From: Maoyi Xie
To: Jakub Kicinski, "David S. Miller", Paolo Abeni, Eric Dumazet, David Ahern
Cc: Kuniyuki Iwashima, Steffen Klassert, Xiao Liang, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org
Subject: [PATCH net v4 1/2] ip6: vti: Use ip6_tnl.net in vti6_changelink().
Date: Thu, 21 May 2026 21:05:54 +0800
Message-Id: <20260521130555.3421684-2-maoyixie.tju@gmail.com>
In-Reply-To: <20260521130555.3421684-1-maoyixie.tju@gmail.com>

From: Kuniyuki Iwashima

  ip netns add ns1
  ip netns add ns2
  ip -n ns1 link add vti6_test type vti6 remote ::1 local ::2 key 7
  ip -n ns1 link set vti6_test netns ns2
  ip -n ns2 link set vti6_test type vti6 remote ::3 local ::4 key 9
  ip netns del ns2
  ip netns del ns1

  [ 132.495484] ------------[ cut here ]------------
  [ 132.497609] kernel BUG at net/core/dev.c:12376!

Commit 61220ab34948 ("vti6: Enable namespace changing") dropped NETIF_F_NETNS_LOCAL from vti6 devices. A vti6 tunnel can then move through IFLA_NET_NS_FD. After the move dev_net(dev) points at the new netns while t->net stays at the creation netns.

vti6_changelink() and vti6_update() still use dev_net(dev) and dev_net(t->dev). They unlink from one per netns hash and relink into another. The creation netns is left with a stale entry. cleanup_net() of that netns later walks freed memory.

Reachable from an unprivileged user namespace (unshare --user --map-root-user --net). Cross tenant scope on container hosts.

Fixes: 61220ab34948 ("vti6: Enable namespace changing")
Reported-by: Maoyi Xie
Reviewed-by: Eric Dumazet
Cc: stable@vger.kernel.org # v5.15+
Signed-off-by: Kuniyuki Iwashima
---
 net/ipv6/ip6_vti.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/net/ipv6/ip6_vti.c b/net/ipv6/ip6_vti.c index ad5290be4dd6..dcb257411d6e 100644 --- a/net/ipv6/ip6_vti.c +++ b/net/ipv6/ip6_vti.c @@ -722,10 +722,11 @@ vti6_tnl_change(struct ip6_tnl *t, const struct __ip6= _tnl_parm *p, static int vti6_update(struct ip6_tnl *t, struct __ip6_tnl_parm *p, bool keep_mtu) { - struct net *net =3D dev_net(t->dev); - struct vti6_net *ip6n =3D net_generic(net, vti6_net_id); + struct net *net =3D t->net; + struct vti6_net *ip6n; int err; =20 + ip6n =3D net_generic(net, vti6_net_id); vti6_tnl_unlink(ip6n, t); synchronize_net(); err =3D vti6_tnl_change(t, p, keep_mtu); 
@@ -1031,11 +1032,12 @@ static int vti6_changelink(struct net_device *dev, = struct nlattr *tb[], struct nlattr *data[], struct netlink_ext_ack *extack) { - struct ip6_tnl *t; + struct ip6_tnl *t =3D netdev_priv(dev); + struct net *net =3D t->net; struct __ip6_tnl_parm p; - struct net *net =3D dev_net(dev); - struct vti6_net *ip6n =3D net_generic(net, vti6_net_id); + struct vti6_net *ip6n; =20 + ip6n =3D net_generic(net, vti6_net_id); if (dev =3D=3D ip6n->fb_tnl_dev) return -EINVAL; =20 --=20 2.34.1
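
Review bot: In the vti6_update() hunk of patch 1/2, the switch to `t->net` changes a helper that is not named in the subject or changelog scope, and patch 2/2 on this page shows vti6_siocdevprivate() calling `vti6_update(t, &p1, false)` after a lookup done in dev_net(dev). With only this patch applied, the ioctl path therefore looks up collisions in one netns and relinks in another. Say in the changelog that vti6_update() is shared with the SIOCCHGTUNNEL path, and either fold the lookup change into this patch or note that both patches must be backported together under the `Cc: stable` tag.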
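
Review bot: In the vti6_changelink() hunk of patch 1/2, the `dev == ip6n->fb_tnl_dev` test now compares against the fallback device of t->net instead of dev_net(dev), and the changelog does not say why that is still the right comparison. If the fallback device can never be moved to another netns the two are equivalent, so state that in the changelog. A one-line comment at `struct net *net = t->net;` saying that t->net is the creation netns and can differ from dev_net(dev) after a move through IFLA_NET_NS_FD would also keep a later cleanup from switching it back.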
From: Maoyi Xie
To: Jakub Kicinski, "David S. Miller", Paolo Abeni, Eric Dumazet, David Ahern
Cc: Kuniyuki Iwashima, Steffen Klassert, Xiao Liang, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org
Subject: [PATCH net v4 2/2] ip6: vti: Use ip6_tnl.net in vti6_siocdevprivate().
Date: Thu, 21 May 2026 21:05:55 +0800
Message-Id: <20260521130555.3421684-3-maoyixie.tju@gmail.com>
In-Reply-To: <20260521130555.3421684-1-maoyixie.tju@gmail.com>

After patch 1/2 in this series, vti6_update() unlinks and relinks the tunnel through t->net. vti6_siocdevprivate() still uses dev_net(dev) for the collision lookup. For a tunnel moved through IFLA_NET_NS_FD, dev_net(dev) is the new netns, not t->net.

SIOCCHGTUNNEL on a migrated tunnel then runs:

  net = dev_net(dev)                 /* migrated netns */
  t = vti6_locate(net, &p1, false)   /* misses target in t->net */
  ...
  t = netdev_priv(dev)
  vti6_update(t, &p1, false)         /* mutates t->net's hash */

A caller in the migrated netns picks params that match a tunnel in the creation netns. The lookup in dev_net(dev) finds nothing. vti6_update() prepends the migrated tunnel at the head of the creation netns hash bucket for those params. Later lookups in the creation netns resolve to the migrated device. xfrm receive delivers the matched packets through a device the caller controls.

Reachable from an unprivileged user namespace (unshare --user --map-root-user --net). Cross tenant scope on container hosts.

Switch the SIOCCHGTUNNEL path on a non fallback device to use t->net for the lookup. The lookup now matches the netns vti6_update() operates on.

Also add ns_capable(self->net->user_ns, CAP_NET_ADMIN) before the lookup. The check at the top of the case is against dev_net(dev)->user_ns, which after migration is the attacker's netns. A caller there can pick params absent from self->net, the lookup returns NULL, t becomes self, and vti6_update() inserts the device into the creation netns hash. The new check requires CAP_NET_ADMIN in the creation netns user_ns too.

SIOCADDTUNNEL and SIOCCHGTUNNEL on the fallback device keep dev_net(dev), which equals init_net there.

Fixes: 61220ab34948 ("vti6: Enable namespace changing")
Suggested-by: Jakub Kicinski
Suggested-by: Xiao Liang
Cc: stable@vger.kernel.org # v5.15+
Signed-off-by: Maoyi Xie
---
 net/ipv6/ip6_vti.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/net/ipv6/ip6_vti.c b/net/ipv6/ip6_vti.c index dcb257411d6e..df793c8bfffb 100644 --- a/net/ipv6/ip6_vti.c +++ b/net/ipv6/ip6_vti.c @@ -835,17 +835,24 @@ vti6_siocdevprivate(struct net_device *dev, struct if= req *ifr, void __user *data if (p.proto !=3D IPPROTO_IPV6 && p.proto !=3D 0) break; vti6_parm_from_user(&p1, &p); - t =3D vti6_locate(net, &p1, cmd =3D=3D SIOCADDTUNNEL); if (dev !=3D ip6n->fb_tnl_dev && cmd =3D=3D SIOCCHGTUNNEL) { + struct ip6_tnl *self =3D netdev_priv(dev); + + err =3D -EPERM; + if (!ns_capable(self->net->user_ns, CAP_NET_ADMIN)) + break; + t =3D vti6_locate(self->net, &p1, false); if (t) { if (t->dev !=3D dev) { err =3D -EEXIST; break; } } else - t =3D netdev_priv(dev); + t =3D self; =20 err =3D vti6_update(t, &p1, false); + } else { + t =3D vti6_locate(net, &p1, cmd =3D=3D SIOCADDTUNNEL); } if (t) { err =3D 0; --=20 2.34.1
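
Review bot: The added `ns_capable(self->net->user_ns, CAP_NET_ADMIN)` test in the SIOCCHGTUNNEL branch of vti6_siocdevprivate() carries no comment, and without the changelog it reads as a duplicate of the capability check the message says already sits at the top of the case. Add a short comment above it stating that dev_net(dev) and self->net can differ after a netns move and that vti6_update() modifies the hash of self->net, so the caller needs CAP_NET_ADMIN there as well. Since the branch now depends on that distinction, a selftest that moves a vti6 device to another netns and then issues SIOCCHGTUNNEL would guard both the new -EPERM path and the `vti6_locate(self->net, &p1, false)` lookup.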