From: Eric Dumazet Date: Fri, 7 Feb 2025 13:58:35 +0000 (+0000) Subject: neighbour: use RCU protection in __neigh_notify() X-Git-Tag: v5.10.235~177 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=8666e9aab801328c1408a19fbf4070609dc0695a;p=thirdparty%2Fkernel%2Fstable.git neighbour: use RCU protection in __neigh_notify() [ Upstream commit becbd5850c03ed33b232083dd66c6e38c0c0e569 ] __neigh_notify() can be called without RTNL or RCU protection. Use RCU protection to avoid potential UAF. Fixes: 426b5303eb43 ("[NETNS]: Modify the neighbour table code so it handles multiple network namespaces") Signed-off-by: Eric Dumazet Reviewed-by: David Ahern Reviewed-by: Kuniyuki Iwashima Link: https://patch.msgid.link/20250207135841.1948589-4-edumazet@google.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin --- diff --git a/net/core/neighbour.c b/net/core/neighbour.c index bd017b220cfed..f04ba63e98515 100644 --- a/net/core/neighbour.c +++ b/net/core/neighbour.c @@ -3369,10 +3369,12 @@ static const struct seq_operations neigh_stat_seq_ops = { static void __neigh_notify(struct neighbour *n, int type, int flags, u32 pid) { - struct net *net = dev_net(n->dev); struct sk_buff *skb; int err = -ENOBUFS; + struct net *net; + rcu_read_lock(); + net = dev_net_rcu(n->dev); skb = nlmsg_new(neigh_nlmsg_size(), GFP_ATOMIC); if (skb == NULL) goto errout; @@ -3385,9 +3387,11 @@ static void __neigh_notify(struct neighbour *n, int type, int flags, goto errout; } rtnl_notify(skb, net, 0, RTNLGRP_NEIGH, NULL, GFP_ATOMIC); - return; + goto out; errout: rtnl_set_sk_err(net, RTNLGRP_NEIGH, err); +out: + rcu_read_unlock(); } void neigh_app_ns(struct neighbour *n)