ipv4: use RCU protection in ip_dst_mtu_maybe_forward()

[ Upstream commit 071d8012869b6af352acca346ade13e7be90a49f ]

ip_dst_mtu_maybe_forward() must use RCU protection to make
sure the net structure it reads does not disappear.

Fixes: f87c10a8aa1e8 ("ipv4: introduce ip_dst_mtu_maybe_forward and protect forwarding path against pmtu spoofing")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Link: https://patch.msgid.link/20250205155120.1676781-4-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/include/net/ip.h b/include/net/ip.h
index d92d3bc3ec0e25731ee3917ef9db5f0ade56952b..fe4f8543811433e34d7578b514138fa3548fb39e 100644 (file)
--- a/include/net/ip.h
+++ b/include/net/ip.h
@@ -465,9 +465,12 @@ static inline unsigned int ip_dst_mtu_maybe_forward(const struct dst_entry *dst,
                                                    bool forwarding)
 {
        const struct rtable *rt = dst_rtable(dst);
-       struct net *net = dev_net(dst->dev);
-       unsigned int mtu;
+       unsigned int mtu, res;
+       struct net *net;
+
+       rcu_read_lock();
 
+       net = dev_net_rcu(dst->dev);
        if (READ_ONCE(net->ipv4.sysctl_ip_fwd_use_pmtu) ||
            ip_mtu_locked(dst) ||
            !forwarding) {
@@ -491,7 +494,11 @@ static inline unsigned int ip_dst_mtu_maybe_forward(const struct dst_entry *dst,
 out:
        mtu = min_t(unsigned int, mtu, IP_MAX_MTU);
 
-       return mtu - lwtunnel_headroom(dst->lwtstate, mtu);
+       res = mtu - lwtunnel_headroom(dst->lwtstate, mtu);
+
+       rcu_read_unlock();
+
+       return res;
 }
 
 static inline unsigned int ip_skb_dst_mtu(struct sock *sk,