From nobody Wed Feb 11 05:36:44 2026 Received: from mail-pl1-f226.google.com (mail-pl1-f226.google.com [209.85.214.226]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 5A5F7318ED8 for ; Mon, 19 Jan 2026 11:52:43 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.214.226 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1768823567; cv=none; b=G53bHCXO8zO8xnz4dhGeMhpbZ4x9dTJwGTkr+M2rXBskHvvzLcu37aboTlr55PDmJLu/2mfSXD0GPlnJ1wXGGxRkO3GBjLBRmrRZy41cU5y1PKFuEWESiFaoyHsPp86tp/dVuzMWOqxVMyDYDo2blS3M21RlhqU3+5UrnrcuLZM= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1768823567; c=relaxed/simple; bh=XjmEkDhy70C9BPaUIKs8e1nglyFuMhkb7Yn1iqBTdVE=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=hVXfEXL6bnpEAzy8Vf0zD5dOXZ6SHz6ABPXMUOU2jc5gFKkE6Fn2b6wBAyQ/EV8NFC9J8D8fmTXVaBxlNALiC7Y11UypyR+6IpIqSWVjVqqWfLoulR0RrKjMFjEH1tNQOltj/9FkKa9nO5xda7ctoEdm/83ECOEhV9EkD3CNZPM= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=broadcom.com; spf=fail smtp.mailfrom=broadcom.com; dkim=pass (1024-bit key) header.d=broadcom.com header.i=@broadcom.com header.b=T2ugtdNW; arc=none smtp.client-ip=209.85.214.226 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=broadcom.com Authentication-Results: smtp.subspace.kernel.org; spf=fail smtp.mailfrom=broadcom.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=broadcom.com header.i=@broadcom.com header.b="T2ugtdNW" Received: by mail-pl1-f226.google.com with SMTP id d9443c01a7336-2a0f3d2e503so6821965ad.3 for ; Mon, 19 Jan 2026 03:52:43 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1768823563; x=1769428363; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:dkim-signature:x-gm-gg :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=o/toLEsajSo6fO5hRJUdPGrIZ19DquBDTOLbcgJFlJU=; b=aTgf4XNfr7yGl8xAmo56ZZWST6UYnRINGdD81yRkdgZXWWy7U4MVS6OSDw5vAsC/jw zcso4Lf1hajZRJPgMB/InMPiIdRi2Oa2MLfMjySTm+pIyv/XBPlyoMJ3dCVqFXuArs/X /99b7arX6UaCLtA5yzEKncVRSAlaw9rrWbww/htU5I/8Dl7w05JEWj1BiNg7HNeNUlqL h8WhYYMdwT1QNqj1lCm2+galqWN/HtRhiY5tAhjcpWz56g65VqXbcWvzK+IzesWH8T9I h1DkkRU7rN4cCECkPapbcTij7/QZWFEOddb/HrygNVQEKPvzaMk/y/X+XZKl/Mflim8V eHFg== X-Forwarded-Encrypted: i=1; AJvYcCVjCRi3of87KakUkPk3hYrhXEnNWgTPXPctDCpTHMITrNP05ChE9hnG/tUjPe382a2H+AKTHwVd3BBBOE0=@vger.kernel.org X-Gm-Message-State: AOJu0Yz/qo3EEYWWxH9OJr82cwiq+Y3H5z1Pt3Frarsj22z0F9awJiDf WPEvPp/Kq3YfeketnyNjuJ1/2BwHYBNoIxLHi0s0ej0Be+eS68H+ztqzm+QWKzVDz8PDyw2LNvW 3zkM9ce//ZysRe/gduojhiOeGb9S6JMX4si7OHt+1md2x16ro+SzA5G5sF6wYNUceosfY8LWmuH uxPZFT7MK63dEDUNQacA10qbuPmRpmP/tz/8vRZTQMd+o6FjeXYSpTT5QD4Lt+p0oLZx+jJ5F7d NVbMq9WGM2xB58P3quMVdfmzLDv0zsOY2g9BWg= X-Gm-Gg: AZuq6aLirQ4wsiWsT2kG1Q//pmDtQtEu237UECtpz+Z49yLr4shCEyG2WCiPjxVSoHS MNF6r/vbbHE3JoisxCd6jc/UU66wwwGynPKndmTTgVcvw42mGYFP4qkeKRia5AFec9UYC0lU8uN JptaLsPVgtifDxwd0BwfIfJzGad8s63EjJjsd6u/0KfRk8jWR7Mnjgffwr7CrGSwMnkiCFlq82+ S3Te6sVdBUhbpzXHLyu1KZYLPB6LcmnupiRz9NsGDllY1VHkgeTEjyPs0rRmmxcmPmMRT9YwXV3 Kgv2+/bxaqJHuaMtzgMhbJaDakYwXmcw/mJdJwg9ddfMuO7jC18VKC/Mqjs9yZOTuCe7W/QCELN /Rug53wodD8HEPTnPdnpOv/MFhuR3iD+40E7880iw8S9+VqY9zWpxyTFdzQnJ/H2F2D7RfAngVz RtpIdD5ONebVYCHvhG1n3EbPyWs9gDNwoZZZhKnvvHHtpAlJlL3W9EdgJKlX2svzfS X-Received: by 2002:a17:902:dac7:b0:295:70b1:edd6 with SMTP id d9443c01a7336-2a71753f167mr74297675ad.3.1768823562643; Mon, 19 Jan 2026 03:52:42 -0800 (PST) Received: from smtp-us-east1-p01-i01-si01.dlp.protect.broadcom.com (address-144-49-247-118.dlp.protect.broadcom.com. [144.49.247.118]) by smtp-relay.gmail.com with ESMTPS id d9443c01a7336-2a7190d67dbsm14981795ad.27.2026.01.19.03.52.42 for (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Mon, 19 Jan 2026 03:52:42 -0800 (PST) X-Relaying-Domain: broadcom.com X-CFilter-Loop: Reflected Received: by mail-qk1-f199.google.com with SMTP id af79cd13be357-8c53892a195so109631185a.3 for ; Mon, 19 Jan 2026 03:52:41 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=broadcom.com; s=google; t=1768823561; x=1769428361; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=o/toLEsajSo6fO5hRJUdPGrIZ19DquBDTOLbcgJFlJU=; b=T2ugtdNWNDisrr6GN2RKuU86jtUSddKHlixuERLlHiRI/ksW99ovMpjFrjE0Pq/P3M wJo4RG8CBB5OZSk4L/xjR5weV4x/VRwkaFEjX5AcW1DzulRi8hAPGfHJAQ7Hevo9rw7l vXDRWcIP5tFcuQl6dGMpctM31bo11tcSwQDK8= X-Forwarded-Encrypted: i=1; AJvYcCVrpVwIsxyh0wfwrX2zXCes5m3/hAkA5Dzcmxw0GImXGqzM2sxcr362RMst0Jt1F0g67TS0n8rCk07edIQ=@vger.kernel.org X-Received: by 2002:a05:620a:2a05:b0:8b2:e177:fb18 with SMTP id af79cd13be357-8c6a67bc788mr1083868685a.9.1768823561481; Mon, 19 Jan 2026 03:52:41 -0800 (PST) X-Received: by 2002:a05:620a:2a05:b0:8b2:e177:fb18 with SMTP id af79cd13be357-8c6a67bc788mr1083863185a.9.1768823559509; Mon, 19 Jan 2026 03:52:39 -0800 (PST) Received: from keerthanak-ph5-dev.. ([192.19.161.250]) by smtp.gmail.com with ESMTPSA id af79cd13be357-8c6a71bf2b0sm772878885a.12.2026.01.19.03.52.36 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 19 Jan 2026 03:52:38 -0800 (PST) From: Keerthana K To: stable@vger.kernel.org, gregkh@linuxfoundation.org Cc: davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, yoshfuji@linux-ipv6.org, dsahern@kernel.org, borisp@nvidia.com, john.fastabend@gmail.com, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, bpf@vger.kernel.org, ajay.kaher@broadcom.com, alexey.makhalov@broadcom.com, vamsi-krishna.brahmajosyula@broadcom.com, yin.ding@broadcom.com, tapas.kundu@broadcom.com, Kuniyuki Iwashima , Sabrina Dubroca , Sasha Levin , Keerthana K Subject: [PATCH v5.15-v6.1 2/2] tls: Use __sk_dst_get() and dst_dev_rcu() in get_netdev_for_sock(). Date: Mon, 19 Jan 2026 11:49:10 +0000 Message-ID: <20260119114910.1414976-3-keerthana.kalyanasundaram@broadcom.com> X-Mailer: git-send-email 2.43.7 In-Reply-To: <20260119114910.1414976-1-keerthana.kalyanasundaram@broadcom.com> References: <20260119114910.1414976-1-keerthana.kalyanasundaram@broadcom.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-DetectorID-Processed: b00c1d49-9d2e-4205-b15f-d015386d3d5e Content-Type: text/plain; charset="utf-8" From: Kuniyuki Iwashima [ Upstream commit c65f27b9c3be2269918e1cbad6d8884741f835c5 ] get_netdev_for_sock() is called during setsockopt(), so not under RCU. Using sk_dst_get(sk)->dev could trigger UAF. Let's use __sk_dst_get() and dst_dev_rcu(). Note that the only ->ndo_sk_get_lower_dev() user is bond_sk_get_lower_dev(), which uses RCU. Fixes: e8f69799810c ("net/tls: Add generic NIC offload infrastructure") Signed-off-by: Kuniyuki Iwashima Reviewed-by: Eric Dumazet Reviewed-by: Sabrina Dubroca Link: https://patch.msgid.link/20250916214758.650211-6-kuniyu@google.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin [ Keerthana: Backport to v5.15-v6.1 ] Signed-off-by: Keerthana K --- net/tls/tls_device.c | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) diff --git a/net/tls/tls_device.c b/net/tls/tls_device.c index c51377a15..e79bce6db 100644 --- a/net/tls/tls_device.c +++ b/net/tls/tls_device.c @@ -125,17 +125,19 @@ static void tls_device_queue_ctx_destruction(struct t= ls_context *ctx) /* We assume that the socket is already connected */ static struct net_device *get_netdev_for_sock(struct sock *sk) { - struct dst_entry *dst =3D sk_dst_get(sk); - struct net_device *netdev =3D NULL; + struct net_device *dev, *lowest_dev =3D NULL; + struct dst_entry *dst; =20 - if (likely(dst)) { - netdev =3D netdev_sk_get_lowest_dev(dst->dev, sk); - dev_hold(netdev); + rcu_read_lock(); + dst =3D __sk_dst_get(sk); + dev =3D dst ? dst_dev_rcu(dst) : NULL; + if (likely(dev)) { + lowest_dev =3D netdev_sk_get_lowest_dev(dev, sk); + dev_hold(lowest_dev); } + rcu_read_unlock(); =20 - dst_release(dst); - - return netdev; + return lowest_dev; } =20 static void destroy_record(struct tls_record_info *record) --=20 2.43.7