Re: [PATCH net-next] rtnetlink: use dev_isalive() in rtnl_getlink()

Netdev List
 help / color / mirror / Atom feed

From: Jiayuan Chen <jiayuan.chen@linux.dev>
To: Eric Dumazet <edumazet@google.com>,
	"David S . Miller" <davem@davemloft.net>,
	Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>
Cc: Kuniyuki Iwashima <kuniyu@google.com>,
	Simon Horman <horms@kernel.org>,
	netdev@vger.kernel.org, eric.dumazet@gmail.com
Subject: Re: [PATCH net-next] rtnetlink: use dev_isalive() in rtnl_getlink()
Date: Tue, 2 Jun 2026 20:23:09 +0800	[thread overview]
Message-ID: <319850b8-1374-44db-93a6-1203853de498@linux.dev> (raw)
In-Reply-To: <20260602091319.1753654-1-edumazet@google.com>


On 6/2/26 5:13 PM, Eric Dumazet wrote:
> rtnl_getlink() uses an RCU lookup to get the netdevice pointer.
>
> When/If rtnl_lock() is used, we should check if the netdevice is not
> being dismantled before potentially perform illegal actions.
>
> Move dev_isalive() out of net/core/net-sysfs.c and make it available
> in include/linux/netdevice.h
>
> Return -ENODEV if rtnl_getlink() finds a device which is currently
> being dismantled and RTNL is requested.
>
> Fixes: e896e5c0734b ("rtnetlink: do not acquire RTNL in rtnl_getlink() with RTEXT_FILTER_NAME_ONLY")
> Signed-off-by: Eric Dumazet <edumazet@google.com>
> Suggested-by: Jakub Kicinski <kuba@kernel.org>
> ---
>   include/linux/netdevice.h | 6 ++++++
>   net/core/net-sysfs.c      | 6 ------
>   net/core/rtnetlink.c      | 5 +++++
>   3 files changed, 11 insertions(+), 6 deletions(-)
>
> diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h
> index 74507c006490f180d2fac6594f6dcf2c86d53919..bfc847bc47fd957b58174dc4d2b82e2e8b461405 100644
> --- a/include/linux/netdevice.h
> +++ b/include/linux/netdevice.h
> @@ -5660,6 +5660,12 @@ static inline const char *netdev_name(const struct net_device *dev)
>   	return dev->name;
>   }
>   
> +/* Caller holds RTNL, netdev->lock or RCU */
> +static inline bool dev_isalive(const struct net_device *dev)
> +{
> +	return READ_ONCE(dev->reg_state) <= NETREG_REGISTERED;
> +}
> +
>   static inline const char *netdev_reg_state(const struct net_device *dev)
>   {
>   	u8 reg_state = READ_ONCE(dev->reg_state);
> diff --git a/net/core/net-sysfs.c b/net/core/net-sysfs.c
> index 3318b5666e438fe5bab2bcfed2bb260c7b4d5a63..0e71c9ed41e81d85af33a4339f556a0c5d760243 100644
> --- a/net/core/net-sysfs.c
> +++ b/net/core/net-sysfs.c
> @@ -37,12 +37,6 @@ static const char fmt_uint[] = "%u\n";
>   static const char fmt_ulong[] = "%lu\n";
>   static const char fmt_u64[] = "%llu\n";
>   
> -/* Caller holds RTNL, netdev->lock or RCU */
> -static inline int dev_isalive(const struct net_device *dev)
> -{
> -	return READ_ONCE(dev->reg_state) <= NETREG_REGISTERED;
> -}
> -
>   /* There is a possible ABBA deadlock between rtnl_lock and kernfs_node->active,
>    * when unregistering a net device and accessing associated sysfs files. The
>    * potential deadlock is as follow:
> diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
> index 652dd008955a90691403de9a54d8693d64ea7799..9e90d02b73c2909409e12adfcec3940b49dcbaa1 100644
> --- a/net/core/rtnetlink.c
> +++ b/net/core/rtnetlink.c
> @@ -4265,6 +4265,10 @@ static int rtnl_getlink(struct sk_buff *skb, struct nlmsghdr *nlh,
>   retry:
>   	if (need_rtnl) {
>   		rtnl_lock();
> +		if (!dev_isalive(dev)) {
> +			err = -ENODEV;
> +			goto unlock;


This does fix the macvlan UAF, thanks.

But 'nskb' is used uninitialized, so the kfree_skb(nskb) below frees an 
uninitialized pointer.

+unlock:
     if (need_rtnl)
             rtnl_unlock();

     if (err < 0) {
             kfree_skb(nskb);   /* nskb is uninitialized when reached 
via goto unlock */
             ...
     }


> +		}
>   		/* Synchronize the carrier state so we don't report a state
>   		 * that we're not actually going to honour immediately; if
>   		 * the driver just did a carrier off->on transition, we can
> @@ -4282,6 +4286,7 @@ static int rtnl_getlink(struct sk_buff *skb, struct nlmsghdr *nlh,
>   				       nlh->nlmsg_seq, 0, 0, ext_filter_mask,
>   				       0, NULL, 0, netnsid, GFP_KERNEL);
>   
> +unlock:
>   	if (need_rtnl)
>   		rtnl_unlock();
>

next prev parent reply	other threads:[~2026-06-02 12:23 UTC|newest]

Thread overview: 5+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-06-02  9:13 [PATCH net-next] rtnetlink: use dev_isalive() in rtnl_getlink() Eric Dumazet
2026-06-02 12:23 ` Jiayuan Chen [this message]
2026-06-02 12:47   ` Eric Dumazet
2026-06-02 17:57 ` Jakub Kicinski
2026-06-02 18:36   ` Eric Dumazet

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=319850b8-1374-44db-93a6-1203853de498@linux.dev \
    --to=jiayuan.chen@linux.dev \
    --cc=davem@davemloft.net \
    --cc=edumazet@google.com \
    --cc=eric.dumazet@gmail.com \
    --cc=horms@kernel.org \
    --cc=kuba@kernel.org \
    --cc=kuniyu@google.com \
    --cc=netdev@vger.kernel.org \
    --cc=pabeni@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox