flow_dissector: use RCU protection to fetch dev_net()

[ Upstream commit afec62cd0a4191cde6dd3a75382be4d51a38ce9b ]

__skb_flow_dissect() can be called from arbitrary contexts.

It must extend its RCU protection section to include
the call to dev_net(), which can become dev_net_rcu().

This makes sure the net structure can not disappear under us.

Fixes: 9b52e3f267a6 ("flow_dissector: handle no-skb use case")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Link: https://patch.msgid.link/20250205155120.1676781-10-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/net/core/flow_dissector.c b/net/core/flow_dissector.c
index fba8eb1bb28154243156ccb9e2d0c4977edd1625..de17f1323238162ae4886e6023f83cbc3ecb7cea 100644 (file)
--- a/net/core/flow_dissector.c
+++ b/net/core/flow_dissector.c
@@ -1004,10 +1004,12 @@ bool __skb_flow_dissect(const struct net *net,
                                              FLOW_DISSECTOR_KEY_BASIC,
                                              target_container);
 
+       rcu_read_lock();
+
        if (skb) {
                if (!net) {
                        if (skb->dev)
-                               net = dev_net(skb->dev);
+                               net = dev_net_rcu(skb->dev);
                        else if (skb->sk)
                                net = sock_net(skb->sk);
                }
@@ -1018,7 +1020,6 @@ bool __skb_flow_dissect(const struct net *net,
                enum netns_bpf_attach_type type = NETNS_BPF_FLOW_DISSECTOR;
                struct bpf_prog_array *run_array;
 
-               rcu_read_lock();
                run_array = rcu_dereference(init_net.bpf.run_array[type]);
                if (!run_array)
                        run_array = rcu_dereference(net->bpf.run_array[type]);
@@ -1046,17 +1047,17 @@ bool __skb_flow_dissect(const struct net *net,
                        prog = READ_ONCE(run_array->items[0].prog);
                        result = bpf_flow_dissect(prog, &ctx, n_proto, nhoff,
                                                  hlen, flags);
-                       if (result == BPF_FLOW_DISSECTOR_CONTINUE)
-                               goto dissect_continue;
-                       __skb_flow_bpf_to_target(&flow_keys, flow_dissector,
-                                                target_container);
-                       rcu_read_unlock();
-                       return result == BPF_OK;
+                       if (result != BPF_FLOW_DISSECTOR_CONTINUE) {
+                               __skb_flow_bpf_to_target(&flow_keys, flow_dissector,
+                                                        target_container);
+                               rcu_read_unlock();
+                               return result == BPF_OK;
+                       }
                }
-dissect_continue:
-               rcu_read_unlock();
        }
 
+       rcu_read_unlock();
+
        if (dissector_uses_key(flow_dissector,
                               FLOW_DISSECTOR_KEY_ETH_ADDRS)) {
                struct ethhdr *eth = eth_hdr(skb);