From: Maoyi Xie <maoyixie.tju@gmail.com>
To: netdev@vger.kernel.org
Cc: kuniyu@google.com, shaw.leon@gmail.com, davem@davemloft.net,
kuba@kernel.org, edumazet@google.com, pabeni@redhat.com,
dsahern@kernel.org, kuznet@ms2.inr.ac.ru,
linux-kernel@vger.kernel.org, stable@vger.kernel.org,
security@kernel.org
Subject: [PATCH net 0/2] ipv6: tunnel changelink: use cached netns pointer
Date: Tue, 28 Apr 2026 19:07:11 +0800
Message-ID: <20260428110713.2550315-1-maoyixie.tju@gmail.com>
From: Maoyi Xie <maoyi.xie@ntu.edu.sg>
This series addresses two slab-use-after-free reports against the IPv6
tunnel changelink callbacks vti6_changelink() and ip6erspan_changelink(),
both reachable from an unprivileged user namespace and verified on
Linux v7.0 with KASAN.
Both bugs are sibling misses of commit 5e72ce3e3980 ("net: ipv6: Use
link netns in newlink() of rtnl_link_ops"), which migrated the
*_newlink callbacks for vti6, ip6_gre, ip6_tunnel, sit and ip_tunnel
from dev_net() to link_net but did not convert the corresponding
*_changelink callbacks. As a result, after a device is migrated via
IFLA_NET_NS_FD, the changelink path looks up the per-netns hash in the
wrong namespace, leaving a stale hash entry in the original creation
netns. The next cleanup_net() of that netns walks freed memory.
Patch 1/2 was authored by Kuniyuki Iwashima during the security
disclosure thread; it converts vti6_changelink() and vti6_update() to
use the cached t->net.
Patch 2/2 applies the equivalent conversion to ip6erspan_changelink().
The non-erspan sibling ip6gre_changelink() in the same file already
uses the cached t->net correctly.
Both bugs were originally reported on security@kernel.org on
2026-04-26 and triaged with Kuniyuki Iwashima and Xiao Liang. Posting
publicly per standard practice once the technical fix shape is
settled.
The bugs are present on all maintained LTS branches (v5.15, v6.1, v6.6,
v6.12, v6.18) with byte-identical source, hence Cc: stable@.
Tested with KASAN reproducers (unshare --user --map-root-user --net,
RTM_NEWLINK + IFLA_NET_NS_FD migration, RTM_NEWLINK changelink in
the migrated netns, then teardown of the original netns); without the
patches both reports trip within ~2 seconds, with the patches the
reproducers complete cleanly.
Kuniyuki Iwashima (1):
ip6: vti: Use ip6_tnl.net in vti6_changelink().
Maoyi Xie (1):
ip6_gre: Use cached t->net in ip6erspan_changelink().
net/ipv6/ip6_gre.c | 3 ++-
net/ipv6/ip6_vti.c | 12 +++++++-----
2 files changed, 9 insertions(+), 6 deletions(-)
--
2.34.1
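The mechanism the cover letter describes, as an added stand-alone model rather than kernel code or the patches themselves: a tunnel is hashed in the per-netns table of the namespace it was created in (the cached t->net), the device is then moved to another namespace, and a changelink that resolves the table through dev_net() unlinks from the wrong table and re-links there, leaving the creation namespace with a reference it never drops. The struct names, the single-key hash and the two changelink variants below are simplifications for illustration, not the kernel's real data structures or function names.

```c
/* Added illustrative model of the changelink netns mismatch; not kernel code.
 * "struct net" and "struct tunnel" are constructed stand-ins for the kernel's
 * per-netns tunnel hash and the tunnel private data (ip6_tnl). */
#include <stddef.h>
#include <stdio.h>

#define HASH_SIZE 16

struct tunnel;

/* Per-namespace hash of tunnels keyed by remote address. */
struct net {
	struct tunnel *hash[HASH_SIZE];
};

struct tunnel {
	struct net *net;      /* creation netns, cached at newlink (the t->net of the patches) */
	struct net *dev_net;  /* netns the device currently lives in (what dev_net(dev) returns) */
	unsigned int remote;  /* hash key */
	struct tunnel *next;
};

static unsigned int hash_key(unsigned int remote) { return remote % HASH_SIZE; }

static void tunnel_link(struct net *net, struct tunnel *t)
{
	struct tunnel **head = &net->hash[hash_key(t->remote)];
	t->next = *head;
	*head = t;
}

/* Returns 1 if t was found in net's hash and removed, 0 if it was not there. */
static int tunnel_unlink(struct net *net, struct tunnel *t)
{
	struct tunnel **pp;
	for (pp = &net->hash[hash_key(t->remote)]; *pp; pp = &(*pp)->next) {
		if (*pp == t) {
			*pp = t->next;
			t->next = NULL;
			return 1;
		}
	}
	return 0;
}

/* Number of hash entries in net that reference t (scans every bucket). */
static int net_refs(const struct net *net, const struct tunnel *t)
{
	int n = 0, i;
	for (i = 0; i < HASH_SIZE; i++)
		for (const struct tunnel *p = net->hash[i]; p; p = p->next)
			n += (p == t);
	return n;
}

/* Pre-fix shape: the hash is resolved via the device's current netns. */
static void changelink_dev_net(struct tunnel *t, unsigned int new_remote)
{
	struct net *net = t->dev_net;
	tunnel_unlink(net, t);   /* misses: t is linked in t->net, not here */
	t->remote = new_remote;
	tunnel_link(net, t);     /* second entry in the wrong netns; the old one stays */
}

/* Fixed shape: use the netns cached at creation, as both patches do. */
static void changelink_cached_net(struct tunnel *t, unsigned int new_remote)
{
	struct net *net = t->net;
	tunnel_unlink(net, t);
	t->remote = new_remote;
	tunnel_link(net, t);
}

/* newlink in ns_a, move the device to ns_b, then changelink.
 * Returns how many hash references exist beyond the single correct one;
 * 0 means the tables are consistent. */
int stale_refs_after_changelink(int use_cached_net)
{
	struct net ns_a = {{NULL}}, ns_b = {{NULL}};
	struct tunnel t = { .net = &ns_a, .dev_net = &ns_a, .remote = 0x2001 };

	tunnel_link(t.net, &t);   /* newlink links into the creation netns */
	t.dev_net = &ns_b;        /* device migrated; the cached t.net is unchanged */

	if (use_cached_net)
		changelink_cached_net(&t, 0x2002);
	else
		changelink_dev_net(&t, 0x2002);

	return net_refs(&ns_a, &t) + net_refs(&ns_b, &t) - 1;
}

int main(void)
{
	printf("dev_net() lookup: %d stale reference(s)\n", stale_refs_after_changelink(0));
	printf("cached t->net:    %d stale reference(s)\n", stale_refs_after_changelink(1));
	return 0;
}
```

In the dev_net() variant the creation namespace keeps a pointer to the tunnel that nothing removes; once the tunnel's memory is freed through the other namespace, the creation namespace's cleanup walk is the use-after-free KASAN reports. The cached-netns variant keeps exactly one entry, in the table that will also be walked when that tunnel is torn down.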
Thread overview: 9+ messages
2026-04-28 11:07 Maoyi Xie [this message]
2026-04-28 11:07 ` [PATCH net 1/2] ip6: vti: Use ip6_tnl.net in vti6_changelink() Maoyi Xie
2026-04-28 13:14 ` Eric Dumazet
2026-04-28 11:07 ` [PATCH net 2/2] ip6_gre: Use cached t->net in ip6erspan_changelink() Maoyi Xie
2026-04-28 13:14 ` Eric Dumazet
2026-04-28 19:49 ` Kuniyuki Iwashima
2026-04-29 1:58 ` Xiao Liang
2026-04-29 2:00 ` Eric Dumazet
2026-04-29 2:38 ` Xiao Liang