neighbour: use RCU protection in __neigh_notify()

[ Upstream commit becbd5850c03ed33b232083dd66c6e38c0c0e569 ]

__neigh_notify() can be called without RTNL or RCU protection.

Use RCU protection to avoid potential UAF.

Fixes: 426b5303eb43 ("[NETNS]: Modify the neighbour table code so it handles multiple network namespaces")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: David Ahern <dsahern@kernel.org>
Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Link: https://patch.msgid.link/20250207135841.1948589-4-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/net/core/neighbour.c b/net/core/neighbour.c
index bd017b220cfeda5f6f4fb53341d621162aab3c0d..f04ba63e985153d04742a273f8f78301dfe1163c 100644 (file)
--- a/net/core/neighbour.c
+++ b/net/core/neighbour.c
@@ -3369,10 +3369,12 @@ static const struct seq_operations neigh_stat_seq_ops = {
 static void __neigh_notify(struct neighbour *n, int type, int flags,
                           u32 pid)
 {
-       struct net *net = dev_net(n->dev);
        struct sk_buff *skb;
        int err = -ENOBUFS;
+       struct net *net;
 
+       rcu_read_lock();
+       net = dev_net_rcu(n->dev);
        skb = nlmsg_new(neigh_nlmsg_size(), GFP_ATOMIC);
        if (skb == NULL)
                goto errout;
@@ -3385,9 +3387,11 @@ static void __neigh_notify(struct neighbour *n, int type, int flags,
                goto errout;
        }
        rtnl_notify(skb, net, 0, RTNLGRP_NEIGH, NULL, GFP_ATOMIC);
-       return;
+       goto out;
 errout:
        rtnl_set_sk_err(net, RTNLGRP_NEIGH, err);
+out:
+       rcu_read_unlock();
 }
 
 void neigh_app_ns(struct neighbour *n)