[PATCH net] net: add rcu safety to rtnl_prop_list_size()

[PATCH net] net: add rcu safety to rtnl_prop_list_size()

[Eric Dumazet]

rtnl_prop_list_size() can be called while alternative names
are added or removed concurrently.

if_nlmsg_size() / rtnl_calcit() can indeed be called
without RTNL held.

Use explicit RCU protection to avoid UAF.

Fixes: 88f4fb0c7496 ("net: rtnetlink: put alternative names to getlink message")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Jiri Pirko <jiri@nvidia.com>
---
 net/core/dev.c       |  2 +-
 net/core/rtnetlink.c | 15 +++++++++------
 2 files changed, 10 insertions(+), 7 deletions(-)

diff --git a/net/core/dev.c b/net/core/dev.c
index cb2dab0feee0abe758479a7a001342bf6613df08..75c4ac51302b5b3c3aa7dcc3dcfa31dbcf0c8ac9 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -336,7 +336,7 @@ int netdev_name_node_alt_create(struct net_device *dev, const char *name)
 		return -ENOMEM;
 	netdev_name_node_add(net, name_node);
 	/* The node that holds dev->name acts as a head of per-device list. */
-	list_add_tail(&name_node->list, &dev->name_node->list);
+	list_add_tail_rcu(&name_node->list, &dev->name_node->list);
 
 	return 0;
 }
diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
index f6f29eb03ec277a1ea17ccc220fa7624bf6db092..9c4f427f3a5057b52ec05405e8b15b8ca2246b4b 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -1020,14 +1020,17 @@ static size_t rtnl_xdp_size(void)
 static size_t rtnl_prop_list_size(const struct net_device *dev)
 {
 	struct netdev_name_node *name_node;
-	size_t size;
+	unsigned int cnt = 0;
+
+	rcu_read_lock();
+	list_for_each_entry_rcu(name_node, &dev->name_node->list, list)
+		cnt++;
+	rcu_read_unlock();
 
-	if (list_empty(&dev->name_node->list))
+	if (!cnt)
 		return 0;
-	size = nla_total_size(0);
-	list_for_each_entry(name_node, &dev->name_node->list, list)
-		size += nla_total_size(ALTIFNAMSIZ);
-	return size;
+
+	return nla_total_size(0) + cnt * nla_total_size(ALTIFNAMSIZ);
 }
 
 static size_t rtnl_proto_down_size(const struct net_device *dev)
-- 
2.43.0.687.g38aa6559b0-goog

Re: [PATCH net] net: add rcu safety to rtnl_prop_list_size()

[Eric Dumazet]

On Fri, Feb 9, 2024 at 7:12 PM Eric Dumazet <edumazet@google.com> wrote:
>
> rtnl_prop_list_size() can be called while alternative names
> are added or removed concurrently.
>
> if_nlmsg_size() / rtnl_calcit() can indeed be called
> without RTNL held.
>
> Use explicit RCU protection to avoid UAF.
>
> Fixes: 88f4fb0c7496 ("net: rtnetlink: put alternative names to getlink message")
> Signed-off-by: Eric Dumazet <edumazet@google.com>
> Cc: Jiri Pirko <jiri@nvidia.com>
> ---
>  net/core/dev.c       |  2 +-
>  net/core/rtnetlink.c | 15 +++++++++------
>  2 files changed, 10 insertions(+), 7 deletions(-)

BTW, when testing this patch, adding many altnames to one device, I
saw that 'ifquery' would not see the device,
and all devices following in the dump.

This is orthogonal to this patch, just a reminder that some user space
programs do not cope well with one netdevice
needing more bytes than their recvmsg() buffer size.

Apparently ifquery is still using a buffer of 4096 bytes, while "ip
link " is using MSG_PEEK since 2017 to
sense what is the appropriate size.

Re: [PATCH net] net: add rcu safety to rtnl_prop_list_size()

[patchwork-bot+netdevbpf]

Hello:

This patch was applied to netdev/net.git (main)
by Jakub Kicinski <kuba@kernel.org>:

On Fri,  9 Feb 2024 18:12:48 +0000 you wrote:
> rtnl_prop_list_size() can be called while alternative names
> are added or removed concurrently.
> 
> if_nlmsg_size() / rtnl_calcit() can indeed be called
> without RTNL held.
> 
> Use explicit RCU protection to avoid UAF.
> 
> [...]

Here is the summary with links:
  - [net] net: add rcu safety to rtnl_prop_list_size()
    https://git.kernel.org/netdev/net/c/9f30831390ed

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html