vrf: use RCU protection in l3mdev_l3_out()

JIRA: https://issues.redhat.com/browse/RHEL-81542 Upstream Status: linux.git CVE: CVE-2025-21791 commit 6d0ce46a93135d96b7fa075a94a88fe0da8e8773 Author: Eric Dumazet <edumazet@google.com> Date: Fri Feb 7 13:58:38 2025 +0000 vrf: use RCU protection in l3mdev_l3_out() l3mdev_l3_out() can be called without RCU being held: raw_sendmsg() ip_push_pending_frames() ip_send_skb() ip_local_out() __ip_local_out() l3mdev_ip_out() Add rcu_read_lock() / rcu_read_unlock() pair to avoid a potential UAF. Fixes: a8e3e1a9 ("net: l3mdev: Add hook to output path") Signed-off-by: Eric Dumazet <edumazet@google.com> Reviewed-by: David Ahern <dsahern@kernel.org> Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com> Link: https://patch.msgid.link/20250207135841.1948589-7-edumazet@google.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Guillaume Nault <gnault@redhat.com>

vrf: use RCU protection in l3mdev_l3_out()
40c5e224 · Guillaume Nault · 15b5887e · 40c5e224
Commit 40c5e224 authored 1 month ago by Guillaume Nault
--- a/include/net/l3mdev.h
+++ b/include/net/l3mdev.h
@@ -209,10 +209,12 @@ struct sk_buff *l3mdev_l3_out(struct sock *sk, struct sk_buff *skb, u16 proto)
 	if (netif_is_l3_slave(dev)) {
 		struct net_device *master;

+		rcu_read_lock();
 		master = netdev_master_upper_dev_get_rcu(dev);
 		if (master && master->l3mdev_ops->l3mdev_l3_out)
 			skb = master->l3mdev_ops->l3mdev_l3_out(master, sk,
 								skb, proto);
+		rcu_read_unlock();
 	}

 	return skb;