From: Ren Wei <n05ec@lzu.edu.cn>
To: netdev@vger.kernel.org, idosch@mellanox.com
Cc: dsahern@kernel.org, davem@davemloft.net, edumazet@google.com,
kuba@kernel.org, pabeni@redhat.com, horms@kernel.org,
jiri@resnulli.us, yifanwucs@gmail.com, tomapufckgml@gmail.com,
yuantan098@gmail.com, bird@lzu.edu.cn, royenheart@gmail.com,
n05ec@lzu.edu.cn
Subject: [PATCH net v3 1/1] net: l3mdev: Reject non-L3 uppers in slave helpers
Date: Sun, 19 Apr 2026 22:53:32 +0800 [thread overview]
Message-ID: <20260419145332.3988923-1-n05ec@lzu.edu.cn> (raw)
From: Haoze Xie <royenheart@gmail.com>
Several l3mdev slave-side helpers resolve an upper device and then use
l3mdev_ops without first proving that the resolved device is still a
valid L3 master.
During slave transition, an RCU reader can transiently observe an upper
that is not an L3 master. Guard the affected slave-resolved paths by
requiring the resolved upper to still be an L3 master before using
l3mdev_ops, while keeping existing L3 RX handler providers intact.
Fixes: fdeea7be88b1 ("net: vrf: Set slave's private flag before linking")
Cc: stable@kernel.org
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Co-developed-by: Yuan Tan <yuantan098@gmail.com>
Signed-off-by: Yuan Tan <yuantan098@gmail.com>
Suggested-by: Xin Liu <bird@lzu.edu.cn>
Tested-by: Haoze Xie <royenheart@gmail.com>
Signed-off-by: Haoze Xie <royenheart@gmail.com>
Signed-off-by: Ao Zhou <n05ec@lzu.edu.cn>
---
Changes in v3:
- Extend the same guard to l3mdev_l3_rcv() and l3mdev_l3_out().
- Keep existing IFF_L3MDEV_RX_HANDLER providers such as ipvlan_l3s
working by only applying the extra master check to the slave-resolved
upper case in l3mdev_l3_rcv().
- v2 Link:
https://lore.kernel.org/all/429dd4a81d4ca5624ab9f6d7b53c5fe08552c734.1775443332.git.royenheart@gmail.com/
Changes in v2:
- Point Fixes to the VRF slave ordering change identified in review.
- Add David Ahern's Reviewed-by trailer in that revision.
- v1 Link:
https://lore.kernel.org/all/b3b88cddc7e79d4b43756b26ae5db965678f3ba9.1775062214.git.royenheart@gmail.com/
include/net/l3mdev.h | 18 +++++++++++-------
net/l3mdev/l3mdev.c | 2 +-
2 files changed, 12 insertions(+), 8 deletions(-)
diff --git a/include/net/l3mdev.h b/include/net/l3mdev.h
index 710e98665eb3..aed52bf03956 100644
--- a/include/net/l3mdev.h
+++ b/include/net/l3mdev.h
@@ -180,14 +180,17 @@ struct sk_buff *l3mdev_l3_rcv(struct sk_buff *skb, u16 proto)
{
struct net_device *master = NULL;
- if (netif_is_l3_slave(skb->dev))
+ if (netif_is_l3_slave(skb->dev)) {
master = netdev_master_upper_dev_get_rcu(skb->dev);
- else if (netif_is_l3_master(skb->dev) ||
- netif_has_l3_rx_handler(skb->dev))
+ if (master && netif_is_l3_master(master) &&
+ master->l3mdev_ops->l3mdev_l3_rcv)
+ skb = master->l3mdev_ops->l3mdev_l3_rcv(master, skb, proto);
+ } else if (netif_is_l3_master(skb->dev) ||
+ netif_has_l3_rx_handler(skb->dev)) {
master = skb->dev;
-
- if (master && master->l3mdev_ops->l3mdev_l3_rcv)
- skb = master->l3mdev_ops->l3mdev_l3_rcv(master, skb, proto);
+ if (master->l3mdev_ops->l3mdev_l3_rcv)
+ skb = master->l3mdev_ops->l3mdev_l3_rcv(master, skb, proto);
+ }
return skb;
}
@@ -215,7 +218,8 @@ struct sk_buff *l3mdev_l3_out(struct sock *sk, struct sk_buff *skb, u16 proto)
struct net_device *master;
master = netdev_master_upper_dev_get_rcu(dev);
- if (master && master->l3mdev_ops->l3mdev_l3_out)
+ if (master && netif_is_l3_master(master) &&
+ master->l3mdev_ops->l3mdev_l3_out)
skb = master->l3mdev_ops->l3mdev_l3_out(master, sk,
skb, proto);
}
diff --git a/net/l3mdev/l3mdev.c b/net/l3mdev/l3mdev.c
index 5432a5f2dfc8..b8a3030cb2c4 100644
--- a/net/l3mdev/l3mdev.c
+++ b/net/l3mdev/l3mdev.c
@@ -177,7 +177,7 @@ u32 l3mdev_fib_table_rcu(const struct net_device *dev)
const struct net_device *master;
master = netdev_master_upper_dev_get_rcu(_dev);
- if (master &&
+ if (master && netif_is_l3_master(master) &&
master->l3mdev_ops->l3mdev_fib_table)
tb_id = master->l3mdev_ops->l3mdev_fib_table(master);
}
--
2.53.0
next reply other threads:[~2026-04-19 14:58 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-19 14:53 Ren Wei [this message]
2026-04-20 11:32 ` [PATCH net v3 1/1] net: l3mdev: Reject non-L3 uppers in slave helpers Ido Schimmel
2026-04-20 18:26 ` Ido Schimmel
2026-04-21 9:10 ` Ido Schimmel
2026-04-21 19:44 ` Yuan Tan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260419145332.3988923-1-n05ec@lzu.edu.cn \
--to=n05ec@lzu.edu.cn \
--cc=bird@lzu.edu.cn \
--cc=davem@davemloft.net \
--cc=dsahern@kernel.org \
--cc=edumazet@google.com \
--cc=horms@kernel.org \
--cc=idosch@mellanox.com \
--cc=jiri@resnulli.us \
--cc=kuba@kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=royenheart@gmail.com \
--cc=tomapufckgml@gmail.com \
--cc=yifanwucs@gmail.com \
--cc=yuantan098@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox