From nobody Mon Jun 8 16:31:19 2026 Received: from m16.mail.163.com (m16.mail.163.com [117.135.210.5]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id AB840305660; Thu, 28 May 2026 03:06:53 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=117.135.210.5 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779937619; cv=none; b=j9U952iQNZDJAFYa55I/PLBrzkLo6CgTQK30hdJyqk7TLeQ3Ov5ObxRGmHEeNnwMAdAlwhQryY7D8Ak16WuSL1/s2huO6T2T5ws2YMxHnDBRZtcJ9ddRqB3eRS/HsuOYIcf7d4DoiMBfzpqtpG/aqOuBzyiiet49r8x+2gBpato= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779937619; c=relaxed/simple; bh=TcIV9BaWJZBJf+siaIArVIvsEA4HBZ3tRlG/JYdRbMI=; h=From:To:Cc:Subject:Date:Message-Id:MIME-Version; b=QjzLjVV3SlWEzdvYrQnMd+FOW2+LARBwYKzEYC1ORauIgxl/BX7/+deJqlWrn4qG/9LoVgAbnWo32PvVW08gXfTZntaTnSYbElH34RshUbZtbcFPoE++ua7YAT6ltd9rYWgl8Mlqu77LkKI184sEPp0Di6ZxoEgivg0D+fBYR7Q= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=163.com; spf=pass smtp.mailfrom=163.com; dkim=pass (1024-bit key) header.d=163.com header.i=@163.com header.b=X4rpzlym; arc=none smtp.client-ip=117.135.210.5 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=163.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=163.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=163.com header.i=@163.com header.b="X4rpzlym" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=163.com; s=s110527; h=From:To:Subject:Date:Message-Id:MIME-Version; bh=pS T2nE1ZdntpdiRrgvI6nKA2ljNSTqu3KfCGCuxvpw4=; b=X4rpzlymQDSDUFmCrE 8NCJyYYtx3nPtMy6I+4Mb2nPo2vl2lxZKa0r/x17+aeuE1IKQc1a0NEjDKnDfQqg DSsz4Kckob3Ohs7mwfgksa3CIS5Knq4JpwbGbCN6W2YmJVzpf4ew7yrogEgagtIP TCuBodTKjsvOqhUALYNZVPGek= Received: from pek-lpg-core5.wrs.com (unknown []) by gzga-smtp-mtada-g0-2 (Coremail) with SMTP id _____wAHZewSsRdqsskMAA--.1791S2; Thu, 28 May 2026 11:05:55 +0800 (CST) From: Robert Garcia To: stable@vger.kernel.org, Eric Dumazet Cc: Jakub Kicinski , David Ahern , Paolo Abeni , Martin KaFai Lau , Wei Wang , "David S . Miller" , Robert Garcia , netdev@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH 6.6.y] ipv4: start using dst_dev_rcu() Date: Thu, 28 May 2026 11:05:54 +0800 Message-Id: <20260528030554.3147155-1-rob_garcia@163.com> X-Mailer: git-send-email 2.34.1 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-CM-TRANSID: _____wAHZewSsRdqsskMAA--.1791S2 X-Coremail-Antispam: 1Uf129KBjvJXoWxJF4kGrW3Kw47Cw47Xr47Arb_yoWrGr1Upr n8tFZ3trWUXr1UW3ykAF4kZryagw4kGasxuw18A3yag3WDX3ZYyFy8trWaqF4F9FWYyFWY qF1jvF47Aw1UJaDanT9S1TB71UUUUU7qnTZGkaVYY2UrUUUUjbIjqfuFe4nvWSU5nxnvy2 9KBjDUYxBIdaVFxhVjvjDU0xZFpf9x0pRAnY8UUUUU= X-CM-SenderInfo: 5uresw5dufxti6rwjhhfrp/xtbDARTRPWoXsRTN7AAA3A Content-Type: text/plain; charset="utf-8" From: Eric Dumazet [ Upstream commit 6ad8de3cefdb6ffa6708b21c567df0dbf82c43a8 ] Change icmpv4_xrlim_allow(), ip_defrag() to prevent possible UAF. Change ipmr_prepare_xmit(), ipmr_queue_fwd_xmit(), ip_mr_output(), ipv4_neigh_lookup() to use lockdep enabled dst_dev_rcu(). Fixes: 4a6ce2b6f2ec ("net: introduce a new function dst_dev_put()") Signed-off-by: Eric Dumazet Reviewed-by: David Ahern Link: https://patch.msgid.link/20250828195823.3958522-9-edumazet@google.com Signed-off-by: Jakub Kicinski [ Minor modifications made to adapt current code. ] Signed-off-by: Robert Garcia --- net/ipv4/icmp.c | 4 ++-- net/ipv4/ip_fragment.c | 6 ++++-- net/ipv4/ipmr.c | 4 ++-- net/ipv4/route.c | 4 ++-- 4 files changed, 10 insertions(+), 8 deletions(-) diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c index 3fcf11f83d87..29a2162398e7 100644 --- a/net/ipv4/icmp.c +++ b/net/ipv4/icmp.c @@ -319,16 +319,16 @@ static bool icmpv4_xrlim_allow(struct net *net, struc= t rtable *rt, return true; =20 /* No rate limit on loopback */ + rcu_read_lock(); if (dst->dev && (dst->dev->flags&IFF_LOOPBACK)) goto out; =20 - rcu_read_lock(); peer =3D inet_getpeer_v4(net->ipv4.peers, fl4->daddr, l3mdev_master_ifindex_rcu(dst->dev)); rc =3D inet_peer_xrlim_allow(peer, READ_ONCE(net->ipv4.sysctl_icmp_ratelimit)); - rcu_read_unlock(); out: + rcu_read_unlock(); if (!rc) __ICMP_INC_STATS(net, ICMP_MIB_RATELIMITHOST); else diff --git a/net/ipv4/ip_fragment.c b/net/ipv4/ip_fragment.c index 484edc8513e4..efc50d21d954 100644 --- a/net/ipv4/ip_fragment.c +++ b/net/ipv4/ip_fragment.c @@ -488,13 +488,15 @@ static int ip_frag_reasm(struct ipq *qp, struct sk_bu= ff *skb, /* Process an incoming IP datagram fragment. */ int ip_defrag(struct net *net, struct sk_buff *skb, u32 user) { - struct net_device *dev =3D skb->dev ? : skb_dst(skb)->dev; - int vif =3D l3mdev_master_ifindex_rcu(dev); + struct net_device *dev; struct ipq *qp; + int vif; =20 __IP_INC_STATS(net, IPSTATS_MIB_REASMREQDS); =20 /* Lookup (or create) queue header */ + dev =3D skb->dev ? : skb_dst_dev_rcu(skb); + vif =3D l3mdev_master_ifindex_rcu(dev); qp =3D ip_find(net, ip_hdr(skb), user, vif); if (qp) { int ret; diff --git a/net/ipv4/ipmr.c b/net/ipv4/ipmr.c index af9412a507cf..948e826900fa 100644 --- a/net/ipv4/ipmr.c +++ b/net/ipv4/ipmr.c @@ -1905,7 +1905,7 @@ static void ipmr_queue_xmit(struct net *net, struct m= r_table *mrt, goto out_free; } =20 - encap +=3D LL_RESERVED_SPACE(dev) + rt->dst.header_len; + encap +=3D LL_RESERVED_SPACE(dst_dev_rcu(&rt->dst)) + rt->dst.header_len; =20 if (skb_cow(skb, encap)) { ip_rt_put(rt); @@ -1942,7 +1942,7 @@ static void ipmr_queue_xmit(struct net *net, struct m= r_table *mrt, * result in receiving multiple packets. */ NF_HOOK(NFPROTO_IPV4, NF_INET_FORWARD, - net, NULL, skb, skb->dev, dev, + net, NULL, skb, skb->dev, dst_dev_rcu(&rt->dst), ipmr_forward_finish); return; =20 diff --git a/net/ipv4/route.c b/net/ipv4/route.c index f134c59f839e..0ea017bcea47 100644 --- a/net/ipv4/route.c +++ b/net/ipv4/route.c @@ -416,11 +416,11 @@ static struct neighbour *ipv4_neigh_lookup(const stru= ct dst_entry *dst, const void *daddr) { const struct rtable *rt =3D container_of(dst, struct rtable, dst); - struct net_device *dev =3D dst->dev; + struct net_device *dev; struct neighbour *n; =20 rcu_read_lock(); - + dev =3D dst_dev_rcu(dst); if (likely(rt->rt_gw_family =3D=3D AF_INET)) { n =3D ip_neigh_gw4(dev, rt->rt_gw4); } else if (rt->rt_gw_family =3D=3D AF_INET6) { --=20 2.34.1