From nobody Mon Feb 9 14:37:00 2026 Received: from mail-pj1-f98.google.com (mail-pj1-f98.google.com [209.85.216.98]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 34789313E33 for ; Mon, 12 Jan 2026 06:52:50 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.216.98 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1768200771; cv=none; b=WMeLofQ4x8uyIai9pU9oUMRGonWiSltkx9+26GTAbcs9FCxJYq9NSocoXZBWuC7zhqtRtb4YW7vMmhL760ozPTRKPJJkMA/kMP1u7qulKjn7lFdkIVeOI+5EhstKyzkwaiXIWonTdO9qXTvHgE4CLxnmw0U+X2frGxkNG1P0lpE= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1768200771; c=relaxed/simple; bh=pvMCEzJj4SGW1oTw7LLKdutJEZeqLk/uCFRUpyapQq8=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=oSZ8ck3BPENaeMK68b42l88tL82PU4Pjy1x3XextQURbxdgjzF1yMZ1SzRxrCjpB0gcKtVF60dYGqOIRzmaJyOnx4hwVffasm/UivTHsIlK8zhvTbF17HUrWvBIjhm64NgfAJWoZq5GlH9FAgSz/p/PO7E8j0/EETnvcEmVOPBg= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=broadcom.com; spf=fail smtp.mailfrom=broadcom.com; dkim=pass (1024-bit key) header.d=broadcom.com header.i=@broadcom.com header.b=PTEjG4FG; arc=none smtp.client-ip=209.85.216.98 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=broadcom.com Authentication-Results: smtp.subspace.kernel.org; spf=fail smtp.mailfrom=broadcom.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=broadcom.com header.i=@broadcom.com header.b="PTEjG4FG" Received: by mail-pj1-f98.google.com with SMTP id 98e67ed59e1d1-34c37a107b3so192548a91.3 for ; Sun, 11 Jan 2026 22:52:50 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1768200769; x=1768805569; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:dkim-signature:x-gm-gg:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=FLfXk/1BlceWtah76vfkztbqcGBEs/TIQ6b4f9GZ4FY=; b=b95y9IjSmcioAgvMv6b6Fe7rU87NtmQPzjqHyPajle4DFqN1KBpcCxHdcf3Vb//ZxA 6oTS0l7LV/lgSkkJVo30eHKj5JT3DcWZGAY9e33Rf+Q1YkS/wN/3pG5Qlyf7j0ecULgI RzmoXmSdwcWeDlyypETjIxtSwOKtaQsR/k2t8CIQiOZ4jTn8BDj1HfzRjxEeWiXIWFYe iOVNyfa22mDT09RAOymzp1g2lufuw8JgcbS4iZlSMeAuY0GRjq+ngMhMMt6gT6Gxmthb 0Zz1ujDcxjOvhQUXYiO5Thq0U+zckII2lVpWWy1sR+s1Iv+GUtzWwD1dwKeM4N1EGiqy UgUw== X-Forwarded-Encrypted: i=1; AJvYcCXbH5PVWkJkMmue2Xc0PMmsAqF3DnWwZg6zNWHhmkBHhCG+LDNROGL266q/z2Qd5chqLUyTbzFWPDuabys=@vger.kernel.org X-Gm-Message-State: AOJu0Yy2iq4opc3IC+ELkiooJ8IqDuBaUsIeFAF7sNYZeaMEIM1CwVbR jBbYtDuz1DK+IfkXeZYwzpr/MKBvv/Vp5/FI5D3JbHCzOW3193vxjMXL6pL4keAq8OGU5XLen3N ttnqV1wrTJDYrfp9aMm7bObRr0mDDHsgcN02iXErN+cP9UGoWpN+FqVALU+6eHLA6XbDbI635Hd Utg8fyyLFh3lCC/ZESAk12dDOGl3iMM6VYgJSPY9xCTKlijYoe2fqp3/giIgB1T01fEMlU16xgo YMLd4tCDLvuY48geQ2HFF0RyNiuAtMLk9BZVWE= X-Gm-Gg: AY/fxX6f2eIMuaWNxjlaplDv2aFKn/8vgrAiWue9gaGeDBQTSt5ceUpAI4AUGEGaWXZ c/ISXnzF8Kah6NVi3iJnzJCSO1jpk9VXoJh1oZ7rCs6zBUYyGvoYpPKzdx/QU/ZJ3RmrYHfMmYz PylFZnJWPO8mtosiDPLMmFZe4ad0QGCMxvMBLprn/yJsbGf4is0Ra/+YcdjqUG2OcpppEtbOv4E FFbB0JaPt5oMSVhJTJYVWtR2rTwLvu3qlqg5tY3dBCB+lmfCSrlITbQI1bM4CPaIZ9x5hZKhBv/ c41IdtB7JAJV+hUABtfpqVEtZn7N8oVNvDHOdGCA5Oyi/9ANXJAp89SrzAkP1g39Y8vrgpUFuLy 3HFexcufP8RcudhSZzD3KI3bfrtniPRW98dWJRYxN+ZLPrurlcU5NV5KV8oq9uUqpThCAVqMC0U D2k/T1/15UESqGXRZH/CbyRQ8w6doUdynFICFgRnrsmpT0JBmRocPZbIYVB/c= X-Google-Smtp-Source: AGHT+IHumOT0YMQOcb+XhDPLHhAJDN4mHk069kIbPMYA1RUJBiD4CwoFCcvCOclj4f+nVY3hnJ0pzWgxiOgL X-Received: by 2002:a17:90b:2d50:b0:341:124f:4745 with SMTP id 98e67ed59e1d1-34f68d22540mr11363709a91.6.1768200769508; Sun, 11 Jan 2026 22:52:49 -0800 (PST) Received: from smtp-us-east1-p01-i01-si01.dlp.protect.broadcom.com (address-144-49-247-2.dlp.protect.broadcom.com. [144.49.247.2]) by smtp-relay.gmail.com with ESMTPS id 98e67ed59e1d1-34f5fb501dasm2475267a91.8.2026.01.11.22.52.49 for (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Sun, 11 Jan 2026 22:52:49 -0800 (PST) X-Relaying-Domain: broadcom.com X-CFilter-Loop: Reflected Received: by mail-qk1-f199.google.com with SMTP id af79cd13be357-8bbb6031cfdso203701185a.1 for ; Sun, 11 Jan 2026 22:52:48 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=broadcom.com; s=google; t=1768200768; x=1768805568; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=FLfXk/1BlceWtah76vfkztbqcGBEs/TIQ6b4f9GZ4FY=; b=PTEjG4FGTFl9K/FTiSEh+uQk/LOyR7P3c2UCg09bzWy50kHT26bMkYHqupAWbRTY2s Q9sERmZl+3vO5RmtBnfT/Kxv7mVWzftvlDKuvRTFQHBuA1jJW/euaQr9U5xHFbG6HPho e6R3k2nXZhMEw5VxHOdxYy8cc2YP2Vf4uNLto= X-Forwarded-Encrypted: i=1; AJvYcCU90WL7OUnHDhwilQqPMgakSoBLepGvf1oDpPeH7lwfwrB8c2WuKF949zGptvEA74G7hWwITmxPVmIoO6w=@vger.kernel.org X-Received: by 2002:a05:620a:2804:b0:8b2:f090:b165 with SMTP id af79cd13be357-8c389388a4emr1707613985a.4.1768200768198; Sun, 11 Jan 2026 22:52:48 -0800 (PST) X-Received: by 2002:a05:620a:2804:b0:8b2:f090:b165 with SMTP id af79cd13be357-8c389388a4emr1707611785a.4.1768200767714; Sun, 11 Jan 2026 22:52:47 -0800 (PST) Received: from keerthanak-ph5-dev.. ([192.19.161.250]) by smtp.gmail.com with ESMTPSA id af79cd13be357-8c37f4a6b4fsm1442738085a.2.2026.01.11.22.52.45 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 11 Jan 2026 22:52:47 -0800 (PST) From: Keerthana K To: stable@vger.kernel.org, gregkh@linuxfoundation.org Cc: borisp@nvidia.com, john.fastabend@gmail.com, kuba@kernel.org, davem@davemloft.net, edumazet@google.com, pabeni@redhat.com, horms@kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, ajay.kaher@broadcom.com, alexey.makhalov@broadcom.com, vamsi-krishna.brahmajosyula@broadcom.com, yin.ding@broadcom.com, tapas.kundu@broadcom.com, Kuniyuki Iwashima , Sabrina Dubroca , Sasha Levin , Keerthana K Subject: [PATCH v6.12.y] tls: Use __sk_dst_get() and dst_dev_rcu() in get_netdev_for_sock(). Date: Mon, 12 Jan 2026 06:49:44 +0000 Message-ID: <20260112064944.2969750-1-keerthana.kalyanasundaram@broadcom.com> X-Mailer: git-send-email 2.43.7 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-DetectorID-Processed: b00c1d49-9d2e-4205-b15f-d015386d3d5e Content-Type: text/plain; charset="utf-8" From: Kuniyuki Iwashima [ Upstream commit c65f27b9c3be2269918e1cbad6d8884741f835c5 ] get_netdev_for_sock() is called during setsockopt(), so not under RCU. Using sk_dst_get(sk)->dev could trigger UAF. Let's use __sk_dst_get() and dst_dev_rcu(). Note that the only ->ndo_sk_get_lower_dev() user is bond_sk_get_lower_dev(), which uses RCU. Fixes: e8f69799810c ("net/tls: Add generic NIC offload infrastructure") Signed-off-by: Kuniyuki Iwashima Reviewed-by: Eric Dumazet Reviewed-by: Sabrina Dubroca Link: https://patch.msgid.link/20250916214758.650211-6-kuniyu@google.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin [ Keerthana: Backport to v6.12.y ] Signed-off-by: Keerthana K --- net/tls/tls_device.c | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) diff --git a/net/tls/tls_device.c b/net/tls/tls_device.c index 0af7b3c52..99d503e03 100644 --- a/net/tls/tls_device.c +++ b/net/tls/tls_device.c @@ -123,17 +123,19 @@ static void tls_device_queue_ctx_destruction(struct t= ls_context *ctx) /* We assume that the socket is already connected */ static struct net_device *get_netdev_for_sock(struct sock *sk) { - struct dst_entry *dst =3D sk_dst_get(sk); - struct net_device *netdev =3D NULL; + struct net_device *dev, *lowest_dev =3D NULL; + struct dst_entry *dst; =20 - if (likely(dst)) { - netdev =3D netdev_sk_get_lowest_dev(dst->dev, sk); - dev_hold(netdev); + rcu_read_lock(); + dst =3D __sk_dst_get(sk); + dev =3D dst ? dst_dev_rcu(dst) : NULL; + if (likely(dev)) { + lowest_dev =3D netdev_sk_get_lowest_dev(dev, sk); + dev_hold(lowest_dev); } + rcu_read_unlock(); =20 - dst_release(dst); - - return netdev; + return lowest_dev; } =20 static void destroy_record(struct tls_record_info *record) --=20 2.43.7