* [PATCH net] tipc: fix UAF in tipc_l2_send_msg()
@ 2026-06-12 13:59 Eric Dumazet
From: Eric Dumazet @ 2026-06-12 13:59 UTC (permalink / raw)
To: David S . Miller, Jakub Kicinski, Paolo Abeni
Cc: Simon Horman, netdev, eric.dumazet, Eric Dumazet,
syzbot+64ec81389cbad56a8c35, Jon Maloy
Syzbot reported a slab-use-after-free in ipvlan_hard_header() when
called from tipc_l2_send_msg().
The root cause is that tipc_disable_l2_media() calls synchronize_net()
while b->media_ptr is still valid. This allows concurrent RCU readers
to obtain the device pointer after synchronize_net() has finished.
The pointer is cleared later in bearer_disable(), but without any
subsequent synchronization, allowing the device to be freed while
still in use by readers.
Fix this by clearing b->media_ptr in tipc_disable_l2_media() before
calling synchronize_net().
This is safe to do now because the call order in bearer_disable()
was reversed in 0d051bf93c06 ("tipc: make bearer packet filtering generic")
to call tipc_node_delete_links() (which needs the pointer) before
disable_media().
Fixes: 282b3a056225 ("tipc: send out RESET immediately when link goes down")
https://lore.kernel.org/netdev/6a2c1007.428ffe26.258b27.015d.GAE@google.com/T/#u
Reported-by: syzbot+64ec81389cbad56a8c35@syzkaller.appspotmail.com
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Jon Maloy <jmaloy@redhat.com>
---
net/tipc/bearer.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/tipc/bearer.c b/net/tipc/bearer.c
index a3bd1ef17558a37787bb92f2c3805c0fda874d8a..05dcd2f9e887a6e5ca6665ab41e4d5b5107f158c 100644
--- a/net/tipc/bearer.c
+++ b/net/tipc/bearer.c
@@ -482,6 +482,7 @@ void tipc_disable_l2_media(struct tipc_bearer *b)
dev = (struct net_device *)rtnl_dereference(b->media_ptr);
dev_remove_pack(&b->pt);
RCU_INIT_POINTER(dev->tipc_ptr, NULL);
+ RCU_INIT_POINTER(b->media_ptr, NULL);
synchronize_net();
dev_put(dev);
}
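Review bot: the new RCU_INIT_POINTER(b->media_ptr, NULL) is only correct because bearer_disable() now calls tipc_node_delete_links() before disable_media(), an ordering the commit message attributes to 0d051bf93c06, while the Fixes: tag names the older 282b3a056225; a stable backport to a tree that carries 282b3a056225 but not 0d051bf93c06 would hand tipc_node_delete_links() a NULL media_ptr, so the dependency on 0d051bf93c06 should be stated in the commit message for stable maintainers. It would also help to say explicitly that the later RCU_INIT_POINTER(b->media_ptr, NULL) in bearer_disable() is kept on purpose, since it now duplicates this store for L2 bearers but remains the only clear for media that do not go through tipc_disable_l2_media() (the UDP bearer). Using RCU_INIT_POINTER rather than rcu_assign_pointer() for a NULL store is fine and matches the dev->tipc_ptr line just above.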
--
2.54.0.1136.gdb2ca164c4-goog
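The ordering argument in the commit message (unpublish the pointer, then wait for the grace period, then drop the reference) is easier to see in a small model. The program below is an added example, not kernel code and not part of Eric's patch: it plays the interleaving from the report twice, once with the pointer cleared after synchronize_net() as in the old code and once cleared before it as the patch does. All names in it (`media_ptr`, `reader_begin`, `synchronize`, `dev_put`, `run_scenario`) are stand-ins of the model, and it assumes that the dev_put() in tipc_disable_l2_media() drops the last reference, which is what turns a stale pointer into a use-after-free.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for the net_device: a refcount and a "freed" marker. */
struct dev {
	int refcnt;
	int freed;
};

/* The RCU-protected pointer tipc_l2_send_msg() dereferences; stands in for
 * b->media_ptr (model variable, not the kernel field). */
static struct dev *media_ptr;

/* Readers inside an RCU read-side critical section. Each loads the pointer
 * when it starts (rcu_dereference) and may use it until it exits. */
#define MAX_READERS 4
struct reader {
	struct dev *loaded;
	int in_cs;
};
static struct reader readers[MAX_READERS];

static void reader_begin(int i)
{
	readers[i].in_cs = 1;
	readers[i].loaded = media_ptr;	/* rcu_dereference(b->media_ptr) */
}

/* Returns 1 if the reader touches memory that has already been freed,
 * 0 if it saw NULL and bailed out or the device is still alive. */
static int reader_use(int i)
{
	if (!readers[i].loaded)
		return 0;	/* NULL: the sender drops the packet, no access */
	return readers[i].loaded->freed;
}

static void reader_end(int i)
{
	readers[i].in_cs = 0;
	readers[i].loaded = NULL;
}

/* synchronize_net(): returns only after every read-side critical section
 * that began before the call has finished. The model drains them here;
 * readers that begin afterwards are not covered by this grace period. */
static void synchronize(void)
{
	for (int i = 0; i < MAX_READERS; i++)
		if (readers[i].in_cs)
			reader_end(i);
}

/* dev_put(): drop a reference; the last drop frees the device (assumed). */
static void dev_put(struct dev *d)
{
	if (--d->refcnt == 0)
		d->freed = 1;
}

/* Plays the interleaving from the syzbot report. clear_before_grace == 0 is
 * the old code: tipc_disable_l2_media() runs synchronize_net() and dev_put()
 * with the pointer still published, and bearer_disable() clears it afterwards.
 * clear_before_grace == 1 is the patched order. Returns 1 if the late sender
 * dereferenced a freed device. */
int run_scenario(int clear_before_grace)
{
	struct dev d = { .refcnt = 1, .freed = 0 };
	int uaf;

	memset(readers, 0, sizeof(readers));
	media_ptr = &d;

	reader_begin(0);		/* a sender already holding the pointer */
	if (clear_before_grace)
		media_ptr = NULL;	/* RCU_INIT_POINTER(b->media_ptr, NULL) */
	synchronize();			/* reader 0 is waited for here */
	reader_begin(1);		/* a sender arriving after the grace period */
	dev_put(&d);			/* end of tipc_disable_l2_media(): device freed */
	if (!clear_before_grace)
		media_ptr = NULL;	/* the late clear in bearer_disable() */
	uaf = reader_use(1);		/* ipvlan_hard_header() on the device */
	reader_end(1);
	return uaf;
}

int main(void)
{
	printf("clear after grace period : %s\n",
	       run_scenario(0) ? "use-after-free" : "safe");
	printf("clear before grace period: %s\n",
	       run_scenario(1) ? "use-after-free" : "safe");
	return 0;
}
```

The point the model makes is the general RCU retirement rule: a grace period only protects readers that started before it, so the pointer has to be unpublished first; a reader that starts after the clear sees NULL and never reaches the object, and a reader that loaded the pointer earlier is exactly the one synchronize_net() waits for.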
* RE: [PATCH net] tipc: fix UAF in tipc_l2_send_msg()
From: Tung Quang Nguyen @ 2026-06-13 2:50 UTC (permalink / raw)
To: Eric Dumazet
Cc: Simon Horman, netdev@vger.kernel.org, eric.dumazet@gmail.com,
syzbot+64ec81389cbad56a8c35@syzkaller.appspotmail.com, Jon Maloy,
David S . Miller, Jakub Kicinski, Paolo Abeni
>Subject: [PATCH net] tipc: fix UAF in tipc_l2_send_msg()
>
>Syzbot reported a slab-use-after-free in ipvlan_hard_header() when called
>from tipc_l2_send_msg().
>
>The root cause is that tipc_disable_l2_media() calls synchronize_net() while
>b->media_ptr is still valid. This allows concurrent RCU readers to obtain the
>device pointer after synchronize_net() has finished.
>The pointer is cleared later in bearer_disable(), but without any subsequent
>synchronization, allowing the device to be freed while still in use by readers.
>
>Fix this by clearing b->media_ptr in tipc_disable_l2_media() before calling
>synchronize_net().
>
>This is safe to do now because the call order in bearer_disable() was reversed
>in 0d051bf93c06 ("tipc: make bearer packet filtering generic") to call
>tipc_node_delete_links() (which needs the pointer) before disable_media().
>
>Fixes: 282b3a056225 ("tipc: send out RESET immediately when link goes
>down")
>https://lore.kernel.org/netdev/6a2c1007.428ffe26.258b27.015d.GAE@google.c
>om/T/#u
>Reported-by: syzbot+64ec81389cbad56a8c35@syzkaller.appspotmail.com
>Signed-off-by: Eric Dumazet <edumazet@google.com>
>Cc: Jon Maloy <jmaloy@redhat.com>
>---
> net/tipc/bearer.c | 1 +
> 1 file changed, 1 insertion(+)
>
>diff --git a/net/tipc/bearer.c b/net/tipc/bearer.c index
>a3bd1ef17558a37787bb92f2c3805c0fda874d8a..05dcd2f9e887a6e5ca6665ab4
>1e4d5b5107f158c 100644
>--- a/net/tipc/bearer.c
>+++ b/net/tipc/bearer.c
>@@ -482,6 +482,7 @@ void tipc_disable_l2_media(struct tipc_bearer *b)
> dev = (struct net_device *)rtnl_dereference(b->media_ptr);
> dev_remove_pack(&b->pt);
> RCU_INIT_POINTER(dev->tipc_ptr, NULL);
>+ RCU_INIT_POINTER(b->media_ptr, NULL);
Since 'b->media_ptr' is reset here, should the same reset be removed in bearer_disable()?
bearer_disable()
{
...
RCU_INIT_POINTER(b->media_ptr, NULL);
...
}
> synchronize_net();
> dev_put(dev);
> }
>--
>2.54.0.1136.gdb2ca164c4-goog
>
* Re: [PATCH net] tipc: fix UAF in tipc_l2_send_msg()
From: Eric Dumazet @ 2026-06-13 3:31 UTC (permalink / raw)
To: Tung Quang Nguyen
Cc: Simon Horman, netdev@vger.kernel.org, eric.dumazet@gmail.com,
syzbot+64ec81389cbad56a8c35@syzkaller.appspotmail.com, Jon Maloy,
David S . Miller, Jakub Kicinski, Paolo Abeni
On Fri, Jun 12, 2026 at 7:50 PM Tung Quang Nguyen
<tung.quang.nguyen@est.tech> wrote:
>
> >Subject: [PATCH net] tipc: fix UAF in tipc_l2_send_msg()
> >
> >Syzbot reported a slab-use-after-free in ipvlan_hard_header() when called
> >from tipc_l2_send_msg().
> >
> >The root cause is that tipc_disable_l2_media() calls synchronize_net() while
> >b->media_ptr is still valid. This allows concurrent RCU readers to obtain the
> >device pointer after synchronize_net() has finished.
> >The pointer is cleared later in bearer_disable(), but without any subsequent
> >synchronization, allowing the device to be freed while still in use by readers.
> >
> >Fix this by clearing b->media_ptr in tipc_disable_l2_media() before calling
> >synchronize_net().
> >
> >This is safe to do now because the call order in bearer_disable() was reversed
> >in 0d051bf93c06 ("tipc: make bearer packet filtering generic") to call
> >tipc_node_delete_links() (which needs the pointer) before disable_media().
> >
> >Fixes: 282b3a056225 ("tipc: send out RESET immediately when link goes
> >down")
> >https://lore.kernel.org/netdev/6a2c1007.428ffe26.258b27.015d.GAE@google.c
> >om/T/#u
> >Reported-by: syzbot+64ec81389cbad56a8c35@syzkaller.appspotmail.com
> >Signed-off-by: Eric Dumazet <edumazet@google.com>
> >Cc: Jon Maloy <jmaloy@redhat.com>
> >---
> > net/tipc/bearer.c | 1 +
> > 1 file changed, 1 insertion(+)
> >
> >diff --git a/net/tipc/bearer.c b/net/tipc/bearer.c index
> >a3bd1ef17558a37787bb92f2c3805c0fda874d8a..05dcd2f9e887a6e5ca6665ab4
> >1e4d5b5107f158c 100644
> >--- a/net/tipc/bearer.c
> >+++ b/net/tipc/bearer.c
> >@@ -482,6 +482,7 @@ void tipc_disable_l2_media(struct tipc_bearer *b)
> > dev = (struct net_device *)rtnl_dereference(b->media_ptr);
> > dev_remove_pack(&b->pt);
> > RCU_INIT_POINTER(dev->tipc_ptr, NULL);
> >+ RCU_INIT_POINTER(b->media_ptr, NULL);
>
> Since 'b->media_ptr' is reset here, should the same reset be removed in bearer_disable()?
> bearer_disable()
> {
> ...
> RCU_INIT_POINTER(b->media_ptr, NULL);
> ...
> }
We could, but we would have to add a reset in tipc_udp_disable().
I thought it was a bit clearer (and less risky, given bearer_disable()
is called from many points) to focus only on tipc_disable_l2_media().
* RE: [PATCH net] tipc: fix UAF in tipc_l2_send_msg()
From: Tung Quang Nguyen @ 2026-06-15 4:46 UTC (permalink / raw)
To: Eric Dumazet
Cc: Simon Horman, netdev@vger.kernel.org, eric.dumazet@gmail.com,
syzbot+64ec81389cbad56a8c35@syzkaller.appspotmail.com, Jon Maloy,
David S . Miller, Jakub Kicinski, Paolo Abeni
>Subject: [PATCH net] tipc: fix UAF in tipc_l2_send_msg()
>
>Syzbot reported a slab-use-after-free in ipvlan_hard_header() when called
>from tipc_l2_send_msg().
>
>The root cause is that tipc_disable_l2_media() calls synchronize_net() while
>b->media_ptr is still valid. This allows concurrent RCU readers to obtain the
>device pointer after synchronize_net() has finished.
>The pointer is cleared later in bearer_disable(), but without any subsequent
>synchronization, allowing the device to be freed while still in use by readers.
>
>Fix this by clearing b->media_ptr in tipc_disable_l2_media() before calling
>synchronize_net().
>
>This is safe to do now because the call order in bearer_disable() was reversed
>in 0d051bf93c06 ("tipc: make bearer packet filtering generic") to call
>tipc_node_delete_links() (which needs the pointer) before disable_media().
>
>Fixes: 282b3a056225 ("tipc: send out RESET immediately when link goes
>down")
>https://lore.kernel.org/netdev/6a2c1007.428ffe26.258b27.015d.GAE@google.c
>om/T/#u
>Reported-by: syzbot+64ec81389cbad56a8c35@syzkaller.appspotmail.com
>Signed-off-by: Eric Dumazet <edumazet@google.com>
>Cc: Jon Maloy <jmaloy@redhat.com>
>---
> net/tipc/bearer.c | 1 +
> 1 file changed, 1 insertion(+)
>
>diff --git a/net/tipc/bearer.c b/net/tipc/bearer.c index
>a3bd1ef17558a37787bb92f2c3805c0fda874d8a..05dcd2f9e887a6e5ca6665ab4
>1e4d5b5107f158c 100644
>--- a/net/tipc/bearer.c
>+++ b/net/tipc/bearer.c
>@@ -482,6 +482,7 @@ void tipc_disable_l2_media(struct tipc_bearer *b)
> dev = (struct net_device *)rtnl_dereference(b->media_ptr);
> dev_remove_pack(&b->pt);
> RCU_INIT_POINTER(dev->tipc_ptr, NULL);
>+ RCU_INIT_POINTER(b->media_ptr, NULL);
> synchronize_net();
> dev_put(dev);
> }
>--
>2.54.0.1136.gdb2ca164c4-goog
>
Reviewed-by: Tung Nguyen <tung.quang.nguyen@est.tech>
* Re: [PATCH net] tipc: fix UAF in tipc_l2_send_msg()
From: patchwork-bot+netdevbpf @ 2026-06-15 20:00 UTC (permalink / raw)
To: Eric Dumazet
Cc: davem, kuba, pabeni, horms, netdev, eric.dumazet,
syzbot+64ec81389cbad56a8c35, jmaloy
Hello:
This patch was applied to netdev/net.git (main)
by Jakub Kicinski <kuba@kernel.org>:
On Fri, 12 Jun 2026 13:59:49 +0000 you wrote:
> Syzbot reported a slab-use-after-free in ipvlan_hard_header() when
> called from tipc_l2_send_msg().
>
> The root cause is that tipc_disable_l2_media() calls synchronize_net()
> while b->media_ptr is still valid. This allows concurrent RCU readers
> to obtain the device pointer after synchronize_net() has finished.
> The pointer is cleared later in bearer_disable(), but without any
> subsequent synchronization, allowing the device to be freed while
> still in use by readers.
>
> [...]
Here is the summary with links:
- [net] tipc: fix UAF in tipc_l2_send_msg()
https://git.kernel.org/netdev/net/c/f4c3d89fc986
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html