From: Maoyi Xie
To: netdev@vger.kernel.org
Cc: kuniyu@google.com, shaw.leon@gmail.com, davem@davemloft.net, kuba@kernel.org, edumazet@google.com, pabeni@redhat.com, dsahern@kernel.org, kuznet@ms2.inr.ac.ru, linux-kernel@vger.kernel.org, stable@vger.kernel.org, security@kernel.org
Subject: [PATCH net 0/2] ipv6: tunnel changelink: use cached netns pointer
Date: Tue, 28 Apr 2026 19:07:11 +0800
Message-Id: <20260428110713.2550315-1-maoyixie.tju@gmail.com>

This series addresses two slab-use-after-free reports against the IPv6 tunnel changelink callbacks vti6_changelink() and ip6erspan_changelink(), both reachable from an unprivileged user namespace and verified on Linux v7.0 with KASAN.

Both bugs are sibling misses of commit 5e72ce3e3980 ("net: ipv6: Use link netns in newlink() of rtnl_link_ops"), which migrated the *_newlink callbacks for vti6, ip6_gre, ip6_tunnel, sit and ip_tunnel from dev_net() to link_net but did not convert the corresponding *_changelink callbacks. As a result, after a device is migrated via IFLA_NET_NS_FD, the changelink path looks up the per-netns hash in the wrong namespace, leaving a stale hash entry in the original creation netns. The next cleanup_net() of that netns walks freed memory.

Patch 1/2 was authored by Kuniyuki Iwashima during the security disclosure thread; it converts vti6_changelink() and vti6_update() to use the cached t->net.

Patch 2/2 applies the equivalent conversion to ip6erspan_changelink(). The non-erspan sibling ip6gre_changelink() in the same file already uses the cached t->net correctly.

Both bugs were originally reported on security@kernel.org on 2026-04-26 and triaged with Kuniyuki Iwashima and Xiao Liang. Posting publicly per standard practice once the technical fix shape is settled.

The bugs are present on all maintained LTS branches (v5.15, v6.1, v6.6, v6.12, v6.18) with byte-identical source, hence Cc: stable@.

Tested with KASAN reproducers (unshare --user --map-root-user --net, RTM_NEWLINK + IFLA_NET_NS_FD migration, RTM_NEWLINK changelink in the migrated netns, then teardown of the original netns); without the patches both reports trip within ~2 seconds, with the patches the reproducers complete cleanly.

Kuniyuki Iwashima (1):
  ip6: vti: Use ip6_tnl.net in vti6_changelink().

Maoyi Xie (1):
  ip6_gre: Use cached t->net in ip6erspan_changelink().

 net/ipv6/ip6_gre.c |  3 ++-
 net/ipv6/ip6_vti.c | 12 +++++++-----
 2 files changed, 9 insertions(+), 6 deletions(-)

-- 
2.34.1
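The following is a user-space model of the list mechanics the cover letter describes, added here as an illustration; it is not code from this series or from the kernel. It assumes a single bucket per netns in place of the per-netns tunnel hash, a tombstone flag in place of kfree(), and link/unlink routines shaped like vti6_tnl_link()/vti6_tnl_unlink(); the function names tnl_newlink, tnl_changelink, tnl_uninit, run_scenario and the struct result are hypothetical. It walks the reproducer shape from the cover letter (create in netns A, migrate the netdev to B, changelink, dismantle) once with the hash indexed by dev_net(dev) and once with the cached t->net, and reports how many buckets still point at the tunnel after it is freed. Which bucket ends up holding the dangling pointer in the real kernel depends on the order in which the device and the two namespaces are torn down; the model only shows that, without the fix, one such pointer survives the free.

```c
#include <stdio.h>
#include <string.h>

/* Assumption: one bucket per netns stands in for the per-netns tunnel hash. */
struct ip6_tnl;
struct net { struct ip6_tnl *bucket; };		/* head of the bucket chain */

struct ip6_tnl {
	struct net *net;	/* link netns cached at newlink(): t->net */
	struct net *dev_net;	/* stands in for dev_net(t->dev); changes on migration */
	struct ip6_tnl *next;
	int freed;		/* tombstone: the model never really frees memory */
};

struct result {
	int refs_before_dismantle;	/* bucket entries pointing at t after changelink */
	int dangling_after_dismantle;	/* buckets whose walk reaches the freed t */
};

/* Shape of vti6_tnl_link(): push onto the bucket head. */
static void tnl_link(struct net *net, struct ip6_tnl *t)
{
	t->next = net->bucket;
	net->bucket = t;
}

/* Shape of vti6_tnl_unlink(): remove by pointer identity. If t is not in this
 * bucket nothing happens and nothing reports it; that silence is why the
 * wrong-netns lookup goes unnoticed until cleanup. */
static void tnl_unlink(struct net *net, struct ip6_tnl *t)
{
	struct ip6_tnl **tp;

	for (tp = &net->bucket; *tp; tp = &(*tp)->next)
		if (*tp == t) {
			*tp = t->next;
			return;
		}
}

static int bucket_refs(const struct net *net, const struct ip6_tnl *t)
{
	int n = 0;
	for (const struct ip6_tnl *it = net->bucket; it; it = it->next)
		n += (it == t);
	return n;
}

/* A cleanup-style walk: 1 if it reaches a tunnel that was already freed. */
static int walk_hits_freed(const struct net *net)
{
	for (const struct ip6_tnl *it = net->bucket; it; it = it->next)
		if (it->freed)
			return 1;
	return 0;
}

/* newlink(): since 5e72ce3e3980 the tunnel is hashed in link_net and caches it. */
static void tnl_newlink(struct ip6_tnl *t, struct net *link_net)
{
	memset(t, 0, sizeof(*t));
	t->net = t->dev_net = link_net;
	tnl_link(link_net, t);
}

/* changelink(): unlink, update parms, relink. use_cached == 0 indexes the
 * hash by dev_net(dev) (the pre-fix code); 1 indexes it by t->net (the fix). */
static void tnl_changelink(struct ip6_tnl *t, int use_cached)
{
	struct net *net = use_cached ? t->net : t->dev_net;

	tnl_unlink(net, t);
	/* parameter update omitted; it does not touch the lists */
	tnl_link(net, t);
}

/* dev_uninit(): unlinks through t->net, then the tunnel memory goes away. */
static void tnl_uninit(struct ip6_tnl *t)
{
	tnl_unlink(t->net, t);
	t->freed = 1;
}

/* The reproducer shape from the cover letter: create in A, move the netdev to
 * B (IFLA_NET_NS_FD moves the device, not the hash entry), changelink from B,
 * dismantle the device, then walk both hashes the way cleanup_net() would. */
struct result run_scenario(int use_cached)
{
	struct net a = { NULL }, b = { NULL };
	struct ip6_tnl t;
	struct result r;

	tnl_newlink(&t, &a);
	t.dev_net = &b;				/* migration */
	tnl_changelink(&t, use_cached);
	r.refs_before_dismantle = bucket_refs(&a, &t) + bucket_refs(&b, &t);
	tnl_uninit(&t);
	r.dangling_after_dismantle = walk_hits_freed(&a) + walk_hits_freed(&b);
	return r;
}

int main(void)
{
	struct result bug = run_scenario(0), fix = run_scenario(1);

	printf("dev_net(dev): refs=%d dangling=%d\n", bug.refs_before_dismantle,
	       bug.dangling_after_dismantle);
	printf("t->net:       refs=%d dangling=%d\n", fix.refs_before_dismantle,
	       fix.dangling_after_dismantle);
	return 0;
}
```

With the dev_net(dev) path the unlink from B's bucket is a silent miss and the relink pushes the tunnel onto B's bucket while A's bucket still points at it, so the tunnel sits on two lists; dismantle removes it from only one of them. With t->net the unlink and relink hit the same bucket the tunnel was created in, and nothing references it after the free.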