arp: use RCU protection in arp_xmit()

arp_xmit() can be called without RTNL or RCU protection.

Use RCU protection to avoid potential UAF.

Fixes: 29a26a568038 ("netfilter: Pass struct net into the netfilter hooks")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: David Ahern <dsahern@kernel.org>
Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Link: https://patch.msgid.link/20250207135841.1948589-5-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

diff --git a/net/ipv4/arp.c b/net/ipv4/arp.c
index cb9a7ed8abd3ab17403f226ea7e31ea2bae52a9f..f23a1ec6694cb2f1bd60f28faa357fcad83c165a 100644 (file)
--- a/net/ipv4/arp.c
+++ b/net/ipv4/arp.c
@@ -659,10 +659,12 @@ static int arp_xmit_finish(struct net *net, struct sock *sk, struct sk_buff *skb
  */
 void arp_xmit(struct sk_buff *skb)
 {
+       rcu_read_lock();
        /* Send it off, maybe filter it using firewalling first.  */
        NF_HOOK(NFPROTO_ARP, NF_ARP_OUT,
-               dev_net(skb->dev), NULL, skb, NULL, skb->dev,
+               dev_net_rcu(skb->dev), NULL, skb, NULL, skb->dev,
                arp_xmit_finish);
+       rcu_read_unlock();
 }
 EXPORT_SYMBOL(arp_xmit);