with SMTP id af79cd13be357-8c38940c9f3mr1774032385a.10.1768199630689; Sun, 11 Jan 2026 22:33:50 -0800 (PST) X-Received: by 2002:a05:620a:298f:b0:8b2:9aba:e86e with SMTP id af79cd13be357-8c38940c9f3mr1774031285a.10.1768199630241; Sun, 11 Jan 2026 22:33:50 -0800 (PST) Received: from keerthanak-ph5-dev.. ([192.19.161.250]) by smtp.gmail.com with ESMTPSA id af79cd13be357-8c37f4a794bsm1472324885a.9.2026.01.11.22.33.47 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 11 Jan 2026 22:33:49 -0800 (PST) From: Keerthana K To: stable@vger.kernel.org, gregkh@linuxfoundation.org Cc: davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, yoshfuji@linux-ipv6.org, dsahern@kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, bpf@vger.kernel.org, borisp@nvidia.com, john.fastabend@gmail.com, sashal@kernel.org, leitao@debian.org, kuniyu@amazon.com, willemb@google.com, jramaseu@redhat.com, aviadye@mellanox.com, ilyal@mellanox.com, ajay.kaher@broadcom.com, alexey.makhalov@broadcom.com, vamsi-krishna.brahmajosyula@broadcom.com, yin.ding@broadcom.com, tapas.kundu@broadcom.com, Sharath Chandra Vurukala , Keerthana K Subject: [PATCH v5.10.y 1/3] net: Add locking to protect skb->dev access in ip_output Date: Mon, 12 Jan 2026 06:30:37 +0000 Message-ID: <20260112063039.2968980-2-keerthana.kalyanasundaram@broadcom.com> X-Mailer: git-send-email 2.43.7 In-Reply-To: <20260112063039.2968980-1-keerthana.kalyanasundaram@broadcom.com> References: <20260112063039.2968980-1-keerthana.kalyanasundaram@broadcom.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-DetectorID-Processed: b00c1d49-9d2e-4205-b15f-d015386d3d5e Content-Type: text/plain; charset="utf-8" From: Sharath Chandra Vurukala [ Upstream commit 1dbf1d590d10a6d1978e8184f8dfe20af22d680a] In ip_output() skb->dev is updated from the skb_dst(skb)->dev this can become invalid when the interface is unregistered and freed, Introduced new skb_dst_dev_rcu() function to be used instead of skb_dst_dev() within rcu_locks in ip_output.This will ensure that all the skb's associated with the dev being deregistered will be transnmitted out first, before freeing the dev. Given that ip_output() is called within an rcu_read_lock() critical section or from a bottom-half context, it is safe to introduce an RCU read-side critical section within it. Multiple panic call stacks were observed when UL traffic was run in concurrency with device deregistration from different functions, pasting one sample for reference. [496733.627565][T13385] Call trace: [496733.627570][T13385] bpf_prog_ce7c9180c3b128ea_cgroupskb_egres+0x24c/0x7= f0 [496733.627581][T13385] __cgroup_bpf_run_filter_skb+0x128/0x498 [496733.627595][T13385] ip_finish_output+0xa4/0xf4 [496733.627605][T13385] ip_output+0x100/0x1a0 [496733.627613][T13385] ip_send_skb+0x68/0x100 [496733.627618][T13385] udp_send_skb+0x1c4/0x384 [496733.627625][T13385] udp_sendmsg+0x7b0/0x898 [496733.627631][T13385] inet_sendmsg+0x5c/0x7c [496733.627639][T13385] __sys_sendto+0x174/0x1e4 [496733.627647][T13385] __arm64_sys_sendto+0x28/0x3c [496733.627653][T13385] invoke_syscall+0x58/0x11c [496733.627662][T13385] el0_svc_common+0x88/0xf4 [496733.627669][T13385] do_el0_svc+0x2c/0xb0 [496733.627676][T13385] el0_svc+0x2c/0xa4 [496733.627683][T13385] el0t_64_sync_handler+0x68/0xb4 [496733.627689][T13385] el0t_64_sync+0x1a4/0x1a8 Changes in v3: - Replaced WARN_ON() with WARN_ON_ONCE(), as suggested by Willem de Bruijn. - Dropped legacy lines mistakenly pulled in from an outdated branch. Changes in v2: - Addressed review comments from Eric Dumazet - Used READ_ONCE() to prevent potential load/store tearing - Added skb_dst_dev_rcu() and used along with rcu_read_lock() in ip_output Signed-off-by: Sharath Chandra Vurukala Reviewed-by: Eric Dumazet Link: https://patch.msgid.link/20250730105118.GA26100@hu-sharathv-hyd.qualc= omm.com Signed-off-by: Jakub Kicinski [ Keerthana: Backported the patch to v5.10.y ] Signed-off-by: Keerthana K --- include/net/dst.h | 12 ++++++++++++ net/ipv4/ip_output.c | 16 +++++++++++----- 2 files changed, 23 insertions(+), 5 deletions(-) diff --git a/include/net/dst.h b/include/net/dst.h index 9114272f8100..b3522d3de8c8 100644 --- a/include/net/dst.h +++ b/include/net/dst.h @@ -547,6 +547,18 @@ static inline void skb_dst_update_pmtu_no_confirm(stru= ct sk_buff *skb, u32 mtu) dst->ops->update_pmtu(dst, NULL, skb, mtu, false); } =20 +static inline struct net_device *dst_dev_rcu(const struct dst_entry *dst) +{ + /* In the future, use rcu_dereference(dst->dev) */ + WARN_ON_ONCE(!rcu_read_lock_held()); + return READ_ONCE(dst->dev); +} + +static inline struct net_device *skb_dst_dev_rcu(const struct sk_buff *skb) +{ + return dst_dev_rcu(skb_dst(skb)); +} + struct dst_entry *dst_blackhole_check(struct dst_entry *dst, u32 cookie); void dst_blackhole_update_pmtu(struct dst_entry *dst, struct sock *sk, struct sk_buff *skb, u32 mtu, bool confirm_neigh); diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c index 1e430e135aa6..3369d5ab1eff 100644 --- a/net/ipv4/ip_output.c +++ b/net/ipv4/ip_output.c @@ -429,17 +429,23 @@ int ip_mc_output(struct net *net, struct sock *sk, st= ruct sk_buff *skb) =20 int ip_output(struct net *net, struct sock *sk, struct sk_buff *skb) { - struct net_device *dev =3D skb_dst(skb)->dev, *indev =3D skb->dev; + struct net_device *dev, *indev =3D skb->dev; + int ret_val; + + rcu_read_lock(); + dev =3D skb_dst_dev_rcu(skb); =20 IP_UPD_PO_STATS(net, IPSTATS_MIB_OUT, skb->len); =20 skb->dev =3D dev; skb->protocol =3D htons(ETH_P_IP); =20 - return NF_HOOK_COND(NFPROTO_IPV4, NF_INET_POST_ROUTING, - net, sk, skb, indev, dev, - ip_finish_output, - !(IPCB(skb)->flags & IPSKB_REROUTED)); + ret_val =3D NF_HOOK_COND(NFPROTO_IPV4, NF_INET_POST_ROUTING, + net, sk, skb, indev, dev, + ip_finish_output, + !(IPCB(skb)->flags & IPSKB_REROUTED)); + rcu_read_unlock(); + return ret_val; } EXPORT_SYMBOL(ip_output); =20 --=20 2.43.7 From nobody Mon Feb 9 15:36:23 2026 Received: from mail-pj1-f97.google.com (mail-pj1-f97.google.com [209.85.216.97]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 3A7F43101B2 for ; Mon, 12 Jan 2026 06:33:57 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.216.97 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1768199642; cv=none; b=FjpcG000qBz2i776QccqtSlqcXzj3Wu9kGSrOwuWRDKTxx1f9H99g+aHkqUri+/d7Wn2w9NkFC7XfK4hzNNTRNRmUWzcBFN7tHyfq9LtgQv5IXl7TiPl2hSi1OMy8xYMNkN8/eKii5ETkQEpXuowtBWSzuij/L58IWwDt2LsAAw= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1768199642; c=relaxed/simple; bh=RWuTHL2vG6VXYYw+aleWdAzTOjFVPPbKCGWiPi4YKYw=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=lCxJBuAF/QdTTJq0YO1uDME4NoVVvToBU1qxI1DmJ2+QXWMObKSyM/LyJe554Ba6C4a5U1JfyHSBBmY3TiDsYmlXr3ZQgqt1Uuq7FJmW/LQeATlhFs4wZAjQqGXzSMYnYgk5Jzef7VYZ6qJ4PEY6P7BJCUSTEtaxD5qzd/7k8i8= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=broadcom.com; spf=fail smtp.mailfrom=broadcom.com; dkim=pass (1024-bit key) header.d=broadcom.com header.i=@broadcom.com header.b=D3CQ3Mxy; arc=none smtp.client-ip=209.85.216.97 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=broadcom.com Authentication-Results: smtp.subspace.kernel.org; spf=fail smtp.mailfrom=broadcom.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=broadcom.com header.i=@broadcom.com header.b="D3CQ3Mxy" Received: by mail-pj1-f97.google.com with SMTP id 98e67ed59e1d1-34b3f61fd0cso443283a91.0 for ; Sun, 11 Jan 2026 22:33:57 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1768199636; x=1768804436; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:dkim-signature:x-gm-gg :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=y6I5h2vtJMAW+jL+bI0U3FZ65rr+yn6OcLWKLyGnstA=; b=jiavpNqT1oU1830kFprCee2l6lmaiZOXk4jssen2boO5z+eI1Ewryzt6Q8Fw8+UBBZ q1lu5fwo+0989wRJj/soArt1y9suLYBU2Clmlamj0ufjq4iI7nwgOLDzGT16cI13kYjC MdrFwjr3Es5UNLdbCa8N203X0LDTY9CQfRQcwncacm/6zBi1L+VdGlh+Y3XJwEra5Zy3 nbJWzs8zLJh7xKkDDWTWbSUWiCLE2UNP26c/mkIo5eTVgpAHDyXrKdYZJcpMQSq/VtBA H+WMa0HXu+pRii0mF9DUORRu4OWf+NuR6ftGS6NT7ce/r+QY4mrb0TCHzvRV8vfeovdx 1XUw== X-Forwarded-Encrypted: i=1; AJvYcCXWMMHpOibpkV2NiJ+wnEjosa04siOdLIqb4pL4lMhAtQoly+/PZCV+9EuVMEPDkCXPFLL7J8rsJWiUtH8=@vger.kernel.org X-Gm-Message-State: AOJu0Yxv5rwQlAtcnBHwHXQ32Ri6WuOtW+jYj0Pht1rUlH8LDMV/YZmP yIgp2J9TAK/bJGmcxLOd0KZig429ml+2hi9Mr590TpQ9zsZKPwNMMDxemHPerNAkcwn4geqg6rE rsBpOjfGBrd1l5LblnAlI9gvVygzLyZ6c0b8o1yfRr+KwYTWHUyG8D0RTWDWhUjEV/7gYc/xgp/ t26pj1WaGzKdgIIEu3XH+dfv9Ph5fsJiYFiG/JSZZP81NAYc93xIqBjNUvUpJDSuPxQ+X0W5mz7 NuLnaKCO9TgSX0Sf9M2jNG8WW6z8Bi3wWDG8N0= X-Gm-Gg: AY/fxX7iW7Snzqbj26fbuGbrxoEopYZjGGxRCJfNwXP4pe0tQZ9GLYT2O7RbZHUNIjD kUNBhvwPk5ktxo0vY9vc0m6t5K+cyf38s0bq0SPDbHbvwgF/CurzRmXWSeng1JsVcD9yO6n8YI8 RvUBaa3HiTlkt9x77f1kLifBA0tjUDXbv5XblVL9/PfXLkbXieZt03FQBLw60O6ZMAAr7b7qpXH DkndsFkp/FPuFS5IomxJbvEnIWByOzDnQFjpmSIK5pI1lwwZdIIbdKwvsF6bKJIA6LrJIYv6iU9 A8z8t3gYVLhHQe3XiQbfR7CWTQs7TGtuGcOyCAs0TkD+HoROKYBqFVAIG8RjgGqyG8S2ds7qPgZ SZZ8qmY2HZU/6q+yuGd0x00Qd2jfQBxmxkmxwYH+VKZhrwaIYxHpeGOcQ0XG+/sl6eN9vuU9Qud 7RyOvUfrH9sQ5WLGG77NJcf0JFgmRNrFtULpTpW8cOQme6A1+71a3opi4dfqI= X-Google-Smtp-Source: AGHT+IEkkZkD9rhmYARRySFzmeV6TaWHiCMqiDFUAP0Zq04Ya9ca1DDYkU9G57SeJaydXftZzBzbcDuzR1lL X-Received: by 2002:a17:90b:5708:b0:332:3ffe:4be5 with SMTP id 98e67ed59e1d1-34f68c3798fmr11051685a91.7.1768199636545; Sun, 11 Jan 2026 22:33:56 -0800 (PST) Received: from smtp-us-east1-p01-i01-si01.dlp.protect.broadcom.com (address-144-49-247-2.dlp.protect.broadcom.com. [144.49.247.2]) by smtp-relay.gmail.com with ESMTPS id d2e1a72fcca58-81ee9bac329sm871238b3a.7.2026.01.11.22.33.56 for (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Sun, 11 Jan 2026 22:33:56 -0800 (PST) X-Relaying-Domain: broadcom.com X-CFilter-Loop: Reflected Received: by mail-qk1-f198.google.com with SMTP id af79cd13be357-8c231297839so228696585a.1 for ; Sun, 11 Jan 2026 22:33:55 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=broadcom.com; s=google; t=1768199635; x=1768804435; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=y6I5h2vtJMAW+jL+bI0U3FZ65rr+yn6OcLWKLyGnstA=; b=D3CQ3Mxye8QpcUZIhbG6wp4M0lYb2Ja3TYS0hWlLWGWeK2VuosaF3kOgrH50w+ZkQh iyVDyjmFecWmrkQmvkG6jLxDoL37g8RN4ABjXZ8dLd62Fi6y5Mzmn/h0TMf3q1bwnidQ FQ0F7LALUuOj2ExAkvj1yowUDV4gzpBbFLWfI= X-Forwarded-Encrypted: i=1; AJvYcCV/WgZIYH28xjWp/vmbh+0n06EHoHNtIKqxSol30+Nc/zPqpdzvhXdATgDGM1Snaq6W1XTfzqcQWXV9Uf4=@vger.kernel.org X-Received: by 2002:a05:620a:2886:b0:878:7b3e:7bbf with SMTP id af79cd13be357-8c38937a047mr1725531885a.3.1768199634874; Sun, 11 Jan 2026 22:33:54 -0800 (PST) X-Received: by 2002:a05:620a:2886:b0:878:7b3e:7bbf with SMTP id af79cd13be357-8c38937a047mr1725529485a.3.1768199634468; Sun, 11 Jan 2026 22:33:54 -0800 (PST) Received: from keerthanak-ph5-dev.. ([192.19.161.250]) by smtp.gmail.com with ESMTPSA id af79cd13be357-8c37f4a794bsm1472324885a.9.2026.01.11.22.33.51 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 11 Jan 2026 22:33:53 -0800 (PST) From: Keerthana K To: stable@vger.kernel.org, gregkh@linuxfoundation.org Cc: davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, yoshfuji@linux-ipv6.org, dsahern@kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, bpf@vger.kernel.org, borisp@nvidia.com, john.fastabend@gmail.com, sashal@kernel.org, leitao@debian.org, kuniyu@amazon.com, willemb@google.com, jramaseu@redhat.com, aviadye@mellanox.com, ilyal@mellanox.com, ajay.kaher@broadcom.com, alexey.makhalov@broadcom.com, vamsi-krishna.brahmajosyula@broadcom.com, yin.ding@broadcom.com, tapas.kundu@broadcom.com, Tariq Toukan , Keerthana K Subject: [PATCH v5.10.y 2/3] net: netdevice: Add operation ndo_sk_get_lower_dev Date: Mon, 12 Jan 2026 06:30:38 +0000 Message-ID: <20260112063039.2968980-3-keerthana.kalyanasundaram@broadcom.com> X-Mailer: git-send-email 2.43.7 In-Reply-To: <20260112063039.2968980-1-keerthana.kalyanasundaram@broadcom.com> References: <20260112063039.2968980-1-keerthana.kalyanasundaram@broadcom.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-DetectorID-Processed: b00c1d49-9d2e-4205-b15f-d015386d3d5e Content-Type: text/plain; charset="utf-8" From: Tariq Toukan [ Upstream commit 719a402cf60311b1cdff3f6320abaecdcc5e46b7] ndo_sk_get_lower_dev returns the lower netdev that corresponds to a given socket. Additionally, we implement a helper netdev_sk_get_lowest_dev() to get the lowest one in chain. Signed-off-by: Tariq Toukan Reviewed-by: Boris Pismenny Signed-off-by: Jakub Kicinski [ Keerthana: Backported the patch to v5.10.y ] Signed-off-by: Keerthana K --- include/linux/netdevice.h | 4 ++++ net/core/dev.c | 33 +++++++++++++++++++++++++++++++++ 2 files changed, 37 insertions(+) diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h index d3a3e77a18df..c9f2a88a6c83 100644 --- a/include/linux/netdevice.h +++ b/include/linux/netdevice.h @@ -1435,6 +1435,8 @@ struct net_device_ops { struct net_device* (*ndo_get_xmit_slave)(struct net_device *dev, struct sk_buff *skb, bool all_slaves); + struct net_device* (*ndo_sk_get_lower_dev)(struct net_device *dev, + struct sock *sk); netdev_features_t (*ndo_fix_features)(struct net_device *dev, netdev_features_t features); int (*ndo_set_features)(struct net_device *dev, @@ -2914,6 +2916,8 @@ int init_dummy_netdev(struct net_device *dev); struct net_device *netdev_get_xmit_slave(struct net_device *dev, struct sk_buff *skb, bool all_slaves); +struct net_device *netdev_sk_get_lowest_dev(struct net_device *dev, + struct sock *sk); struct net_device *dev_get_by_index(struct net *net, int ifindex); struct net_device *__dev_get_by_index(struct net *net, int ifindex); struct net_device *dev_get_by_index_rcu(struct net *net, int ifindex); diff --git a/net/core/dev.c b/net/core/dev.c index c0dc524548ee..ad2be47b48a9 100644 --- a/net/core/dev.c +++ b/net/core/dev.c @@ -8169,6 +8169,39 @@ struct net_device *netdev_get_xmit_slave(struct net_= device *dev, } EXPORT_SYMBOL(netdev_get_xmit_slave); =20 +static struct net_device *netdev_sk_get_lower_dev(struct net_device *dev, + struct sock *sk) +{ + const struct net_device_ops *ops =3D dev->netdev_ops; + + if (!ops->ndo_sk_get_lower_dev) + return NULL; + return ops->ndo_sk_get_lower_dev(dev, sk); +} + +/** + * netdev_sk_get_lowest_dev - Get the lowest device in chain given device = and socket + * @dev: device + * @sk: the socket + * + * %NULL is returned if no lower device is found. + */ + +struct net_device *netdev_sk_get_lowest_dev(struct net_device *dev, + struct sock *sk) +{ + struct net_device *lower; + + lower =3D netdev_sk_get_lower_dev(dev, sk); + while (lower) { + dev =3D lower; + lower =3D netdev_sk_get_lower_dev(dev, sk); + } + + return dev; +} +EXPORT_SYMBOL(netdev_sk_get_lowest_dev); + static void netdev_adjacent_add_links(struct net_device *dev) { struct netdev_adjacent *iter; --=20 2.43.7 From nobody Mon Feb 9 15:36:23 2026 Received: from mail-pj1-f99.google.com (mail-pj1-f99.google.com [209.85.216.99]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 9DF9630E0D4 for ; Mon, 12 Jan 2026 06:34:01 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.216.99 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1768199648; cv=none; b=BNqeBB3vd654ngny5/Ztmb0z8AnhqlxaQC0oL9XrP/HPYs97nJuY5rDtX1DD4/Tw16qxd6ErJ/HW6qG2o9pbLra/ZO2+S9icQPPuX0zsn5L/QOqxlexMfLSa3oIG5vyhpeGDBxDr/O09AO4lL2mmkS+X17QQzwg6sjR8ZFM2b0o= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1768199648; c=relaxed/simple; bh=QgXU/7yNwhrctzlcitKYbDUmDIC7I+TCoOtStmFwLvY=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=lNCaBGsoz/Kbhz4I7klIXBsoY4wXPBOL0rpTWwLwRlW0bQND1Dsm09nddATFCD/uEBa1O9jBb2+EeyMMqMPm0p3ESy0uEOFG14fkFEE1vnoEEXcw3/E8vr/4U8Gr0SabudB2YVeVBawg7V0P1V1qH5RNyHj4i2oVnLsq3iWyRmM= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=broadcom.com; spf=fail smtp.mailfrom=broadcom.com; dkim=pass (1024-bit key) header.d=broadcom.com header.i=@broadcom.com header.b=ThAgV2pu; arc=none smtp.client-ip=209.85.216.99 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=broadcom.com Authentication-Results: smtp.subspace.kernel.org; spf=fail smtp.mailfrom=broadcom.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=broadcom.com header.i=@broadcom.com header.b="ThAgV2pu" Received: by mail-pj1-f99.google.com with SMTP id 98e67ed59e1d1-34ab8682357so603998a91.2 for ; Sun, 11 Jan 2026 22:34:01 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1768199641; x=1768804441; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:dkim-signature:x-gm-gg :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=fj8sUP59dWob41aCsZ9BHl56sg70okF+kqjbtKr6YBw=; b=le5plKeeoQM3xzLMDfws0curfNONkggqj0cWN/uZslWVIr1H5lfmvNsSs7z41VIhoC 5AbCJXil+GjbfbVDgui0DAG3WnygJ67DM5NwiHQHG4gke44fiYY46Em6+ZbkxbNAoZJN H6FfhzKDA6rcYCC315kQIRk206R1D7X4QdqH1GRUyew/e9HI9JffOzyKxyTRq/Tpv0tE o6zidlheg58Pq+zFvP6Ms64vPLmJ30VOeJdsc8D0+Dn4EJGnVg7af97WqGlrKmkJFi7k 4q0hCtB5xrhK2A65VdyOEaek7+PF9eUNFRFkWVNu/mGBfqFw+grcBXL7r7DpSJ3On9HB InXQ== X-Forwarded-Encrypted: i=1; AJvYcCVGqYDMsmga7NhtSQJaTiosnltG+XA4MR4c/zZn3zJ53MKtJ7RmIMXA9GtGyQ8OkA/pR+18XV9b7Dy6W5Y=@vger.kernel.org X-Gm-Message-State: AOJu0YwkXS6nrXyzMbAYs5b46t8ZDuCuC+zkb3GI4Q2oMYQdtmqTnOj9 XDka0yFwUAfqxapvIHokFYL8LAqLsHC/5PfSkNVNBeNKGYAR4vfPbkH/Ta6fwt3V9/SjvyVE+ox gvYgp19VHmFVzMIGqyzMkBoFQWqfAkPa6KiJu+hOt8sA0FZArc0Vn/wiNoGk3uKV9hjjoXjKi7r rDj7PFI1KphwnKzG7FjgyiYW6POhMThuhm4vWWX/lCD5XG/XOlorsolPjC36UD0WL3y6D0Z0FFy GrL9nfCRmnpfp0rmwpCUhcAUBYmz8Z1qbQfEoI= X-Gm-Gg: AY/fxX7znjFWjVugPsBSBqpO6YZ5Q3+e305yNbAbJWKKv6yGTen/IikfTnQfo33TxKf xhNMQ2a9L69F6+0LrpqcWQUhECVzs7PxyVKA7swU6tfeGyP5Lf1YNKU+k5YMPOnBAw1eLfwIClD z5V03M9rZvlwrM9OA2Ml9szA3xZA5bpeqO2LfySVsIzUd3rrczjzecTzmClSMZ4oD/f/blabaxU FWW3MXAO5IrObhohtyN8LhmNg/fXn9w1KKzDzXqfz+Tgow019b11FhbajqARoPekjE/591ZM1dE xC07JA6zTFZqnWjkRF7axSu/3yZKQiwuj6R7wl8nT0APzh26blna25x4ZvLN0GJ279yRh0FVymk z1l6cjUaJJ8fI1RiBOGgSSGJvUt64IXCQYSKeIY3m6Gef8M1MXA2Pb5O7kuSAbdtNaKuST6jeix RpA/YiKKQC8bUcaFDPA65nNrDEw+5JrpAYnW+U7kyMNW5XzKFag+nIyNDbP1k= X-Google-Smtp-Source: AGHT+IHy9IySVWDzx9n3dDnc5x/e0DCfuzlnVzYY7sG3SSO97+dS1cpuptB+3rAFDrfv2Do8rBHl93wqNLVJ X-Received: by 2002:a17:90b:57c4:b0:340:bca2:cf82 with SMTP id 98e67ed59e1d1-34f68ca85f3mr10332680a91.4.1768199640995; Sun, 11 Jan 2026 22:34:00 -0800 (PST) Received: from smtp-us-east1-p01-i01-si01.dlp.protect.broadcom.com (address-144-49-247-2.dlp.protect.broadcom.com. [144.49.247.2]) by smtp-relay.gmail.com with ESMTPS id 98e67ed59e1d1-34f5fad00b8sm2344350a91.2.2026.01.11.22.34.00 for (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Sun, 11 Jan 2026 22:34:00 -0800 (PST) X-Relaying-Domain: broadcom.com X-CFilter-Loop: Reflected Received: by mail-qk1-f199.google.com with SMTP id af79cd13be357-8b10c2ea0b5so208460185a.0 for ; Sun, 11 Jan 2026 22:34:00 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=broadcom.com; s=google; t=1768199640; x=1768804440; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=fj8sUP59dWob41aCsZ9BHl56sg70okF+kqjbtKr6YBw=; b=ThAgV2pubm4Q7pp3q9FJDD2nM3KMDZhJFl7CqmIgihg7TH+444o1HybUOpKBLqZD3+ nL4uRVC4EoCVe1XcLuoRra1iGqciBAevz393+GAUWs9RYsK9Ssik64JOSGZmwHv1o8nU VeV83qVSIoBKyUDZfMlbbWO+AF0+L9W9fKRuE= X-Forwarded-Encrypted: i=1; AJvYcCXiF4d14j/mj4WxMeHgxjXsc6oZ8RrXu3jOY1bLTwr56x4QbzjRCfa16dgOnlQkZ4Z5onYG9HLdQb/8UsU=@vger.kernel.org X-Received: by 2002:ad4:5c48:0:b0:880:52f6:775e with SMTP id 6a1803df08f44-89084275c91mr188503696d6.6.1768199639725; Sun, 11 Jan 2026 22:33:59 -0800 (PST) X-Received: by 2002:ad4:5c48:0:b0:880:52f6:775e with SMTP id 6a1803df08f44-89084275c91mr188503536d6.6.1768199639235; Sun, 11 Jan 2026 22:33:59 -0800 (PST) Received: from keerthanak-ph5-dev.. ([192.19.161.250]) by smtp.gmail.com with ESMTPSA id af79cd13be357-8c37f4a794bsm1472324885a.9.2026.01.11.22.33.56 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 11 Jan 2026 22:33:58 -0800 (PST) From: Keerthana K To: stable@vger.kernel.org, gregkh@linuxfoundation.org Cc: davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, yoshfuji@linux-ipv6.org, dsahern@kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, bpf@vger.kernel.org, borisp@nvidia.com, john.fastabend@gmail.com, sashal@kernel.org, leitao@debian.org, kuniyu@amazon.com, willemb@google.com, jramaseu@redhat.com, aviadye@mellanox.com, ilyal@mellanox.com, ajay.kaher@broadcom.com, alexey.makhalov@broadcom.com, vamsi-krishna.brahmajosyula@broadcom.com, yin.ding@broadcom.com, tapas.kundu@broadcom.com, Kuniyuki Iwashima , Sabrina Dubroca , Keerthana K Subject: [PATCH v5.10.y 3/3] tls: Use __sk_dst_get() and dst_dev_rcu() in get_netdev_for_sock(). Date: Mon, 12 Jan 2026 06:30:39 +0000 Message-ID: <20260112063039.2968980-4-keerthana.kalyanasundaram@broadcom.com> X-Mailer: git-send-email 2.43.7 In-Reply-To: <20260112063039.2968980-1-keerthana.kalyanasundaram@broadcom.com> References: <20260112063039.2968980-1-keerthana.kalyanasundaram@broadcom.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-DetectorID-Processed: b00c1d49-9d2e-4205-b15f-d015386d3d5e Content-Type: text/plain; charset="utf-8" From: Kuniyuki Iwashima [ Upstream commit c65f27b9c3be2269918e1cbad6d8884741f835c5 ] get_netdev_for_sock() is called during setsockopt(), so not under RCU. Using sk_dst_get(sk)->dev could trigger UAF. Let's use __sk_dst_get() and dst_dev_rcu(). Note that the only ->ndo_sk_get_lower_dev() user is bond_sk_get_lower_dev(), which uses RCU. Fixes: e8f69799810c ("net/tls: Add generic NIC offload infrastructure") Signed-off-by: Kuniyuki Iwashima Reviewed-by: Eric Dumazet Reviewed-by: Sabrina Dubroca Link: https://patch.msgid.link/20250916214758.650211-6-kuniyu@google.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin [ Keerthana: Backported the patch to v5.10.y ] Signed-off-by: Keerthana K --- net/tls/tls_device.c | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/net/tls/tls_device.c b/net/tls/tls_device.c index 8e89ff403073..8cf4e1651b0c 100644 --- a/net/tls/tls_device.c +++ b/net/tls/tls_device.c @@ -113,17 +113,19 @@ static void tls_device_queue_ctx_destruction(struct t= ls_context *ctx) /* We assume that the socket is already connected */ static struct net_device *get_netdev_for_sock(struct sock *sk) { - struct dst_entry *dst =3D sk_dst_get(sk); - struct net_device *netdev =3D NULL; + struct net_device *dev, *lowest_dev =3D NULL; + struct dst_entry *dst; =20 - if (likely(dst)) { - netdev =3D dst->dev; - dev_hold(netdev); + rcu_read_lock(); + dst =3D __sk_dst_get(sk); + dev =3D dst ? dst_dev_rcu(dst) : NULL; + if (likely(dev)) { + lowest_dev =3D netdev_sk_get_lowest_dev(dev, sk); + dev_hold(lowest_dev); } + rcu_read_unlock(); =20 - dst_release(dst); - - return netdev; + return lowest_dev; } =20 static void destroy_record(struct tls_record_info *record) --=20 2.43.7