From: Haoze Xie
Several l3mdev slave-side helpers resolve an upper device and then use l3mdev_ops without first proving that the resolved device is still a valid L3 master. During slave transition, an RCU reader can transiently observe an upper that is not an L3 master. Guard the affected slave-resolved paths by requiring the resolved upper to still be an L3 master before using l3mdev_ops, while keeping existing L3 RX handler providers intact.
Fixes: fdeea7be88b1 ("net: vrf: Set slave's private flag before linking")
Cc: stable@kernel.org
Reported-by: Yifan Wu
Reported-by: Juefei Pu
Co-developed-by: Yuan Tan
Signed-off-by: Yuan Tan
Suggested-by: Xin Liu
Tested-by: Haoze Xie
Signed-off-by: Haoze Xie
Signed-off-by: Ao Zhou
---
Changes in v3:
- Extend the same guard to l3mdev_l3_rcv() and l3mdev_l3_out().
- Keep existing IFF_L3MDEV_RX_HANDLER providers such as ipvlan_l3s working by only applying the extra master check to the slave-resolved upper case in l3mdev_l3_rcv().
- v2 Link: https://lore.kernel.org/all/429dd4a81d4ca5624ab9f6d7b53c5fe08552c734.1775443332.git.royenheart@gmail.com/
Changes in v2:
- Point Fixes to the VRF slave ordering change identified in review.
- Add David Ahern's Reviewed-by trailer in that revision.
- v1 Link: https://lore.kernel.org/all/b3b88cddc7e79d4b43756b26ae5db965678f3ba9.1775062214.git.royenheart@gmail.com/
 include/net/l3mdev.h | 18 +++++++++++-------
 net/l3mdev/l3mdev.c | 2 +-
 2 files changed, 12 insertions(+), 8 deletions(-)
diff --git a/include/net/l3mdev.h b/include/net/l3mdev.h
index 710e98665eb3..aed52bf03956 100644
--- a/include/net/l3mdev.h
+++ b/include/net/l3mdev.h
@@ -180,14 +180,17 @@ struct sk_buff *l3mdev_l3_rcv(struct sk_buff *skb, u16 proto)
 {
 struct net_device *master = NULL;
 
- if (netif_is_l3_slave(skb->dev))
+ if (netif_is_l3_slave(skb->dev)) {
 master = netdev_master_upper_dev_get_rcu(skb->dev);
- else if (netif_is_l3_master(skb->dev) ||
- netif_has_l3_rx_handler(skb->dev))
+ if (master && netif_is_l3_master(master) &&
+ master->l3mdev_ops->l3mdev_l3_rcv)
+ skb = master->l3mdev_ops->l3mdev_l3_rcv(master, skb, proto);
+ } else if (netif_is_l3_master(skb->dev) ||
+ netif_has_l3_rx_handler(skb->dev)) {
 master = skb->dev;
-
- if (master && master->l3mdev_ops->l3mdev_l3_rcv)
- skb = master->l3mdev_ops->l3mdev_l3_rcv(master, skb, proto);
+ if (master->l3mdev_ops->l3mdev_l3_rcv)
+ skb = master->l3mdev_ops->l3mdev_l3_rcv(master, skb, proto);
+ }
 
 return skb;
 }
@@ -215,7 +218,8 @@ struct sk_buff *l3mdev_l3_out(struct sock *sk, struct sk_buff *skb, u16 proto)
 struct net_device *master;
 
 master = netdev_master_upper_dev_get_rcu(dev);
- if (master && master->l3mdev_ops->l3mdev_l3_out)
+ if (master && netif_is_l3_master(master) &&
+ master->l3mdev_ops->l3mdev_l3_out)
 skb = master->l3mdev_ops->l3mdev_l3_out(master, sk, skb, proto);
 }
diff --git a/net/l3mdev/l3mdev.c b/net/l3mdev/l3mdev.c
index 5432a5f2dfc8..b8a3030cb2c4 100644
--- a/net/l3mdev/l3mdev.c
+++ b/net/l3mdev/l3mdev.c
@@ -177,7 +177,7 @@ u32 l3mdev_fib_table_rcu(const struct net_device *dev)
 const struct net_device *master;
 
 master = netdev_master_upper_dev_get_rcu(_dev);
- if (master &&
+ if (master && netif_is_l3_master(master) &&
 master->l3mdev_ops->l3mdev_fib_table)
 tb_id = master->l3mdev_ops->l3mdev_fib_table(master);
 }
--
2.53.0
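Review bot: The added `netif_is_l3_master(master)` test in the slave branch of l3mdev_l3_rcv() is only sufficient if every device carrying the L3-master flag also has a non-NULL `l3mdev_ops` for as long as an RCU reader can reach it; the flag and the ops pointer are read separately and nothing in the hunk states that invariant. A short comment above the check would record why it is there and keep it from being removed as redundant later, for example `/* slave flag can be visible before the upper is an L3 master; do not touch l3mdev_ops unless it is one */`. The same comment applies to the guards added in l3mdev_l3_out() and l3mdev_fib_table_rcu(), whose bodies start outside their hunks. As a style point, the `l3mdev_l3_rcv` call is now written out in both branches; clearing the pointer in the slave branch with `if (master && !netif_is_l3_master(master)) master = NULL;` would leave the original single `if (master && master->l3mdev_ops->l3mdev_l3_rcv)` tail call in place and give the same behaviour.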