vrf: use RCU protection in l3mdev_l3_out()

l3mdev_l3_out() can be called without RCU being held:

raw_sendmsg()
 ip_push_pending_frames()
  ip_send_skb()
   ip_local_out()
    __ip_local_out()
     l3mdev_ip_out()

Add rcu_read_lock() / rcu_read_unlock() pair to avoid
a potential UAF.

Fixes: a8e3e1a9f020 ("net: l3mdev: Add hook to output path")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: David Ahern <dsahern@kernel.org>
Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Link: https://patch.msgid.link/20250207135841.1948589-7-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

diff --git a/include/net/l3mdev.h b/include/net/l3mdev.h
index 2d6141f28b53097fe452cbdaf5faa977fc6e6782..f7fe796e8429a5e633f7540430675a728ed4de66 100644 (file)
--- a/include/net/l3mdev.h
+++ b/include/net/l3mdev.h
@@ -198,10 +198,12 @@ struct sk_buff *l3mdev_l3_out(struct sock *sk, struct sk_buff *skb, u16 proto)
        if (netif_is_l3_slave(dev)) {
                struct net_device *master;
 
+               rcu_read_lock();
                master = netdev_master_upper_dev_get_rcu(dev);
                if (master && master->l3mdev_ops->l3mdev_l3_out)
                        skb = master->l3mdev_ops->l3mdev_l3_out(master, sk,
                                                                skb, proto);
+               rcu_read_unlock();
        }
 
        return skb;