From nobody Mon Feb 9 13:04:07 2026 Received: from mail-oa1-f99.google.com (mail-oa1-f99.google.com [209.85.160.99]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id C19E4319859 for ; Mon, 12 Jan 2026 06:49:03 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.160.99 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1768200547; cv=none; b=cujylIezJzNQWiipVfTJ8TAvupB8d04KEomzNg9aJpACf11YuSOd9BHXOT1dps2V3CM/f/961temb0fDdUOOSFp06jd8jCsO31sTCfaYUp5gG5hlsbpbT9XD7b8UiOi/y1HX7aCjIaXLrP89M7tAdS6Sca7MnC7KdI7FktgHVeo= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1768200547; c=relaxed/simple; bh=jYBzilHy4uOLFSnJiriQsA7w6X3PlTJkV/wPDhkmaOQ=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=TrND90a7zW4t4iqekOJG1HPQWsuzqNQiwQF5SmUNxU8klNze/3gton8UR6ZXzjyGqIKyQDrlSbvJmVunEJ0aESTIMhFl4mUEv3madlA3xztEwjCNBfdZEaWAk5DkRTBGDBk9qkj+q3AJgILKOBnMhcr2Gw5YiQg4FohI1ShB6bg= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=broadcom.com; spf=fail smtp.mailfrom=broadcom.com; dkim=pass (1024-bit key) header.d=broadcom.com header.i=@broadcom.com header.b=PT+5uNcx; arc=none smtp.client-ip=209.85.160.99 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=broadcom.com Authentication-Results: smtp.subspace.kernel.org; spf=fail smtp.mailfrom=broadcom.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=broadcom.com header.i=@broadcom.com header.b="PT+5uNcx" Received: by mail-oa1-f99.google.com with SMTP id 586e51a60fabf-3f9f8b33c30so92629fac.1 for ; Sun, 11 Jan 2026 22:49:03 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1768200542; x=1768805342; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:dkim-signature:x-gm-gg :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=hCVdv4m2I2tGw1NCiXtF6yNB9U/7aaThOP/Q2QRKRAI=; b=EyPID+hb1gf3w973Pod+Lo4fyTrai6+m5kQHLdXcldkcI7TiCMX2JpvGijuqdGWt9G Ij1n7p+7WIyh0wuJtx212Mr5ZdRscUDWTBip06hUG3KxxKwf5VINmLgJpaEw9rVH/ppS IoReTjyRhgCv1b9faRtNaPHx+uuMLDblNzNSptN2ATgO4e65dJTtYJmlVyA1iVJB0HF3 sSLxQAsTgz+IcxVySeExDeZ6yNqr1JAPUrsR/oofE0g1dnG6iQewlmsbzjQQpOwcPjj+ j4iUMMRqmMGWFULdfuanvMBtEzOWGJj9jZkimPxPAZRC8zkji45FyYDvU+r2oJ8t9OW2 KNWg== X-Forwarded-Encrypted: i=1; AJvYcCUoo92sVXmMUlsajNw+nscg/kWFEIf0FSuQUHiSRvbndgE2ppkruf9R2Ykgm0xlqIOO23yWGSElEFjTPlY=@vger.kernel.org X-Gm-Message-State: AOJu0YzEHJZRLTnJIXjHzdifybHpMSMvg00E9FjnIg9wAde9dXk855hD Gn84fcUfXJUjj0XmXznW7FBW1FkNX3kKHtmGARQ7xxVtGciO7xJG6YFMxj6+HmhyDONxQ1W901+ L0muOn4MHKeRggZYoQkw2NsTBRF8NqpWNDDsJ0HmPdM1HJbVoqjiO2OlQhEqk5okJWD63/l5ylN 0s6t/6m/ltQeBWckrQYGN3FsYXbAnQwqWepbEdmhDplRrzTwKJQMaRnHonYaZmQR8nFYNbxW/Wb Da2qEDxqAT6pYoDn860Bj3iYNmqJW3jvTJhcLc= X-Gm-Gg: AY/fxX4RS8V72LKPHaec+1c8hZRy63Ybzettl9eXzhobqHoSIEiYfZtwgmp4lU+670j LDBd/BWH7D9W8DKv1Ree71dwIyfhLyBnlkGdDkjsbRTT1I4x67g9k+c6WOrHctiJP4hPKADp0ox HKmZ8Ss9wp2Ok2lV7QGaazNNTL320OlWz+Aoj+l3Qv5TTECAAstdRopVZbZIMFt7qjI1lnF57as Dv+7jd2ILAquzFeeVbDzkSJDCbyeVLCnqdTnEAgOxnsfNeV+4ip2EnfwEbzIFFOdrt2yxGm++06 gOsRNmSWB/TNwjf0jnE/+icv551LPGdab7bUmr929oi86hCqpD3NEvz1qsuEt91S5ColvzUottF fzJwTracO/vAc3T+EhkiKlXlgowd/vPz7Rafpx26f0qpKCaHYK/M3wWz+Cb+K7PqSfYyImOc9Eg IcdpNawq60AAOnEK7qdFFvO93yOTvkEdoZxeErKBNW/6tz8RJ7dEa+qUy8b+A= X-Google-Smtp-Source: AGHT+IEh/KDb15Vkh2Lr1ErTRYTQgkpSbFX9IUr/iXIDr5kGx1tCDdbLBHeYbfsn1CKD+2eUgDxFWpu3+wvk X-Received: by 2002:a05:6871:451a:b0:3e7:e982:f02e with SMTP id 586e51a60fabf-3ffc0ae5bacmr7494223fac.4.1768200542435; Sun, 11 Jan 2026 22:49:02 -0800 (PST) Received: from smtp-us-east1-p01-i01-si01.dlp.protect.broadcom.com (address-144-49-247-2.dlp.protect.broadcom.com. [144.49.247.2]) by smtp-relay.gmail.com with ESMTPS id 586e51a60fabf-3ffa4e3ee85sm2048217fac.6.2026.01.11.22.49.00 for (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Sun, 11 Jan 2026 22:49:02 -0800 (PST) X-Relaying-Domain: broadcom.com X-CFilter-Loop: Reflected Received: by mail-qv1-f70.google.com with SMTP id 6a1803df08f44-88fce043335so25125966d6.2 for ; Sun, 11 Jan 2026 22:49:00 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=broadcom.com; s=google; t=1768200540; x=1768805340; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=hCVdv4m2I2tGw1NCiXtF6yNB9U/7aaThOP/Q2QRKRAI=; b=PT+5uNcxngRgtkPosqafT0zam8FN1ZFd5eArmbJHBwTIxBNNZ290z8cJcQ0dRla4xI YHUUJyjWXJ+EaOcqk0zE5p4eXOSZH6jzRc3z2R5Q6FF3twiQiNfTJdxqNVoUSuzv/QGv oKd5rlj0qUMC076DfuuC76cqcPUU64BP/DlDc= X-Forwarded-Encrypted: i=1; AJvYcCViFfP/D807jxwNk9+c48/FomleC5Huxu6BbG9qRgN+EpZyu5RDtz9auzL4pPyx0mYjl4nNLs173GUQbR4=@vger.kernel.org X-Received: by 2002:ad4:5f0c:0:b0:880:6fa4:f55c with SMTP id 6a1803df08f44-890842a447bmr200994276d6.6.1768200540085; Sun, 11 Jan 2026 22:49:00 -0800 (PST) X-Received: by 2002:ad4:5f0c:0:b0:880:6fa4:f55c with SMTP id 6a1803df08f44-890842a447bmr200994186d6.6.1768200539673; Sun, 11 Jan 2026 22:48:59 -0800 (PST) Received: from keerthanak-ph5-dev.. ([192.19.161.250]) by smtp.gmail.com with ESMTPSA id 6a1803df08f44-890770e472csm131125426d6.23.2026.01.11.22.48.57 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 11 Jan 2026 22:48:59 -0800 (PST) From: Keerthana K To: stable@vger.kernel.org, gregkh@linuxfoundation.org Cc: davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, dsahern@kernel.org, borisp@nvidia.com, john.fastabend@gmail.com, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, bpf@vger.kernel.org, ajay.kaher@broadcom.com, alexey.makhalov@broadcom.com, vamsi-krishna.brahmajosyula@broadcom.com, yin.ding@broadcom.com, tapas.kundu@broadcom.com, Sharath Chandra Vurukala , Sasha Levin , Keerthana K Subject: [PATCH Internal v6.6.y 1/2] net: Add locking to protect skb->dev access in ip_output Date: Mon, 12 Jan 2026 06:45:53 +0000 Message-ID: <20260112064554.2969656-2-keerthana.kalyanasundaram@broadcom.com> X-Mailer: git-send-email 2.43.7 In-Reply-To: <20260112064554.2969656-1-keerthana.kalyanasundaram@broadcom.com> References: <20260112064554.2969656-1-keerthana.kalyanasundaram@broadcom.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-DetectorID-Processed: b00c1d49-9d2e-4205-b15f-d015386d3d5e Content-Type: text/plain; charset="utf-8" From: Sharath Chandra Vurukala [ Upstream commit 1dbf1d590d10a6d1978e8184f8dfe20af22d680a] In ip_output() skb->dev is updated from the skb_dst(skb)->dev this can become invalid when the interface is unregistered and freed, Introduced new skb_dst_dev_rcu() function to be used instead of skb_dst_dev() within rcu_locks in ip_output.This will ensure that all the skb's associated with the dev being deregistered will be transnmitted out first, before freeing the dev. Given that ip_output() is called within an rcu_read_lock() critical section or from a bottom-half context, it is safe to introduce an RCU read-side critical section within it. Multiple panic call stacks were observed when UL traffic was run in concurrency with device deregistration from different functions, pasting one sample for reference. [496733.627565][T13385] Call trace: [496733.627570][T13385] bpf_prog_ce7c9180c3b128ea_cgroupskb_egres+0x24c/0x7= f0 [496733.627581][T13385] __cgroup_bpf_run_filter_skb+0x128/0x498 [496733.627595][T13385] ip_finish_output+0xa4/0xf4 [496733.627605][T13385] ip_output+0x100/0x1a0 [496733.627613][T13385] ip_send_skb+0x68/0x100 [496733.627618][T13385] udp_send_skb+0x1c4/0x384 [496733.627625][T13385] udp_sendmsg+0x7b0/0x898 [496733.627631][T13385] inet_sendmsg+0x5c/0x7c [496733.627639][T13385] __sys_sendto+0x174/0x1e4 [496733.627647][T13385] __arm64_sys_sendto+0x28/0x3c [496733.627653][T13385] invoke_syscall+0x58/0x11c [496733.627662][T13385] el0_svc_common+0x88/0xf4 [496733.627669][T13385] do_el0_svc+0x2c/0xb0 [496733.627676][T13385] el0_svc+0x2c/0xa4 [496733.627683][T13385] el0t_64_sync_handler+0x68/0xb4 [496733.627689][T13385] el0t_64_sync+0x1a4/0x1a8 Changes in v3: - Replaced WARN_ON() with WARN_ON_ONCE(), as suggested by Willem de Bruijn. - Dropped legacy lines mistakenly pulled in from an outdated branch. Changes in v2: - Addressed review comments from Eric Dumazet - Used READ_ONCE() to prevent potential load/store tearing - Added skb_dst_dev_rcu() and used along with rcu_read_lock() in ip_output Signed-off-by: Sharath Chandra Vurukala Reviewed-by: Eric Dumazet Link: https://patch.msgid.link/20250730105118.GA26100@hu-sharathv-hyd.qualc= omm.com Signed-off-by: Jakub Kicinski Stable-dep-of: 833d4313bc1e ("mptcp: reset blackhole on success with non-lo= opback ifaces") Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman [ Keerthana: Backported the patch to v6.6.y ] Signed-off-by: Keerthana K --- include/net/dst.h | 12 ++++++++++++ net/ipv4/ip_output.c | 17 ++++++++++++----- 2 files changed, 24 insertions(+), 5 deletions(-) diff --git a/include/net/dst.h b/include/net/dst.h index 60fb5d2fa..55d1be268 100644 --- a/include/net/dst.h +++ b/include/net/dst.h @@ -569,6 +569,18 @@ static inline void skb_dst_update_pmtu_no_confirm(stru= ct sk_buff *skb, u32 mtu) dst->ops->update_pmtu(dst, NULL, skb, mtu, false); } =20 +static inline struct net_device *dst_dev_rcu(const struct dst_entry *dst) +{ + /* In the future, use rcu_dereference(dst->dev) */ + WARN_ON_ONCE(!rcu_read_lock_held()); + return READ_ONCE(dst->dev); +} + +static inline struct net_device *skb_dst_dev_rcu(const struct sk_buff *skb) +{ + return dst_dev_rcu(skb_dst(skb)); +} + struct dst_entry *dst_blackhole_check(struct dst_entry *dst, u32 cookie); void dst_blackhole_update_pmtu(struct dst_entry *dst, struct sock *sk, struct sk_buff *skb, u32 mtu, bool confirm_neigh); diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c index b8cfe6afc..802d4f2ca 100644 --- a/net/ipv4/ip_output.c +++ b/net/ipv4/ip_output.c @@ -425,15 +425,20 @@ int ip_mc_output(struct net *net, struct sock *sk, st= ruct sk_buff *skb) =20 int ip_output(struct net *net, struct sock *sk, struct sk_buff *skb) { - struct net_device *dev =3D skb_dst(skb)->dev, *indev =3D skb->dev; + struct net_device *dev, *indev =3D skb->dev; + int ret_val; =20 + rcu_read_lock(); + dev =3D skb_dst_dev_rcu(skb); skb->dev =3D dev; skb->protocol =3D htons(ETH_P_IP); =20 - return NF_HOOK_COND(NFPROTO_IPV4, NF_INET_POST_ROUTING, - net, sk, skb, indev, dev, - ip_finish_output, - !(IPCB(skb)->flags & IPSKB_REROUTED)); + ret_val =3D NF_HOOK_COND(NFPROTO_IPV4, NF_INET_POST_ROUTING, + net, sk, skb, indev, dev, + ip_finish_output, + !(IPCB(skb)->flags & IPSKB_REROUTED)); + rcu_read_unlock(); + return ret_val; } EXPORT_SYMBOL(ip_output); =20 --=20 2.43.7 From nobody Mon Feb 9 13:04:07 2026 Received: from mail-pg1-f225.google.com (mail-pg1-f225.google.com [209.85.215.225]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id D624531691C for ; Mon, 12 Jan 2026 06:49:06 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.215.225 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1768200548; cv=none; b=V0EQC8Whx4UXvctifw0a6QUWzUjjuhzbUCgJ3SZL/klLNTD0PIdPB1UZBaKQEa4hGZffC1C2uxIL8ycEvmUXsOSmDUpHiD11uxJABeslWOeoSpGq2BIOQWht+XWc3Rra8dSEHd9RHi6dTF+KjZa+hPU0vGnv4ZcJ1IJ9XqfkTkM= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1768200548; c=relaxed/simple; bh=/NupvgywEukBz4QryS1IcnmPfJQHRj4TZPz9BZQSMgM=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=day0fsLmbh2iSlNao9QarpGMESMz3VhS/Ul2W6WqIRXR6HLkDBkJVNWwsYUVCvLa+edaBcVDB0mByFgUB2nV7Kq8c9NIdR84/L/eMiKGUmgjYU2P0XKRYkPkLxOkLUWHaK0VhHwWpoEXVuj8HtBaV8jhWE2iQru4fnVjS2FydDA= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=broadcom.com; spf=fail smtp.mailfrom=broadcom.com; dkim=pass (1024-bit key) header.d=broadcom.com header.i=@broadcom.com header.b=HULDzgV0; arc=none smtp.client-ip=209.85.215.225 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=broadcom.com Authentication-Results: smtp.subspace.kernel.org; spf=fail smtp.mailfrom=broadcom.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=broadcom.com header.i=@broadcom.com header.b="HULDzgV0" Received: by mail-pg1-f225.google.com with SMTP id 41be03b00d2f7-c1b5b65f832so119050a12.3 for ; Sun, 11 Jan 2026 22:49:06 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1768200544; x=1768805344; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:dkim-signature:x-gm-gg :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=jPMqt7OubTukSzfJGmFa7NplH3SyhzWtPIziyN+vzQc=; b=hcPY8HKCJcZtja4D/gssumyc5ZESvitrEJltUmlVheJb17uD0gOdUPz/ZkUBN8+6g3 JtC0n64UAh9nRgG/dSknjpxPOauhuZfjJHv8KPZV7aos8dzjZaWnqpSRMIQGU4FbJjVq MH1w6AWDL5sKSVGiC/RBpYAX7vcgYQWP5Tbns8jXl1KK1/luaOd/lqViuLXLUtBaRf/4 /7cTqxCdZXzqCxmZZskJ07Q1dz5+ux94dMHS4qZUI0EJmzojVyJtSp6bbiiSWNSoknDW 7i5RmTLUQ7un7rHXigUgyAxhElMrg4SajgRfxnKX5NHl89+dRHwTcaOVi5Y9NwyjkeTX 7yxQ== X-Forwarded-Encrypted: i=1; AJvYcCUlz6DKOrJd8iNWCRvdLiEnEFu4JjD8Yyyk1PWfpT14xzBCDnNxYImyBbk+TCVaBtElY9TznKVbR4FpNQY=@vger.kernel.org X-Gm-Message-State: AOJu0YykAAHZqKjlV4EaeuFSMa2NaK318D4QRhdb0V7BfJ99gd0kH8RE 322H+UNjjMkVjN0yWMIeqP4VgCFGRcmbZdCso8ME4pK7/AvlzsUN6eCnTHAjOv7zGCvtm4VQw6t jAjvn2HufkG8+490Vwf+z/SH/lq3P3p1uNQ/qFq7jxmp0nso1grjuA/PEkGghcdkO7m2G5QnpN7 z0PHWNquV2xyI9HajfjKLkCzgQk/V73qylxmsxZAs/UcigM3QwBt8/FUkWw3EmskkcviB0oK9Nf OQ4qz5Iqpdz3QFatKA3662xa7SWXSx/ph7XpVI= X-Gm-Gg: AY/fxX4DOrwaHIUpDMbxlypdsYVR9MgXIyugKVwHWz1FzGr7/8WY6pPRXAf5ixdJCQU BQh9B+MOxgqgw6jRAteAGJ/lGWHImDeabTI/mQ8XP2XO8eRD9iQUag5euFTv5khzrR5l7RzsDAg gPdEIWwA18qcM2SImRIXspSGsMtuZK00Jsk5QEzkBajTbnwRkvqkR+Lw+9IrI8lQdVGtA3qbvMm CC812jOpWCQmmgS8WIeooADOcfa2VmqAShcmn3fWDP6lNt895aQcdTt4nSNl+HPomN8h6EtTfAt OCnDnHBa2KnB2BkDX5Ae1QaFfiWIq6sxDPXCxvw2LJVC89tGslYvkGAroqofFmBGAYYJsbCgwyK kmlJFaLIS1AbsNOdzyL3Z45ZkXqac/HpGgJC0j3IWFgC1tEX11mSw7VVHm3t38UK/JtkA3I3+S6 4nLE940+hiHobQuLrbfIyFBhTdDAH3vHcEy/AG+wLQLpOfAzmZWsHJO0a54j8= X-Google-Smtp-Source: AGHT+IHyp3XZsMgXVPtkh/JwofZU9aEnXPAGhKKRWZ8yzwTianx/aaAAYxY6RtFXb5eTNRVQQQtKkw7rmwQc X-Received: by 2002:a05:6a00:2294:b0:81e:baa3:1fd6 with SMTP id d2e1a72fcca58-81ebaa3233dmr4911661b3a.4.1768200544058; Sun, 11 Jan 2026 22:49:04 -0800 (PST) Received: from smtp-us-east1-p01-i01-si01.dlp.protect.broadcom.com (address-144-49-247-2.dlp.protect.broadcom.com. [144.49.247.2]) by smtp-relay.gmail.com with ESMTPS id d2e1a72fcca58-81f3cac3bdesm787118b3a.6.2026.01.11.22.49.03 for (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Sun, 11 Jan 2026 22:49:04 -0800 (PST) X-Relaying-Domain: broadcom.com X-CFilter-Loop: Reflected Received: by mail-qv1-f70.google.com with SMTP id 6a1803df08f44-88fd7ddba3fso24055696d6.1 for ; Sun, 11 Jan 2026 22:49:03 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=broadcom.com; s=google; t=1768200543; x=1768805343; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=jPMqt7OubTukSzfJGmFa7NplH3SyhzWtPIziyN+vzQc=; b=HULDzgV0xNjjSDM0vQDvUI6wFElpZDOEMzhjLyc0Zk2D0LMSxBEPRLi4ELVQC2Zckj +t0+mYjt0a+14Ys/HHcXrEkZecSP7mRKLNoLAbvQ34qFg1tmnQlWVTfUaw17GkjwMuvP tY4Ic7ug4kHP2ApvIjskPOrgGh9/eHxqAw+/M= X-Forwarded-Encrypted: i=1; AJvYcCWQT2l/aZBrGZQvpUvE2sfdcrBXEmUVJK2pn7gq31VpiD3Glk7B/aJhyoIBLJjgGMz0yk6UB3LsfJHir9c=@vger.kernel.org X-Received: by 2002:a05:6214:2481:b0:70d:e7e1:840f with SMTP id 6a1803df08f44-890842cb736mr185047226d6.3.1768200542666; Sun, 11 Jan 2026 22:49:02 -0800 (PST) X-Received: by 2002:a05:6214:2481:b0:70d:e7e1:840f with SMTP id 6a1803df08f44-890842cb736mr185047146d6.3.1768200542333; Sun, 11 Jan 2026 22:49:02 -0800 (PST) Received: from keerthanak-ph5-dev.. ([192.19.161.250]) by smtp.gmail.com with ESMTPSA id 6a1803df08f44-890770e472csm131125426d6.23.2026.01.11.22.48.59 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 11 Jan 2026 22:49:01 -0800 (PST) From: Keerthana K To: stable@vger.kernel.org, gregkh@linuxfoundation.org Cc: davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, dsahern@kernel.org, borisp@nvidia.com, john.fastabend@gmail.com, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, bpf@vger.kernel.org, ajay.kaher@broadcom.com, alexey.makhalov@broadcom.com, vamsi-krishna.brahmajosyula@broadcom.com, yin.ding@broadcom.com, tapas.kundu@broadcom.com, Kuniyuki Iwashima , Sabrina Dubroca , Sasha Levin , Keerthana K Subject: [PATCH v6.6.y 2/2] tls: Use __sk_dst_get() and dst_dev_rcu() in get_netdev_for_sock(). Date: Mon, 12 Jan 2026 06:45:54 +0000 Message-ID: <20260112064554.2969656-3-keerthana.kalyanasundaram@broadcom.com> X-Mailer: git-send-email 2.43.7 In-Reply-To: <20260112064554.2969656-1-keerthana.kalyanasundaram@broadcom.com> References: <20260112064554.2969656-1-keerthana.kalyanasundaram@broadcom.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-DetectorID-Processed: b00c1d49-9d2e-4205-b15f-d015386d3d5e Content-Type: text/plain; charset="utf-8" From: Kuniyuki Iwashima [ Upstream commit c65f27b9c3be2269918e1cbad6d8884741f835c5 ] get_netdev_for_sock() is called during setsockopt(), so not under RCU. Using sk_dst_get(sk)->dev could trigger UAF. Let's use __sk_dst_get() and dst_dev_rcu(). Note that the only ->ndo_sk_get_lower_dev() user is bond_sk_get_lower_dev(), which uses RCU. Fixes: e8f69799810c ("net/tls: Add generic NIC offload infrastructure") Signed-off-by: Kuniyuki Iwashima Reviewed-by: Eric Dumazet Reviewed-by: Sabrina Dubroca Link: https://patch.msgid.link/20250916214758.650211-6-kuniyu@google.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin [ Keerthana: Backport to v6.6.y ] Signed-off-by: Keerthana K --- net/tls/tls_device.c | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) diff --git a/net/tls/tls_device.c b/net/tls/tls_device.c index 4f72fd26a..55b46df65 100644 --- a/net/tls/tls_device.c +++ b/net/tls/tls_device.c @@ -125,17 +125,19 @@ static void tls_device_queue_ctx_destruction(struct t= ls_context *ctx) /* We assume that the socket is already connected */ static struct net_device *get_netdev_for_sock(struct sock *sk) { - struct dst_entry *dst =3D sk_dst_get(sk); - struct net_device *netdev =3D NULL; + struct net_device *dev, *lowest_dev =3D NULL; + struct dst_entry *dst; =20 - if (likely(dst)) { - netdev =3D netdev_sk_get_lowest_dev(dst->dev, sk); - dev_hold(netdev); + rcu_read_lock(); + dst =3D __sk_dst_get(sk); + dev =3D dst ? dst_dev_rcu(dst) : NULL; + if (likely(dev)) { + lowest_dev =3D netdev_sk_get_lowest_dev(dev, sk); + dev_hold(lowest_dev); } + rcu_read_unlock(); =20 - dst_release(dst); - - return netdev; + return lowest_dev; } =20 static void destroy_record(struct tls_record_info *record) --=20 2.43.7