| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20250911030620.1284754-2-kuniyu@google.com>
Date: Thu, 11 Sep 2025 03:05:29 +0000
From: Kuniyuki Iwashima <kuniyu@...gle.com>
To: "David S. Miller" <davem@...emloft.net>, Eric Dumazet <edumazet@...gle.com>,
Jakub Kicinski <kuba@...nel.org>, Paolo Abeni <pabeni@...hat.com>
Cc: Simon Horman <horms@...nel.org>, Kuniyuki Iwashima <kuniyu@...gle.com>,
Kuniyuki Iwashima <kuni1840@...il.com>, netdev@...r.kernel.org
Subject: [PATCH v1 net 1/8] net: Add sk_dst_dev_rcu() and sk_dst_dev_get().
dst->dev is safe under RTNL or RCU.
syzbot demonstrated that an unsafe use of sk_dst_get()->dev
leads to use-after-free.
Let's add two helpers to fix such issues.
Signed-off-by: Kuniyuki Iwashima <kuniyu@...gle.com>
---
include/net/sock.h | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
diff --git a/include/net/sock.h b/include/net/sock.h
index fb13322a11fc..e1ae975c1920 100644
--- a/include/net/sock.h
+++ b/include/net/sock.h
@@ -2157,6 +2157,25 @@ sk_dst_get(const struct sock *sk)
return dst;
}
+static inline struct net_device *sk_dst_dev_rcu(const struct sock *sk)
+{
+ struct dst_entry *dst = __sk_dst_get(sk);
+
+ return dst ? dst_dev_rcu(dst) : NULL;
+}
+
+static inline struct net_device *sk_dst_dev_get(const struct sock *sk)
+{
+ struct net_device *dev;
+
+ rcu_read_lock();
+ dev = sk_dst_dev_rcu(sk);
+ dev_hold(dev);
+ rcu_read_unlock();
+
+ return dev;
+}
+
static inline void __dst_negative_advice(struct sock *sk)
{
struct dst_entry *dst = __sk_dst_get(sk);
--
2.51.0.384.g4c02a37b29-goog
Powered by blists - more mailing lists