rtnl_getlink() uses an RCU lookup to get the netdevice pointer.

When/If rtnl_lock() is used, we should check if the netdevice is not being dismantled before potentially performing illegal actions.

Move dev_isalive() out of net/core/net-sysfs.c and make it available in net/core/dev.h.

Return -ENODEV if rtnl_getlink() finds a device which is currently being dismantled and RTNL is requested.

Fixes: e896e5c0734b ("rtnetlink: do not acquire RTNL in rtnl_getlink() with RTEXT_FILTER_NAME_ONLY")
Signed-off-by: Eric Dumazet
Suggested-by: Jakub Kicinski
Cc: Jiayuan Chen
---
v2: clear nskb (Jiayuan Chen)
    move dev_isalive() to net/core/dev.h (Jakub Kicinski)

 net/core/dev.h | 6 ++++++
 net/core/net-sysfs.c | 6 ------
 net/core/rtnetlink.c | 6 ++++++
 3 files changed, 12 insertions(+), 6 deletions(-)

diff --git a/net/core/dev.h b/net/core/dev.h index 0cf24b8f5008a951f569ff1b51da91a0e19b347f..9e94314408695be763320aa8282340842f7303e2 100644 --- a/net/core/dev.h +++ b/net/core/dev.h @@ -396,4 +396,10 @@ int dev_get_hwtstamp_phylib(struct net_device *dev, struct kernel_hwtstamp_config *cfg); int net_hwtstamp_validate(const struct kernel_hwtstamp_config *cfg); +/* Caller holds RTNL, netdev->lock or RCU */ +static inline bool dev_isalive(const struct net_device *dev) +{ + return READ_ONCE(dev->reg_state) <= NETREG_REGISTERED; +} + #endif diff --git a/net/core/net-sysfs.c b/net/core/net-sysfs.c index 3318b5666e438fe5bab2bcfed2bb260c7b4d5a63..0e71c9ed41e81d85af33a4339f556a0c5d760243 100644 --- a/net/core/net-sysfs.c +++ b/net/core/net-sysfs.c 
@@ -37,12 +37,6 @@ static const char fmt_uint[] = "%u\n"; static const char fmt_ulong[] = "%lu\n"; static const char fmt_u64[] = "%llu\n"; -/* Caller holds RTNL, netdev->lock or RCU */ -static inline int dev_isalive(const struct net_device *dev) -{ - return READ_ONCE(dev->reg_state) <= NETREG_REGISTERED; -} - /* There is a possible ABBA deadlock between rtnl_lock and kernfs_node->active, * when unregistering a net device and accessing associated sysfs files. The * potential deadlock is as follow: diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c index d0b0499dddea37148f6a86d9464c40319610129d..1761376cdfd5d5ed41c3dd3089c812b3625e3a94 100644 --- a/net/core/rtnetlink.c +++ b/net/core/rtnetlink.c @@ -4267,6 +4267,11 @@ static int rtnl_getlink(struct sk_buff *skb, struct nlmsghdr *nlh, retry: if (need_rtnl) { rtnl_lock(); + if (!dev_isalive(dev)) { + err = -ENODEV; + nskb = NULL; + goto unlock; + } /* Synchronize the carrier state so we don't report a state * that we're not actually going to honour immediately; if * the driver just did a carrier off->on transition, we can @@ -4284,6 +4289,7 @@ static int rtnl_getlink(struct sk_buff *skb, struct nlmsghdr *nlh, nlh->nlmsg_seq, 0, 0, ext_filter_mask, 0, NULL, 0, netnsid, GFP_KERNEL); +unlock: if (need_rtnl) rtnl_unlock(); -- 2.54.0.1032.g2f8565e1d1-goog
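Review bot: in the net/core/dev.h hunk, dev_isalive() changes its return type from int to bool as part of the move, but the changelog only describes the move; a line mentioning the type change would keep it from looking accidental. Now that the helper is shared across net/core, the comment "Caller holds RTNL, netdev->lock or RCU" could also say that under RCU alone the result is only a snapshot of reg_state and can change right after the READ_ONCE().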
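Review bot: in the first net/core/rtnetlink.c hunk, the dev_isalive() test sits inside if (need_rtnl), so a request that does not take RTNL can still get a reply for a device that is being dismantled while the RTNL path returns -ENODEV. If that difference is intended, a short comment above the check would make it explicit. The nskb = NULL assignment deserves a comment as well, since the hunk does not show why the error path needs it cleared. The check also reads dev->reg_state after rtnl_lock(), which can sleep, so it depends on a reference on dev taken earlier in the function; that is not visible in these lines and is worth confirming.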