ipv6: use RCU in ip6_output()

Use RCU in ip6_output() in order to use dst_dev_rcu() to prevent
possible UAF.

We can remove rcu_read_lock()/rcu_read_unlock() pairs
from ip6_finish_output2().

Fixes: 4a6ce2b6f2ec ("net: introduce a new function dst_dev_put()")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: David Ahern <dsahern@kernel.org>
Link: https://patch.msgid.link/20250828195823.3958522-5-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
index e234640433d6b30d3c13d8367dbe7270ddb2c9d7..9d64c13bab5eacb4cc05c78cccd86a7aeb36d37e 100644 (file)
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -60,7 +60,7 @@
 static int ip6_finish_output2(struct net *net, struct sock *sk, struct sk_buff *skb)
 {
        struct dst_entry *dst = skb_dst(skb);
-       struct net_device *dev = dst_dev(dst);
+       struct net_device *dev = dst_dev_rcu(dst);
        struct inet6_dev *idev = ip6_dst_idev(dst);
        unsigned int hh_len = LL_RESERVED_SPACE(dev);
        const struct in6_addr *daddr, *nexthop;
@@ -70,15 +70,12 @@ static int ip6_finish_output2(struct net *net, struct sock *sk, struct sk_buff *
 
        /* Be paranoid, rather than too clever. */
        if (unlikely(hh_len > skb_headroom(skb)) && dev->header_ops) {
-               /* Make sure idev stays alive */
-               rcu_read_lock();
+               /* idev stays alive because we hold rcu_read_lock(). */
                skb = skb_expand_head(skb, hh_len);
                if (!skb) {
                        IP6_INC_STATS(net, idev, IPSTATS_MIB_OUTDISCARDS);
-                       rcu_read_unlock();
                        return -ENOMEM;
                }
-               rcu_read_unlock();
        }
 
        hdr = ipv6_hdr(skb);
@@ -123,7 +120,6 @@ static int ip6_finish_output2(struct net *net, struct sock *sk, struct sk_buff *
 
        IP6_UPD_PO_STATS(net, idev, IPSTATS_MIB_OUT, skb->len);
 
-       rcu_read_lock();
        nexthop = rt6_nexthop(dst_rt6_info(dst), daddr);
        neigh = __ipv6_neigh_lookup_noref(dev, nexthop);
 
@@ -131,7 +127,6 @@ static int ip6_finish_output2(struct net *net, struct sock *sk, struct sk_buff *
                if (unlikely(!neigh))
                        neigh = __neigh_create(&nd_tbl, nexthop, dev, false);
                if (IS_ERR(neigh)) {
-                       rcu_read_unlock();
                        IP6_INC_STATS(net, idev, IPSTATS_MIB_OUTNOROUTES);
                        kfree_skb_reason(skb, SKB_DROP_REASON_NEIGH_CREATEFAIL);
                        return -EINVAL;
@@ -139,7 +134,6 @@ static int ip6_finish_output2(struct net *net, struct sock *sk, struct sk_buff *
        }
        sock_confirm_neigh(skb, neigh);
        ret = neigh_output(neigh, skb, false);
-       rcu_read_unlock();
        return ret;
 }
 
@@ -233,22 +227,29 @@ static int ip6_finish_output(struct net *net, struct sock *sk, struct sk_buff *s
 int ip6_output(struct net *net, struct sock *sk, struct sk_buff *skb)
 {
        struct dst_entry *dst = skb_dst(skb);
-       struct net_device *dev = dst_dev(dst), *indev = skb->dev;
-       struct inet6_dev *idev = ip6_dst_idev(dst);
+       struct net_device *dev, *indev = skb->dev;
+       struct inet6_dev *idev;
+       int ret;
 
        skb->protocol = htons(ETH_P_IPV6);
+       rcu_read_lock();
+       dev = dst_dev_rcu(dst);
+       idev = ip6_dst_idev(dst);
        skb->dev = dev;
 
        if (unlikely(!idev || READ_ONCE(idev->cnf.disable_ipv6))) {
                IP6_INC_STATS(net, idev, IPSTATS_MIB_OUTDISCARDS);
+               rcu_read_unlock();
                kfree_skb_reason(skb, SKB_DROP_REASON_IPV6DISABLED);
                return 0;
        }
 
-       return NF_HOOK_COND(NFPROTO_IPV6, NF_INET_POST_ROUTING,
-                           net, sk, skb, indev, dev,
-                           ip6_finish_output,
-                           !(IP6CB(skb)->flags & IP6SKB_REROUTED));
+       ret = NF_HOOK_COND(NFPROTO_IPV6, NF_INET_POST_ROUTING,
+                          net, sk, skb, indev, dev,
+                          ip6_finish_output,
+                          !(IP6CB(skb)->flags & IP6SKB_REROUTED));
+       rcu_read_unlock();
+       return ret;
 }
 EXPORT_SYMBOL(ip6_output);