From nobody Mon Feb 9 10:38:32 2026 Received: from mail-qt1-f227.google.com (mail-qt1-f227.google.com [209.85.160.227]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 549133126A0 for ; Mon, 12 Jan 2026 06:38:56 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.160.227 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1768199941; cv=none; b=T62jDy6P1E5hTW/V8RmbmT5cGyUsUF/M1rQSikvITK7l8I3UcbqUq2ipa3NzeiBlACnxar9NSZp31pydRn0OrAJHmwf5mL3m1/gph3crT4P2vZXPRUbLeDu5V92unJNOf1MUaIs84AskGO0NICWZb+QUngqlIIAaojphLYSiBfw= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1768199941; c=relaxed/simple; bh=7s21PiKqoDI2UWcnusRjQAy1HY+xab4PIu+TPyMO0+E=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=hlu0Qecc6G1Bz6ZUt7tWFDBEiKpu1KGLYdFD3rITpMVgwgQt+OZxzLG5g/rVaxgsbo8RpcgEnRHW2/rvhYVZUSw2e0hYZ0y5DA8VcbNgiBfTv+h1YuLJrjliCmvjwOCCtp4ear8TnaAnoQx/lOv1n2WtokwfA8W01Zsc0sQSjdk= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=broadcom.com; spf=fail smtp.mailfrom=broadcom.com; dkim=pass (1024-bit key) header.d=broadcom.com header.i=@broadcom.com header.b=e56/LkqZ; arc=none smtp.client-ip=209.85.160.227 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=broadcom.com Authentication-Results: smtp.subspace.kernel.org; spf=fail smtp.mailfrom=broadcom.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=broadcom.com header.i=@broadcom.com header.b="e56/LkqZ" Received: by mail-qt1-f227.google.com with SMTP id d75a77b69052e-4ffb463e252so2045241cf.2 for ; Sun, 11 Jan 2026 22:38:56 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1768199935; x=1768804735; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:dkim-signature:x-gm-gg :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=N7MKZiatBshCjLhK/wnOMzSh/LSYhDXgYWq/2BVz61M=; b=q1lMtQNRUpazPhDUbc2g8tZvTSdzXUiMmjqC395440YBmZoiRHiaeF1VoO993v3wiN rdtl+kRg7QJaHl1+49ohsVSo0+bYCTL/lSTpWsqV4x1CUBvMtvm2oB/vMTM7cAPBdu5T zE9omkG+D8zjlxfJK1UAY7F/px8WIQUorJ8tNNiwNe9oPb6BCE2PwqmHNHTIL1rv3jzr /d9vWdqQlIZd9w5be/EKD6Ylfb6JvaxZlrjc6CSr7x8aq1mybX/sN9Mabf1BGk8n/cD6 XYjPf1zuYu66TQXBKsf8S8Dh+fIwEJTYAn14qN4YRzP0hs1Ufi4w85PueSOobB0eJuUx v/Lg== X-Forwarded-Encrypted: i=1; AJvYcCXvRuIUD7NMCymNdbAJku3YBX9L7YuZX65DND9ziX9Ngz5THnYryt87KV6fP46a85IU0lp0OvY6NdgbId4=@vger.kernel.org X-Gm-Message-State: AOJu0YwWRyHiwX6xoQMpxzzn0qmitB3/hwvT2CznxK8C3qXtjXDnWKWd YSwbaZN30MI7I2ZP1mkKw/mM/hUEo48H19muT/6ub2Ri5HbEO9odtNm12i1DXr+A+c6DuwOGAdf uHxYwEjkxX6ThaN+4K6P+jYDy9fQWgt/+5Gvk2dAUhqCyXgiVJe9asrIIR9D6KfNx3ik46ZpKiw NEpDhAKyUxRMQi1HDALXJQ7BbFIjja/S57UTNpWKwuQm7YWT8aRxk8NxVF2UtlKLNEUSL3287Kn X6+ZwbQIuo/3nSYyz8kZcFuwuHkwK4oM/mf6Tw= X-Gm-Gg: AY/fxX7P8bAJpTBg/uzE5DHLj9O7fu9j4D4v98hvfwbPBDJzMu72XDngaEa/1FR3ZX8 h9bWK/g2hmMwpPueoLOAGnqQ8iqbnmY10OQPOfwKWrbf/dsLm/mLEXPy7h4JlljIDGlMnM2KESN IxXFAxfGMvT+Kevvj165rHJIg9cLuCI/9avd5OuKor5Pc06lEm2QASe19zsHvppy4dKybrXTB5Y Cu8wWwmQeYGTu4Jh0PnD0z8LydJQrb9EmuHn3bKaobphUtFMqfARw8ZJlRiX46caXNIJXcCMnJz TO0BkxPS6e4RaYgxCKzrhHiB0SStB2ZJ3LYAX8D4dzoUFEoaR+Oa7IaARYcjiRatkLKcC4tcAlh NorSfX1qJFd+eEKOYMNoAuHaQNZWU0NM6sdlg+Ppe2YHIgw1jQxe0/+SL7v4zFz/f6XuSeSAVEq xXpaJZmYaBhmopGtHgIQrabAw/Rjg3C3IEueC3XkyH4NtHkxbhnkFPmKj1OVs= X-Google-Smtp-Source: AGHT+IF8InuIbQiNtC2Y0jI/hlMy8cpN8Gl6z2S+ar/HGttdirPU3a5Ih8Kr4T5Qu39ihTasmFGQxtJbRYew X-Received: by 2002:a05:622a:211:b0:4ee:2580:9bc5 with SMTP id d75a77b69052e-4ffb47cfe1amr193990411cf.2.1768199935342; Sun, 11 Jan 2026 22:38:55 -0800 (PST) Received: from smtp-us-east1-p01-i01-si01.dlp.protect.broadcom.com (address-144-49-247-2.dlp.protect.broadcom.com. [144.49.247.2]) by smtp-relay.gmail.com with ESMTPS id 6a1803df08f44-890770946f9sm21971556d6.5.2026.01.11.22.38.55 for (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Sun, 11 Jan 2026 22:38:55 -0800 (PST) X-Relaying-Domain: broadcom.com X-CFilter-Loop: Reflected Received: by mail-qk1-f200.google.com with SMTP id af79cd13be357-8c1625bbc20so144375185a.2 for ; Sun, 11 Jan 2026 22:38:55 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=broadcom.com; s=google; t=1768199934; x=1768804734; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=N7MKZiatBshCjLhK/wnOMzSh/LSYhDXgYWq/2BVz61M=; b=e56/LkqZF4GWYhNHsXsPgJWL8h2qbQcCjs9PfEIKX8owrMpfS+I0RLCztZU3/rnALU oi4J2a8j/nAWgp9WwG1JFSdNvsgJnZMtQzq3Sv4a7MFdWwVRiC/cFmi5shcvZpfsoymD S5emzRvKLMd80+3VZvTjD7X5HuH5NlpoFS+w4= X-Forwarded-Encrypted: i=1; AJvYcCUernzga1ruNH2Cm24y6jyCfIeVmdhGG1KE1wGsp91VfSc/Z9CZprYrT1g+MJQNYRUVVk2BkeDJeuEjWn8=@vger.kernel.org X-Received: by 2002:a05:620a:298c:b0:8a1:a5c5:ef18 with SMTP id af79cd13be357-8c389416d63mr1635579585a.7.1768199934535; Sun, 11 Jan 2026 22:38:54 -0800 (PST) X-Received: by 2002:a05:620a:298c:b0:8a1:a5c5:ef18 with SMTP id af79cd13be357-8c389416d63mr1635577985a.7.1768199934054; Sun, 11 Jan 2026 22:38:54 -0800 (PST) Received: from keerthanak-ph5-dev.. ([192.19.161.250]) by smtp.gmail.com with ESMTPSA id 6a1803df08f44-890770e2833sm126594216d6.18.2026.01.11.22.38.51 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 11 Jan 2026 22:38:53 -0800 (PST) From: Keerthana K To: stable@vger.kernel.org, gregkh@linuxfoundation.org Cc: davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, yoshfuji@linux-ipv6.org, dsahern@kernel.org, borisp@nvidia.com, john.fastabend@gmail.com, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, bpf@vger.kernel.org, ajay.kaher@broadcom.com, alexey.makhalov@broadcom.com, vamsi-krishna.brahmajosyula@broadcom.com, yin.ding@broadcom.com, tapas.kundu@broadcom.com, Sharath Chandra Vurukala , Keerthana K Subject: [PATCH v5.15-v6.1 1/2] net: Add locking to protect skb->dev access in ip_output Date: Mon, 12 Jan 2026 06:35:45 +0000 Message-ID: <20260112063546.2969089-2-keerthana.kalyanasundaram@broadcom.com> X-Mailer: git-send-email 2.43.7 In-Reply-To: <20260112063546.2969089-1-keerthana.kalyanasundaram@broadcom.com> References: <20260112063546.2969089-1-keerthana.kalyanasundaram@broadcom.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-DetectorID-Processed: b00c1d49-9d2e-4205-b15f-d015386d3d5e Content-Type: text/plain; charset="utf-8" From: Sharath Chandra Vurukala [ Upstream commit 1dbf1d590d10a6d1978e8184f8dfe20af22d680a] In ip_output() skb->dev is updated from the skb_dst(skb)->dev this can become invalid when the interface is unregistered and freed, Introduced new skb_dst_dev_rcu() function to be used instead of skb_dst_dev() within rcu_locks in ip_output.This will ensure that all the skb's associated with the dev being deregistered will be transnmitted out first, before freeing the dev. Given that ip_output() is called within an rcu_read_lock() critical section or from a bottom-half context, it is safe to introduce an RCU read-side critical section within it. Multiple panic call stacks were observed when UL traffic was run in concurrency with device deregistration from different functions, pasting one sample for reference. [496733.627565][T13385] Call trace: [496733.627570][T13385] bpf_prog_ce7c9180c3b128ea_cgroupskb_egres+0x24c/0x7= f0 [496733.627581][T13385] __cgroup_bpf_run_filter_skb+0x128/0x498 [496733.627595][T13385] ip_finish_output+0xa4/0xf4 [496733.627605][T13385] ip_output+0x100/0x1a0 [496733.627613][T13385] ip_send_skb+0x68/0x100 [496733.627618][T13385] udp_send_skb+0x1c4/0x384 [496733.627625][T13385] udp_sendmsg+0x7b0/0x898 [496733.627631][T13385] inet_sendmsg+0x5c/0x7c [496733.627639][T13385] __sys_sendto+0x174/0x1e4 [496733.627647][T13385] __arm64_sys_sendto+0x28/0x3c [496733.627653][T13385] invoke_syscall+0x58/0x11c [496733.627662][T13385] el0_svc_common+0x88/0xf4 [496733.627669][T13385] do_el0_svc+0x2c/0xb0 [496733.627676][T13385] el0_svc+0x2c/0xa4 [496733.627683][T13385] el0t_64_sync_handler+0x68/0xb4 [496733.627689][T13385] el0t_64_sync+0x1a4/0x1a8 Changes in v3: - Replaced WARN_ON() with WARN_ON_ONCE(), as suggested by Willem de Bruijn. - Dropped legacy lines mistakenly pulled in from an outdated branch. Changes in v2: - Addressed review comments from Eric Dumazet - Used READ_ONCE() to prevent potential load/store tearing - Added skb_dst_dev_rcu() and used along with rcu_read_lock() in ip_output Signed-off-by: Sharath Chandra Vurukala Reviewed-by: Eric Dumazet Link: https://patch.msgid.link/20250730105118.GA26100@hu-sharathv-hyd.qualc= omm.com Signed-off-by: Jakub Kicinski [ Keerthana: Backported the patch to v5.15-v6.1 ] Signed-off-by: Keerthana K --- include/net/dst.h | 12 ++++++++++++ net/ipv4/ip_output.c | 16 +++++++++++----- 2 files changed, 23 insertions(+), 5 deletions(-) diff --git a/include/net/dst.h b/include/net/dst.h index 3a1a6f94a..20a76e532 100644 --- a/include/net/dst.h +++ b/include/net/dst.h @@ -555,6 +555,18 @@ static inline void skb_dst_update_pmtu_no_confirm(stru= ct sk_buff *skb, u32 mtu) dst->ops->update_pmtu(dst, NULL, skb, mtu, false); } =20 +static inline struct net_device *dst_dev_rcu(const struct dst_entry *dst) +{ + /* In the future, use rcu_dereference(dst->dev) */ + WARN_ON_ONCE(!rcu_read_lock_held()); + return READ_ONCE(dst->dev); +} + +static inline struct net_device *skb_dst_dev_rcu(const struct sk_buff *skb) +{ + return dst_dev_rcu(skb_dst(skb)); +} + struct dst_entry *dst_blackhole_check(struct dst_entry *dst, u32 cookie); void dst_blackhole_update_pmtu(struct dst_entry *dst, struct sock *sk, struct sk_buff *skb, u32 mtu, bool confirm_neigh); diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c index 543d02910..79cf1385e 100644 --- a/net/ipv4/ip_output.c +++ b/net/ipv4/ip_output.c @@ -420,17 +420,23 @@ int ip_mc_output(struct net *net, struct sock *sk, st= ruct sk_buff *skb) =20 int ip_output(struct net *net, struct sock *sk, struct sk_buff *skb) { - struct net_device *dev =3D skb_dst(skb)->dev, *indev =3D skb->dev; + struct net_device *dev, *indev =3D skb->dev; + int ret_val; + + rcu_read_lock(); + dev =3D skb_dst_dev_rcu(skb); =20 IP_UPD_PO_STATS(net, IPSTATS_MIB_OUT, skb->len); =20 skb->dev =3D dev; skb->protocol =3D htons(ETH_P_IP); =20 - return NF_HOOK_COND(NFPROTO_IPV4, NF_INET_POST_ROUTING, - net, sk, skb, indev, dev, - ip_finish_output, - !(IPCB(skb)->flags & IPSKB_REROUTED)); + ret_val =3D NF_HOOK_COND(NFPROTO_IPV4, NF_INET_POST_ROUTING, + net, sk, skb, indev, dev, + ip_finish_output, + !(IPCB(skb)->flags & IPSKB_REROUTED)); + rcu_read_unlock(); + return ret_val; } EXPORT_SYMBOL(ip_output); =20 --=20 2.43.7 From nobody Mon Feb 9 10:38:32 2026 Received: from mail-yw1-f226.google.com (mail-yw1-f226.google.com [209.85.128.226]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 4BFA4311C01 for ; Mon, 12 Jan 2026 06:39:00 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.226 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1768199941; cv=none; b=CmcXQELYeL98uo3o+yqcigvPq047gqjN7dBt630q56PCeGAWuOsLSVbaq0NEtdIscRYfoBayNtNogaAQWoraQr/PhxVeyL31LVJLg+J+W+sPXuAVc7ggx1EDN/4k4n5nMRph3WBxOuiIIpLkZnJoY0/w/xUHMX8QgJCSa8dW9mE= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1768199941; c=relaxed/simple; bh=XjmEkDhy70C9BPaUIKs8e1nglyFuMhkb7Yn1iqBTdVE=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=EJHKH+n6hleASNPLERdiAd1K/nsNsG/1lc3FgnfwZO9/hWyydqvQskEoK2Jd4b/z+GMVmgS4t8oXuz1btg8A+Sm99QITbKIPmudw9mJ67kjwiAAvzFdlsSENVQVPkdD5tG8vxZq6ogvygLGlqNT5lCoUxuc3CZzpT9aZnRNePAE= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=broadcom.com; spf=fail smtp.mailfrom=broadcom.com; dkim=pass (1024-bit key) header.d=broadcom.com header.i=@broadcom.com header.b=T6ThGJ9F; arc=none smtp.client-ip=209.85.128.226 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=broadcom.com Authentication-Results: smtp.subspace.kernel.org; spf=fail smtp.mailfrom=broadcom.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=broadcom.com header.i=@broadcom.com header.b="T6ThGJ9F" Received: by mail-yw1-f226.google.com with SMTP id 00721157ae682-790633e6491so3698317b3.2 for ; Sun, 11 Jan 2026 22:39:00 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1768199939; x=1768804739; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:dkim-signature:x-gm-gg :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=o/toLEsajSo6fO5hRJUdPGrIZ19DquBDTOLbcgJFlJU=; b=qa/rDRDckAflv1pQN8b3X4pj9dEFvKa1ZpZTKX2o2XsMh//HbnbQ0F+wtb5T6OAor1 3hG9YAt764HOiK1sYEV+w08/dnan62drW8FRxNpvNuRAWf2r06kSNv7+PbF3kBWKxFor CYoSs52T5BPbXWGsHLFkZlGzs0fYK6TE2meFN1fUYD9De2dLWyIjrFwIi/urxlTzhifx QEtwO1sQh3RObncACI4+j2mmce2oJOsCL+CDXfrga17dsEcYaXmB0MiKbOairTlAShrW fOA3nGydBV/7Nl3drS1AG9Qh+LzTtEcjMBQk0feXIqlybIc4WcEOvBTwnTI/0uvGIZFs BNqQ== X-Forwarded-Encrypted: i=1; AJvYcCUzhmEcBGRE180zd/hS8GoYy3SQPXa4HFBY79j4qmv3e3Skz5qAbo4AbEEv9MNcFmudYWcmQ0Qd6Mkmmrc=@vger.kernel.org X-Gm-Message-State: AOJu0YxBRdSF3839UOKSrOa+aclkpJvCHxd58IetrrqR4vq4wYqFyq9B kfWo0gDnqU+ySXI9cLitWNoDiZvbmSleljWPbZlFCjgjM6L38zR7/HGlyFZmA3U+DV+Ui+Uw8P1 FRZbN3Re9NJhbDTKYh4pptzlHavyFPFhDng26i48IMoxYLmzdxFcOvrh9ZQuRTfe1nhR35JBZKU BU8foNYoIJf72oAcEjWZHHEPSYk/xjzkUsuh5/vKzW9W6zcPuN801Id6r7UWaLaoVgoUDc4Z+Kp G7Rv6P7F4NvvPiDNqCs62viHMJjwShYQPPrdNA= X-Gm-Gg: AY/fxX5goeTeKLeXzVUYBI4k7o5NtWLFi6FS8giJcIxpH0PAjUbGVgMuyRZe+dTGpoO nOZSJpcBwrYMtJNsnP31mjuItXuvEAywHqsnFfDjLyHY6b6v9mMakd1rTGb/E3WYNlJFZ5z+3Gj nOHUJhlqnWBFZ097fYQ7pLQSbZw/yqqczA9lSsAXcpGKEEfFzZI5mmKnA/sE41NwtxrK13skm7l ANkYQYaNNGzsZQW36HLwSO6qmTbziGjWljr0muyNGAQ8GI1PDQAKjtpQtDPRpIwndK+yEEUiyT1 ikxnSDJoHjLeK+XTvBAs3xeDGBSlYSFG+RoP5H9v/XNjZ4wObKWppkwrKmpkvVUswm2AlIzBmXX 7RIW3AquwDtEq6gw++BDWbWZJXtjHmxxWpsU4O+hq/4dRUfh5BFj+RpJIBmFTB/dahJShlo9zQ0 d9XWoRTmbIfzTYgIvIFQSrzzlpl4ZyEztOkSLcL3uEtlEWiYOxvuKCOGWUcHHl+6Gh X-Google-Smtp-Source: AGHT+IF3C21x257t146ZILOOy3OIYZb0lHnKJB9KX7tbn6f8IikEhQWQ4tMJmMxntuqJuxxrCfronQaa8Ekl X-Received: by 2002:a05:690c:a4cc:10b0:78d:6aae:9cf0 with SMTP id 00721157ae682-790b570180bmr102970977b3.9.1768199939196; Sun, 11 Jan 2026 22:38:59 -0800 (PST) Received: from smtp-us-east1-p01-i01-si01.dlp.protect.broadcom.com (address-144-49-247-118.dlp.protect.broadcom.com. [144.49.247.118]) by smtp-relay.gmail.com with ESMTPS id 00721157ae682-790aa6b2b23sm12821737b3.16.2026.01.11.22.38.58 for (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Sun, 11 Jan 2026 22:38:59 -0800 (PST) X-Relaying-Domain: broadcom.com X-CFilter-Loop: Reflected Received: by mail-qt1-f200.google.com with SMTP id d75a77b69052e-4ed83a05863so21199851cf.2 for ; Sun, 11 Jan 2026 22:38:58 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=broadcom.com; s=google; t=1768199938; x=1768804738; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=o/toLEsajSo6fO5hRJUdPGrIZ19DquBDTOLbcgJFlJU=; b=T6ThGJ9FNIC6rMU07ILVmsrUuHVwUkSiQ2lPUMoR+OPEv1PV94ggUYzce+ft5+IO+o Krwe3l543dqa6cfVGaLTs/DI4NsFjmrGdverjfdZa94qmiQA1gfXIj4fCpHZhMD8kMJM H9CzfCEuj9pY6D3IRtrdJwYK/Ged64JSoL1yY= X-Forwarded-Encrypted: i=1; AJvYcCXkHLpfbxdJ65Q2PinOoYgc+nQOEF/lp1hiRXTK3ckiH/VmZ2kVjg2ue8m9ibXdmdfwD77owvri2gidQ6I=@vger.kernel.org X-Received: by 2002:a05:622a:408:b0:4f1:d267:dd2b with SMTP id d75a77b69052e-4ffb47d22b1mr178117461cf.1.1768199938525; Sun, 11 Jan 2026 22:38:58 -0800 (PST) X-Received: by 2002:a05:622a:408:b0:4f1:d267:dd2b with SMTP id d75a77b69052e-4ffb47d22b1mr178117401cf.1.1768199938113; Sun, 11 Jan 2026 22:38:58 -0800 (PST) Received: from keerthanak-ph5-dev.. ([192.19.161.250]) by smtp.gmail.com with ESMTPSA id 6a1803df08f44-890770e2833sm126594216d6.18.2026.01.11.22.38.55 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 11 Jan 2026 22:38:57 -0800 (PST) From: Keerthana K To: stable@vger.kernel.org, gregkh@linuxfoundation.org Cc: davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, yoshfuji@linux-ipv6.org, dsahern@kernel.org, borisp@nvidia.com, john.fastabend@gmail.com, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, bpf@vger.kernel.org, ajay.kaher@broadcom.com, alexey.makhalov@broadcom.com, vamsi-krishna.brahmajosyula@broadcom.com, yin.ding@broadcom.com, tapas.kundu@broadcom.com, Kuniyuki Iwashima , Sabrina Dubroca , Sasha Levin , Keerthana K Subject: [PATCH v5.15-v6.1 2/2] tls: Use __sk_dst_get() and dst_dev_rcu() in get_netdev_for_sock(). Date: Mon, 12 Jan 2026 06:35:46 +0000 Message-ID: <20260112063546.2969089-3-keerthana.kalyanasundaram@broadcom.com> X-Mailer: git-send-email 2.43.7 In-Reply-To: <20260112063546.2969089-1-keerthana.kalyanasundaram@broadcom.com> References: <20260112063546.2969089-1-keerthana.kalyanasundaram@broadcom.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-DetectorID-Processed: b00c1d49-9d2e-4205-b15f-d015386d3d5e Content-Type: text/plain; charset="utf-8" From: Kuniyuki Iwashima [ Upstream commit c65f27b9c3be2269918e1cbad6d8884741f835c5 ] get_netdev_for_sock() is called during setsockopt(), so not under RCU. Using sk_dst_get(sk)->dev could trigger UAF. Let's use __sk_dst_get() and dst_dev_rcu(). Note that the only ->ndo_sk_get_lower_dev() user is bond_sk_get_lower_dev(), which uses RCU. Fixes: e8f69799810c ("net/tls: Add generic NIC offload infrastructure") Signed-off-by: Kuniyuki Iwashima Reviewed-by: Eric Dumazet Reviewed-by: Sabrina Dubroca Link: https://patch.msgid.link/20250916214758.650211-6-kuniyu@google.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin [ Keerthana: Backport to v5.15-v6.1 ] Signed-off-by: Keerthana K --- net/tls/tls_device.c | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) diff --git a/net/tls/tls_device.c b/net/tls/tls_device.c index c51377a15..e79bce6db 100644 --- a/net/tls/tls_device.c +++ b/net/tls/tls_device.c @@ -125,17 +125,19 @@ static void tls_device_queue_ctx_destruction(struct t= ls_context *ctx) /* We assume that the socket is already connected */ static struct net_device *get_netdev_for_sock(struct sock *sk) { - struct dst_entry *dst =3D sk_dst_get(sk); - struct net_device *netdev =3D NULL; + struct net_device *dev, *lowest_dev =3D NULL; + struct dst_entry *dst; =20 - if (likely(dst)) { - netdev =3D netdev_sk_get_lowest_dev(dst->dev, sk); - dev_hold(netdev); + rcu_read_lock(); + dst =3D __sk_dst_get(sk); + dev =3D dst ? dst_dev_rcu(dst) : NULL; + if (likely(dev)) { + lowest_dev =3D netdev_sk_get_lowest_dev(dev, sk); + dev_hold(lowest_dev); } + rcu_read_unlock(); =20 - dst_release(dst); - - return netdev; + return lowest_dev; } =20 static void destroy_record(struct tls_record_info *record) --=20 2.43.7