ipv4: icmp: convert to dev_net_rcu()

[ Upstream commit 4b8474a0951e605d2a27a2c483da4eb4b8c63760 ]

__icmp_send() must ensure rcu_read_lock() is held, as spotted
by Jakub.

Other ICMP uses of dev_net() seem safe, change them to dev_net_rcu()
to get LOCKDEP support.

Fixes: dde1bc0e6f86 ("[NETNS]: Add namespace for ICMP replying code.")
Closes: https://lore.kernel.org/netdev/20250203153633.46ce0337@kernel.org/
Reported-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20250205155120.1676781-9-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c
index a6adf6a2ec4b574ee477d7e2bbeb91e3332c5afb..a21d32b3ae6c368666e584d3f1fecd74b9656998 100644 (file)
--- a/net/ipv4/icmp.c
+++ b/net/ipv4/icmp.c
@@ -403,10 +403,10 @@ static void icmp_push_reply(struct sock *sk,
 
 static void icmp_reply(struct icmp_bxm *icmp_param, struct sk_buff *skb)
 {
-       struct ipcm_cookie ipc;
        struct rtable *rt = skb_rtable(skb);
-       struct net *net = dev_net(rt->dst.dev);
+       struct net *net = dev_net_rcu(rt->dst.dev);
        bool apply_ratelimit = false;
+       struct ipcm_cookie ipc;
        struct flowi4 fl4;
        struct sock *sk;
        struct inet_sock *inet;
@@ -609,12 +609,14 @@ void __icmp_send(struct sk_buff *skb_in, int type, int code, __be32 info,
        struct sock *sk;
 
        if (!rt)
-               goto out;
+               return;
+
+       rcu_read_lock();
 
        if (rt->dst.dev)
-               net = dev_net(rt->dst.dev);
+               net = dev_net_rcu(rt->dst.dev);
        else if (skb_in->dev)
-               net = dev_net(skb_in->dev);
+               net = dev_net_rcu(skb_in->dev);
        else
                goto out;
 
@@ -783,7 +785,8 @@ out_unlock:
        icmp_xmit_unlock(sk);
 out_bh_enable:
        local_bh_enable();
-out:;
+out:
+       rcu_read_unlock();
 }
 EXPORT_SYMBOL(__icmp_send);
 
@@ -832,7 +835,7 @@ static void icmp_socket_deliver(struct sk_buff *skb, u32 info)
         * avoid additional coding at protocol handlers.
         */
        if (!pskb_may_pull(skb, iph->ihl * 4 + 8)) {
-               __ICMP_INC_STATS(dev_net(skb->dev), ICMP_MIB_INERRORS);
+               __ICMP_INC_STATS(dev_net_rcu(skb->dev), ICMP_MIB_INERRORS);
                return;
        }
 
@@ -866,7 +869,7 @@ static enum skb_drop_reason icmp_unreach(struct sk_buff *skb)
        struct net *net;
        u32 info = 0;
 
-       net = dev_net(skb_dst(skb)->dev);
+       net = dev_net_rcu(skb_dst(skb)->dev);
 
        /*
         *      Incomplete header ?
@@ -977,7 +980,7 @@ out_err:
 static enum skb_drop_reason icmp_redirect(struct sk_buff *skb)
 {
        if (skb->len < sizeof(struct iphdr)) {
-               __ICMP_INC_STATS(dev_net(skb->dev), ICMP_MIB_INERRORS);
+               __ICMP_INC_STATS(dev_net_rcu(skb->dev), ICMP_MIB_INERRORS);
                return SKB_DROP_REASON_PKT_TOO_SMALL;
        }
 
@@ -1009,7 +1012,7 @@ static enum skb_drop_reason icmp_echo(struct sk_buff *skb)
        struct icmp_bxm icmp_param;
        struct net *net;
 
-       net = dev_net(skb_dst(skb)->dev);
+       net = dev_net_rcu(skb_dst(skb)->dev);
        /* should there be an ICMP stat for ignored echos? */
        if (READ_ONCE(net->ipv4.sysctl_icmp_echo_ignore_all))
                return SKB_NOT_DROPPED_YET;
@@ -1038,9 +1041,9 @@ static enum skb_drop_reason icmp_echo(struct sk_buff *skb)
 
 bool icmp_build_probe(struct sk_buff *skb, struct icmphdr *icmphdr)
 {
+       struct net *net = dev_net_rcu(skb->dev);
        struct icmp_ext_hdr *ext_hdr, _ext_hdr;
        struct icmp_ext_echo_iio *iio, _iio;
-       struct net *net = dev_net(skb->dev);
        struct inet6_dev *in6_dev;
        struct in_device *in_dev;
        struct net_device *dev;
@@ -1179,7 +1182,7 @@ static enum skb_drop_reason icmp_timestamp(struct sk_buff *skb)
        return SKB_NOT_DROPPED_YET;
 
 out_err:
-       __ICMP_INC_STATS(dev_net(skb_dst(skb)->dev), ICMP_MIB_INERRORS);
+       __ICMP_INC_STATS(dev_net_rcu(skb_dst(skb)->dev), ICMP_MIB_INERRORS);
        return SKB_DROP_REASON_PKT_TOO_SMALL;
 }
 
@@ -1196,7 +1199,7 @@ int icmp_rcv(struct sk_buff *skb)
 {
        enum skb_drop_reason reason = SKB_DROP_REASON_NOT_SPECIFIED;
        struct rtable *rt = skb_rtable(skb);
-       struct net *net = dev_net(rt->dst.dev);
+       struct net *net = dev_net_rcu(rt->dst.dev);
        struct icmphdr *icmph;
 
        if (!xfrm4_policy_check(NULL, XFRM_POLICY_IN, skb)) {
@@ -1369,9 +1372,9 @@ int icmp_err(struct sk_buff *skb, u32 info)
        struct iphdr *iph = (struct iphdr *)skb->data;
        int offset = iph->ihl<<2;
        struct icmphdr *icmph = (struct icmphdr *)(skb->data + offset);
+       struct net *net = dev_net_rcu(skb->dev);
        int type = icmp_hdr(skb)->type;
        int code = icmp_hdr(skb)->code;
-       struct net *net = dev_net(skb->dev);
 
        /*
         * Use ping_err to handle all icmp errors except those