From nobody Tue Apr 7 14:06:11 2026 Received: from mail-qk1-f227.google.com (mail-qk1-f227.google.com [209.85.222.227]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 6F0063876A4 for ; Thu, 26 Feb 2026 04:00:26 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.222.227 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1772078427; cv=none; b=KFKf1Lfsk/B3v1QsNCn86Vp4ex9EirH0e40I6P8x2q2VkELSSPJ+EZ8cPuCJ+LrXWF1JNou4Ra8r77BPARGhOHBgjclZuFGFxEpQsT6wELPNFica2LJ0cZvsEmvGWMtbu3TTZ+op2EvwOtLRc/C1TqiuP9J2TIohR8s/bo5VtG8= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1772078427; c=relaxed/simple; bh=p4ObQhsGaquv0/UOLFNM3wnBoRUtCqhdQS05+BaaZZM=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=ZQunYoAl4ZzR6K/H/YIlX5Wf+V5tyF7C72+ARfzJ1aNjrRybLvFkPkIYBCeGNLFZ04CIM0O/1SPdglcrmy5QF5BXKRJbWNtx2VhH7jFdgdw6vmBlg/WQu1k/DE/0m4TSolPyWJIatmikHyh/DEj7Hd6N3oH+mzmUaIolRzFMxhM= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=broadcom.com; spf=fail smtp.mailfrom=broadcom.com; dkim=pass (1024-bit key) header.d=broadcom.com header.i=@broadcom.com header.b=WklApPxm; arc=none smtp.client-ip=209.85.222.227 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=broadcom.com Authentication-Results: smtp.subspace.kernel.org; spf=fail smtp.mailfrom=broadcom.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=broadcom.com header.i=@broadcom.com header.b="WklApPxm" Received: by mail-qk1-f227.google.com with SMTP id af79cd13be357-8cb3e17d979so4156885a.2 for ; Wed, 25 Feb 2026 20:00:26 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1772078425; x=1772683225; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:dkim-signature:x-gm-gg:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=95I2cawC7z6ZKTb4xOnbEbjbg0EhuyvB5ErtjRNQPtM=; b=KOYt+ogSbDZ8DK0NmC4RtqAo5dN60ilYVfHB63kvVd4YqJwZbX859pAkX3FeER10Sf H0ZVl88VjTcie86D50yjkMjiYgtgYC3VG7TSvcmjDKV4bhQAGW1NoJvedqi4CY4AEb7i 6zdiUXJt72+xvb1r0bpthaL6A4A3co1HLFP92zK8GDOe9mGX9RH0DYXk6Y0sclf3E9bz f5Z6Nzku8BUWrFrvxdfW4+rb/cryorGoQuu+N6AeXoiJ0c95T8yHxWUvAiG+ZS8rivs5 a5krXhouA191nD63AJE8+WzgcBL/YZtE9UgcKpH/mvMxp6vAo22wM64SwO5iB9Ccaqat ITbw== X-Forwarded-Encrypted: i=1; AJvYcCV5kYei6W3qqhhZK0fu24kpNNa7WGIzMmSX17s5yoqvJcD0+wqjhjyIPE1YlzzsrTUisXF1vVBdFK23Ofo=@vger.kernel.org X-Gm-Message-State: AOJu0YzxR1o85tcVzrYVq7DP97y1Ry3rj3KTDiajG+R3oyLqDnhqJLcv tLIjtcr9ZNv/E8QtBa0G/0orA8XKh8Kr+2//d6wLfrCec1QHkIFKZcjrcDtRp+PhQvJcgvMzyNP 3XmFVRMcqeJhNxftxwAxpYCzhe82dV8QKcE0GQpOnQ+UxG8a0jOqw7XzaHGBaQSpae1F3y83jK4 Hkl55hZFUlMRBxVXT31mVLqvvaIXSPKX8tgnJ9Oz/wG2diXtA1fI/llF436FxFHxQC57Hzs315Q ZAykTlcyTt4Yu/SIq+P8TuB2A4SRfdQaDQru8I= X-Gm-Gg: ATEYQzyQ4O/kQWJOoyRstFNe5SISE69fL5daloJKW9RwLcZxhYD4qdYvEEAdPQ71C1c qejAjqyDQIyww4gEG7Qal85X+tMIaMPfEGk1+fgiKF8JOWWBOgIEOGAu7Q1q52Sye+m6ro9S+3F 0PO6vZ6tdsy2hE/tgJyoOhxNUdhU9r/ib371Uz0VzRZTN4QMFnOBJbR3Yz1Ry4AFjEY+AFJd9Ub ak9+ASZedH9RRjgOX0/QZxXOMvU/PuC7VPwPgVK9WBJ6sThvTW5jn0EnO64JDMMcdShKTcM979i yLCxf31BN4RbZN2HVvZQDOnb8zvWB9OeYMV9Ijx9LxU6qsBRVRGVkbBrYuVJxPB1sUP5+3HF+R3 Xx8ekantoRGJQK93tpituH9tdpViSo9u4TTyUxgHSRDEJMx8IsA3fVnHa9D4H3Wi3kV2ddem+jN ZDpjLFI4IeBy7Yh4OjVNe6l20f5CfH8cY0c4UH+Lt4k/h0xdescTEN+X6QZJWfJ+H6lMoRkVVEe Q== X-Received: by 2002:a05:6214:8088:b0:899:bbd1:da65 with SMTP id 6a1803df08f44-899bbd1e0edmr42347076d6.4.1772078424957; Wed, 25 Feb 2026 20:00:24 -0800 (PST) Received: from smtp-us-east1-p01-i01-si01.dlp.protect.broadcom.com (address-144-49-247-95.dlp.protect.broadcom.com. [144.49.247.95]) by smtp-relay.gmail.com with ESMTPS id 6a1803df08f44-899c71467cdsm880116d6.5.2026.02.25.20.00.24 for (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Wed, 25 Feb 2026 20:00:24 -0800 (PST) X-Relaying-Domain: broadcom.com X-CFilter-Loop: Reflected Received: by mail-qv1-f71.google.com with SMTP id 6a1803df08f44-899b4b45befso4084106d6.2 for ; Wed, 25 Feb 2026 20:00:24 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=broadcom.com; s=google; t=1772078424; x=1772683224; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=95I2cawC7z6ZKTb4xOnbEbjbg0EhuyvB5ErtjRNQPtM=; b=WklApPxmZXhj7LY16WedIdJfdIZTmDz6yNQvigM3CoVgCp5jxsMxNoS22MykmNVs9E 3HKi6hsbSnqmTfE9hg5YzKCsnDDUHnnoGA/zQheBuTMfITKy67k2QspNgl+H1Zxpn4RV MozT6w+2iCPSika4BEAK7JjGppiOwLCBDUS2Y= X-Forwarded-Encrypted: i=1; AJvYcCUP3xkYGJx/qUm2I1ttaTD/sybLdrxBIzlrEGrOhskCJrgJrUyWRYqHNUb2gV75PhhQRvOAz9GtpUtCPw4=@vger.kernel.org X-Received: by 2002:a05:620a:6910:b0:8cb:52c2:6f19 with SMTP id af79cd13be357-8cb8ca764b3mr1787882085a.7.1772078422360; Wed, 25 Feb 2026 20:00:22 -0800 (PST) X-Received: by 2002:a05:620a:6910:b0:8cb:52c2:6f19 with SMTP id af79cd13be357-8cb8ca764b3mr1787874285a.7.1772078421559; Wed, 25 Feb 2026 20:00:21 -0800 (PST) Received: from keerthanak-ph5-dev.. ([192.19.161.250]) by smtp.gmail.com with ESMTPSA id af79cd13be357-8cbbf6541f1sm103331185a.3.2026.02.25.20.00.18 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 25 Feb 2026 20:00:20 -0800 (PST) From: Keerthana K To: stable@vger.kernel.org, gregkh@linuxfoundation.org Cc: davem@davemloft.net, dsahern@kernel.org, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, horms@kernel.org, kafai@fb.com, weiwan@google.com, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, ajay.kaher@broadcom.com, alexey.makhalov@broadcom.com, vamsi-krishna.brahmajosyula@broadcom.com, yin.ding@broadcom.com, tapas.kundu@broadcom.com, Sasha Levin , Keerthana K , Shivani Agarwal Subject: [PATCH v3 v6.1-v6.6] ipv6: use RCU in ip6_xmit() Date: Thu, 26 Feb 2026 03:55:08 +0000 Message-ID: <20260226035508.3222136-1-keerthana.kalyanasundaram@broadcom.com> X-Mailer: git-send-email 2.43.7 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-DetectorID-Processed: b00c1d49-9d2e-4205-b15f-d015386d3d5e Content-Type: text/plain; charset="utf-8" From: Eric Dumazet [ Upstream commit 9085e56501d93af9f2d7bd16f7fcfacdde47b99c ] Use RCU in ip6_xmit() in order to use dst_dev_rcu() to prevent possible UAF. Fixes: 4a6ce2b6f2ec ("net: introduce a new function dst_dev_put()") Signed-off-by: Eric Dumazet Reviewed-by: David Ahern Link: https://patch.msgid.link/20250828195823.3958522-4-edumazet@google.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin Signed-off-by: Keerthana K Signed-off-by: Shivani Agarwal --- Changes in v3: - Updated authors net/ipv6/ip6_output.c | 35 +++++++++++++++++++++-------------- 1 file changed, 21 insertions(+), 14 deletions(-) diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c index f7a225da8525..4ea4da0e71c9 100644 --- a/net/ipv6/ip6_output.c +++ b/net/ipv6/ip6_output.c @@ -258,35 +258,36 @@ bool ip6_autoflowlabel(struct net *net, const struct = ipv6_pinfo *np) int ip6_xmit(const struct sock *sk, struct sk_buff *skb, struct flowi6 *fl= 6, __u32 mark, struct ipv6_txoptions *opt, int tclass, u32 priority) { - struct net *net =3D sock_net(sk); const struct ipv6_pinfo *np =3D inet6_sk(sk); struct in6_addr *first_hop =3D &fl6->daddr; struct dst_entry *dst =3D skb_dst(skb); - struct net_device *dev =3D dst->dev; struct inet6_dev *idev =3D ip6_dst_idev(dst); struct hop_jumbo_hdr *hop_jumbo; int hoplen =3D sizeof(*hop_jumbo); + struct net *net =3D sock_net(sk); unsigned int head_room; + struct net_device *dev; struct ipv6hdr *hdr; u8 proto =3D fl6->flowi6_proto; int seg_len =3D skb->len; - int hlimit =3D -1; + int ret, hlimit =3D -1; u32 mtu; =20 + rcu_read_lock(); + + dev =3D dst_dev_rcu(dst); head_room =3D sizeof(struct ipv6hdr) + hoplen + LL_RESERVED_SPACE(dev); if (opt) head_room +=3D opt->opt_nflen + opt->opt_flen; =20 if (unlikely(head_room > skb_headroom(skb))) { - /* Make sure idev stays alive */ - rcu_read_lock(); + /* idev stays alive while we hold rcu_read_lock(). */ skb =3D skb_expand_head(skb, head_room); if (!skb) { IP6_INC_STATS(net, idev, IPSTATS_MIB_OUTDISCARDS); - rcu_read_unlock(); - return -ENOBUFS; + ret =3D -ENOBUFS; + goto unlock; } - rcu_read_unlock(); } =20 if (opt) { @@ -348,17 +349,21 @@ int ip6_xmit(const struct sock *sk, struct sk_buff *s= kb, struct flowi6 *fl6, * skb to its handler for processing */ skb =3D l3mdev_ip6_out((struct sock *)sk, skb); - if (unlikely(!skb)) - return 0; + if (unlikely(!skb)) { + ret =3D 0; + goto unlock; + } =20 /* hooks should never assume socket lock is held. * we promote our socket to non const */ - return NF_HOOK(NFPROTO_IPV6, NF_INET_LOCAL_OUT, - net, (struct sock *)sk, skb, NULL, dev, - dst_output); + ret =3D NF_HOOK(NFPROTO_IPV6, NF_INET_LOCAL_OUT, + net, (struct sock *)sk, skb, NULL, dev, + dst_output); + goto unlock; } =20 + ret =3D -EMSGSIZE; skb->dev =3D dev; /* ipv6_local_error() does not require socket lock, * we promote our socket to non const @@ -367,7 +372,9 @@ int ip6_xmit(const struct sock *sk, struct sk_buff *skb= , struct flowi6 *fl6, =20 IP6_INC_STATS(net, idev, IPSTATS_MIB_FRAGFAILS); kfree_skb(skb); - return -EMSGSIZE; +unlock: + rcu_read_unlock(); + return ret; } EXPORT_SYMBOL(ip6_xmit); =20 --=20 2.43.7