From nobody Mon May 25 01:57:59 2026 Received: from mail-pl1-f169.google.com (mail-pl1-f169.google.com [209.85.214.169]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id B968D4A23 for ; Tue, 19 May 2026 12:35:56 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.214.169 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779194158; cv=none; b=axy1nAGouYaUfwshEanBuUbM1GLEP785pFxraIj4MYi0pRs06ExpCtKSBgbKxHnoIxXYunJDSwBH1G1e6KzRGs0gDieaLTtCIjgouMAreCaUI/1m6nh7qjrkYPNDRsjU9B4cihEfNNpQlaWO+UH4fTVuvZZLtmsOC/rEjuDolWY= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779194158; c=relaxed/simple; bh=Lwq1J62OW8JDcXkwUnsvUVkfs3+XE4erfsJrd0tlMuc=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=lsJWYRIjm5As+3l0t/josg4rjxEIPvSDZKAH2lcFqLzSgQbJeaNBt0T4O84wqaKbWTri3MieH9oFUJZpl2f+afhegNWt1ac/DGuCPP/nIvLGYdWdckxtJvsWE00X02IP/ZoX/1UxuVVnS9ukZE5Z32UNCFj/ZFcIuBR+jCBEFWI= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=fZivagJr; arc=none smtp.client-ip=209.85.214.169 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="fZivagJr" Received: by mail-pl1-f169.google.com with SMTP id d9443c01a7336-2bd9c3b550aso22996905ad.2 for ; Tue, 19 May 2026 05:35:56 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1779194156; x=1779798956; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=NC88S+CqkDEv2HbPYj6bcWrEKRInj078OJU7Uw7Ad6o=; b=fZivagJr73DZePSJ3HASnQFf4YT8auxVi98o+vSh2QvA8UxhOsZV7s3cYnYrKmh8on k7QPk4sP8Fep3zoC0KaHaW24gUAszwwiHeJMFOjPgkc2DuHBI303LombdB+p9SaBnhZP HkXSBYkovB3kjmqKT6k/jKAENrFlHh5TPPvqaw6ypWCJAAYgbqTfNqrtEK1+P62++CWS bXsS3ylCZ3cLYwc9fXF4gs3dxJTIKpvnK5LttiryK0nDim/K5dnLjBev6pfY2TpJneL6 fFmRMoNkX+3fmk7h4m/UI0KcoFwbLXuCmXz8eIMyCbjdaSNwom8ZsjkTw+6quNCO9gUQ cFNg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1779194156; x=1779798956; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=NC88S+CqkDEv2HbPYj6bcWrEKRInj078OJU7Uw7Ad6o=; b=SEYrwmOyk1IuVw+qveJNkJZKVMZQkhqLf5AbxdrsBtd2PmXt8SNFXkkaYl2cSELWrY MzSyii9wrK3WNZN3EndBIJwCe8AoSbHn4kuzhwsCY8+lniV6E44Gcm5XI1mu92Wz0NFS Fxqxfhd24lN3XK2xqK6YUbL0gyS5HOwjqrdZeDCdXFlBL+5KxkpND77aCDQS4BWWLQjU vObqTOpUmJy/2oLZbpWOrI6BaVAI0XciKrv6fscXaSi2Ka8CijVHMi5feRJ1e3ESUdqM nm+0B/ubx4yZ/R7DZm8Y2VtIq1F7aLZnWftL+MtBBbZ5/o81NdgIHEXe0vxCrlYOh9Np Gv1A== X-Forwarded-Encrypted: i=1; AFNElJ/hBLqhWDJn1R8xHvtpTLPeVeyV51I4x0OKIFz8JGVXHGuCXd/0S+dpGHP191D4VSvrVUmSLic8PEmDYXI=@vger.kernel.org X-Gm-Message-State: AOJu0Yzgr6BKAZZ69qQ7iiwmkWu2mr6rNhikIQCYtVxFf81mqb0ESAuw Yxy/dGGf3fg6neHKF2w24Nl3fL5FBpj0ZlNpkcJWow/YAcd43zy/HqdW X-Gm-Gg: Acq92OG33xkldPvv95V7JZvNrHKOzzuUFQ4UXtSB9Uo9Jckhoz5vOLmyvk95XDP4prQ VKmAKuO2NzU9t09S91F6X7RLWbS27RfW+/ZyrBr6k3ynAmSDa+H9/u1dH5MkQUlEomU7JoVao9D UUAU8bcInxDO4R91IPtIiYV0EuygNEHft3ev+nfmPRad/kzI+0gmeRjMOV2kA3/6Im3Qx0DvhqZ Fi7rU5Q6d6zaM+lc6wf1C768D3oaqT08M1Gn+Vhd7LgjngNBNGPK7kdPYgvTCjzEjpRLUGEwYGv elGAuM09IfiO6yPvZRvlRSvBuMs5rUPBLhatyoW4hXq/fpIULSBRkS2wgpMrrSr3arIO0ZAu9Jd YxI1i74/jU6B51396tXfCytYvC1IxXfx1XPedIIrCSYuPGU+SMsPl/LzwNziSYW362y/RP3FsuH A3q+xo59s0q9szrHuQDqQDpNUWpwGcZL1simH8s+JdwVf2nVCduU0hds0FjmY= X-Received: by 2002:a17:902:da8a:b0:2bd:eb0d:efb7 with SMTP id d9443c01a7336-2bdeb0df7b4mr80270315ad.1.1779194155920; Tue, 19 May 2026 05:35:55 -0700 (PDT) Received: from csl-conti-dell7858.ntu.edu.sg ([155.69.195.57]) by smtp.gmail.com with ESMTPSA id d9443c01a7336-2bd5bd5fc60sm193216245ad.9.2026.05.19.05.35.53 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 19 May 2026 05:35:55 -0700 (PDT) From: Maoyi Xie To: Jakub Kicinski , "David S . Miller" , Paolo Abeni , Eric Dumazet , David Ahern Cc: Kuniyuki Iwashima , Steffen Klassert , Shaw Leon , netdev@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org Subject: [PATCH net v3 1/2] ip6: vti: Use ip6_tnl.net in vti6_changelink(). Date: Tue, 19 May 2026 20:35:46 +0800 Message-Id: <20260519123547.2055911-2-maoyixie.tju@gmail.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20260519123547.2055911-1-maoyixie.tju@gmail.com> References: <20260519123547.2055911-1-maoyixie.tju@gmail.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" From: Kuniyuki Iwashima ip netns add ns1 ip netns add ns2 ip -n ns1 link add vti6_test type vti6 remote ::1 local ::2 key 7 ip -n ns1 link set vti6_test netns ns2 ip -n ns2 link set vti6_test type vti6 remote ::3 local ::4 key 9 ip netns del ns2 ip netns del ns1 [ 132.495484] ------------[ cut here ]------------ [ 132.497609] kernel BUG at net/core/dev.c:12376! After commit 5e72ce3e3980 ("net: ipv6: Use link netns in newlink() of rtnl_link_ops"), vti6_newlink() correctly resolves the per-netns vti6 hash via link_net. vti6_changelink() and vti6_update() were not converted in that series and still read dev_net(dev) / dev_net(t->dev), which diverge from the device's creation netns after IFLA_NET_NS_FD migration. The result is a stale per-netns hash entry; cleanup_net() of the original netns then walks freed memory. Reachable from an unprivileged user namespace ("unshare --user --map-root-user --net"); cross-tenant scope on container hosts. Fixes: 5e72ce3e3980 ("net: ipv6: Use link netns in newlink() of rtnl_link_o= ps") Reported-by: Maoyi Xie Reviewed-by: Eric Dumazet Cc: stable@vger.kernel.org # v5.15+ Signed-off-by: Kuniyuki Iwashima --- net/ipv6/ip6_vti.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/net/ipv6/ip6_vti.c b/net/ipv6/ip6_vti.c index ad5290be4..dcb257411 100644 --- a/net/ipv6/ip6_vti.c +++ b/net/ipv6/ip6_vti.c @@ -722,10 +722,11 @@ vti6_tnl_change(struct ip6_tnl *t, const struct __ip6= _tnl_parm *p, static int vti6_update(struct ip6_tnl *t, struct __ip6_tnl_parm *p, bool keep_mtu) { - struct net *net =3D dev_net(t->dev); - struct vti6_net *ip6n =3D net_generic(net, vti6_net_id); + struct net *net =3D t->net; + struct vti6_net *ip6n; int err; + ip6n =3D net_generic(net, vti6_net_id); vti6_tnl_unlink(ip6n, t); synchronize_net(); err =3D vti6_tnl_change(t, p, keep_mtu); @@ -1031,11 +1032,12 @@ static int vti6_changelink(struct net_device *dev, = struct nlattr *tb[], struct nlattr *data[], struct netlink_ext_ack *extack) { - struct ip6_tnl *t; + struct ip6_tnl *t =3D netdev_priv(dev); + struct net *net =3D t->net; struct __ip6_tnl_parm p; - struct net *net =3D dev_net(dev); - struct vti6_net *ip6n =3D net_generic(net, vti6_net_id); + struct vti6_net *ip6n; + ip6n =3D net_generic(net, vti6_net_id); if (dev =3D=3D ip6n->fb_tnl_dev) return -EINVAL; -- 2.34.1 From nobody Mon May 25 01:57:59 2026 Received: from mail-pl1-f174.google.com (mail-pl1-f174.google.com [209.85.214.174]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 8C2AC369D78 for ; Tue, 19 May 2026 12:36:01 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.214.174 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779194162; cv=none; b=t9XoEDja/c+R2BhS+OKDMEP5KmtwD4oXTBaK0vrwQ1unel6pzgMqE4jQv0IFGYEVIGFN0Ke5wgGND7qIJzJ8Aikotmv7rsyVblPuCAfomlP0C+t/huEoxDJ+fXpsI9VK8RB8l0m4bMuQxLSXvj6Na2uXL076n+ZrT7rPAGzKNKg= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779194162; c=relaxed/simple; bh=lIc9IvGukuTxrcKPyEANUt/P7j7/XDF0to6T1xKrVwg=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=VFmuuktCaDUZKXh+14y6SLvp8LQKwD7KceaqoIsyG34Ptah6fXT/MbNiKxzXn6v39FRhDsd10wIKI2IySmblk0m/m4u8wIepONIuIYGeWRV6vQ2XnqX8Vm10JwaYdifxBLwSvpDLPdRIECdi+xBFt99k4y3c0XuYPifIax2slbY= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=RxdNV23U; arc=none smtp.client-ip=209.85.214.174 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="RxdNV23U" Received: by mail-pl1-f174.google.com with SMTP id d9443c01a7336-2b4583f0a1aso21764785ad.3 for ; Tue, 19 May 2026 05:36:01 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1779194159; x=1779798959; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=WnqfNLPf1FZpTLzCn6yNj1v+FRpfxLX1loWYM78LAiU=; b=RxdNV23U+rPsSJ2il8ENIcIFV40H/lty0OrdzTXSVqMXYIz66s5o3jbYDXuRgDRHZc mocdfsHTWeH9IxBBe0SpTmTOyhbvkoQYYcewzG1coz4ZXz9ebX1CjusnhKYHmlIAKyHG APx13kdteRvuESCs92OtIkWtLS64LSRezJpseyRGKI+MwXAvBcnDuCeLpXWa1lf1qcLV s94bvNCIl2PF6LeweFQBTzIQ6Xk74SazVQE0VsSY7VtGWCxu7IZZa7oc3ZMPTkFLf5z9 Aibou2FWyPxzTDquj6XAkfcb3Bs2SJ7ePLXMFsP97O+thyIjOqZtrtz29wNF/n+9vyWE 1hdA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1779194159; x=1779798959; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=WnqfNLPf1FZpTLzCn6yNj1v+FRpfxLX1loWYM78LAiU=; b=N0jIDuZA6TMeHeYtuTY1zK10znfPmP7WVQxPfI2UcctM5p7S3TcZ9cUn9cwo3on13I 7ScexMMpZH3bz44TzX6EH53zLIBpae5oI2QpbAOeJEA4Ck+T4a7E71dnl2lf6YlJEFda WAnAVNoJ5eGg9JsdflzahlLI66/WSypPfc3Iky/G9n6YrzMXLJJclNvmmySDjlUTsDMV o3FYMgiObK/CXWT6OeCZounOqhlkvxrVJW7AlcYvADp5EsQTwgXckH/+3MCO9FQT+p3h s1b787R3Ni8K+4reEcrQOn0JKiT4HzWHJWRcTxxXDiQ8B+dKEUetuiLtPNrCeWvHXRew 00ng== X-Forwarded-Encrypted: i=1; AFNElJ8eXXHZI7FJeCM4mR615iCcDLZTGTywaoF2tfQJS0AEaG35086IH6XSBa1/e7X1nvH+Ri59Rc5DLGqmv5c=@vger.kernel.org X-Gm-Message-State: AOJu0YzkZItCZohbE+dx0W/kqStvXXTN6x08ra1h/+H6GGIxgWXMd518 tfeo4pDju7DTwiMfZWApsPBfYlF0b/SuTRu7LPr0g//Ia+yaOxiKiNIE X-Gm-Gg: Acq92OHTnIwXHtOqM6s809hYT6QbRIpm2gVgROn3EQlc2ndLP/rBVMcx/b1bu/OZ3gO /dW9fPok+dSKHaidW5zOFhrakFbU3pP5phpWZan687wWYZdlIl1Ad6JSPbTquYJTFNDzFJdK325 CrSwW++liGP3k2V53nZ4v2hoGg7xijfPVKwHxqkrJUJfZZuCQ/r5JUheyXKjKx/AANBlfnG66xX HmV1A54T6Jig/ghGVDH29T56Fnhfz3G//tJM5bxzZlIr8HWA21UPAWZ1eF83rLAOxg7vBwDa7nQ qerlygVqzG7L3hyFBrxa7l6k3c/vdgs4dWj9N+yw2OUmOg6fAXmk6Pq19kw35+LgIWS1WJaYVAZ AFMMuHTKiMeXGtYy0akDykfgTDJ3ebAVQaBEIfW0zwbKr0yO9aHf84SYbP+7SHFJh6a53wUQWFg PjHfGN0TEb0q+aGkCgIDrXTW5ZGLaM4J6ZIsrGiVHvbXqTTpUY X-Received: by 2002:a17:903:950:b0:2bd:a3c5:6d96 with SMTP id d9443c01a7336-2bda3c56ef9mr147376025ad.14.1779194158910; Tue, 19 May 2026 05:35:58 -0700 (PDT) Received: from csl-conti-dell7858.ntu.edu.sg ([155.69.195.57]) by smtp.gmail.com with ESMTPSA id d9443c01a7336-2bd5bd5fc60sm193216245ad.9.2026.05.19.05.35.56 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 19 May 2026 05:35:58 -0700 (PDT) From: Maoyi Xie To: Jakub Kicinski , "David S . Miller" , Paolo Abeni , Eric Dumazet , David Ahern Cc: Kuniyuki Iwashima , Steffen Klassert , Shaw Leon , netdev@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org Subject: [PATCH net v3 2/2] ip6: vti: Use ip6_tnl.net in vti6_siocdevprivate(). Date: Tue, 19 May 2026 20:35:47 +0800 Message-Id: <20260519123547.2055911-3-maoyixie.tju@gmail.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20260519123547.2055911-1-maoyixie.tju@gmail.com> References: <20260519123547.2055911-1-maoyixie.tju@gmail.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" After "ip6: vti: Use ip6_tnl.net in vti6_changelink()." in the same series, vti6_update() unlinks and relinks the tunnel through t->net. vti6_siocdevprivate() still uses dev_net(dev) for the collision lookup. For a tunnel migrated through IFLA_NET_NS_FD, dev_net(dev) is the new namespace, not t->net. The SIOCCHGTUNNEL path on a migrated tunnel then proceeds as follows: net =3D dev_net(dev) /* migrated netns */ t =3D vti6_locate(net, &p1, false) /* misses target in t->net */ ... t =3D netdev_priv(dev) vti6_update(t, &p1, false) /* mutates t->net's hash */ A caller in the migrated netns sets the migrated tunnel's parameters to those of a tunnel that lives only in the creation netns. The collision check in dev_net(dev) sees nothing. vti6_update() then prepends the migrated tunnel at the head of the creation netns hash bucket for those parameters. Subsequent lookups in the creation netns resolve to the migrated device. xfrm receive delivers packets matching those parameters through a device the caller controls. Reachable from an unprivileged user namespace ("unshare --user --map-root-user --net"). Cross tenant scope on container hosts. Use t->net for the SIOCCHGTUNNEL path on a non fallback device. The lookup then matches the namespace vti6_update() operates on. SIOCADDTUNNEL and SIOCCHGTUNNEL on the fallback device retain dev_net(dev), which equals init_net for the fallback. Fixes: 5e72ce3e3980 ("net: ipv6: Use link netns in newlink() of rtnl_link_o= ps") Suggested-by: Jakub Kicinski Cc: stable@vger.kernel.org # v5.15+ Signed-off-by: Maoyi Xie --- net/ipv6/ip6_vti.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/net/ipv6/ip6_vti.c b/net/ipv6/ip6_vti.c --- a/net/ipv6/ip6_vti.c +++ b/net/ipv6/ip6_vti.c @@ -834,15 +834,19 @@ vti6_siocdevprivate(struct net_device *dev, struct if= req *ifr, void __user *data if (p.proto !=3D IPPROTO_IPV6 && p.proto !=3D 0) break; vti6_parm_from_user(&p1, &p); - t =3D vti6_locate(net, &p1, cmd =3D=3D SIOCADDTUNNEL); if (dev !=3D ip6n->fb_tnl_dev && cmd =3D=3D SIOCCHGTUNNEL) { + struct ip6_tnl *self =3D netdev_priv(dev); + + t =3D vti6_locate(self->net, &p1, false); if (t) { if (t->dev !=3D dev) { err =3D -EEXIST; break; } } else - t =3D netdev_priv(dev); + t =3D self; err =3D vti6_update(t, &p1, false); + } else { + t =3D vti6_locate(net, &p1, cmd =3D=3D SIOCADDTUNNEL); } if (t) { -- 2.34.1