[PATCH v2 net-next 0/7] net: Fix UAF of sk_dst_get(sk)->dev.

[PATCH v2 net-next 0/7] net: Fix UAF of sk_dst_get(sk)->dev.

[Kuniyuki Iwashima]

syzbot caught use-after-free of sk_dst_get(sk)->dev,
which was not fetched under RCU nor RTNL. [0]

Patch 1 ~ 5, 7 fix UAF in smc, tcp, ktls, mptcp
Patch 6 fixes dst ref leak in mptcp


[0]: https://lore.kernel.org/netdev/68c237c7.050a0220.3c6139.0036.GAE@google.com/


Changes:
  v2:
    * Rebase to net-next (Eric)
    * Drop tcp patch as it's already fixed in net-next (Eric)
    * Drop sk_dst_dev_rcu() helper patch and use dst_dev_rcu() directly (Eric)
    * Split mptcp dst_release() patch (Matthieu)

  v1: https://lore.kernel.org/netdev/20250911030620.1284754-1-kuniyu@google.com/


Kuniyuki Iwashima (7):
  smc: Fix use-after-free in __pnet_find_base_ndev().
  smc: Use __sk_dst_get() and dst_dev_rcu() in in smc_clc_prfx_set().
  smc: Use __sk_dst_get() and dst_dev_rcu() in smc_clc_prfx_match().
  smc: Use __sk_dst_get() and dst_dev_rcu() in smc_vlan_by_tcpsk().
  tls: Use __sk_dst_get() and dst_dev_rcu() in get_netdev_for_sock().
  mptcp: Call dst_release() in mptcp_active_enable().
  mptcp: Use __sk_dst_get() and dst_dev_rcu() in mptcp_active_enable().

 net/mptcp/ctrl.c     |  9 ++++--
 net/smc/smc_clc.c    | 67 +++++++++++++++++++++++---------------------
 net/smc/smc_core.c   | 27 ++++++++----------
 net/smc/smc_pnet.c   | 43 ++++++++++++++--------------
 net/tls/tls_device.c | 18 ++++++------
 5 files changed, 86 insertions(+), 78 deletions(-)

-- 
2.51.0.384.g4c02a37b29-goog

[PATCH v2 net-next 1/7] smc: Fix use-after-free in __pnet_find_base_ndev().

[Kuniyuki Iwashima]

syzbot reported use-after-free of net_device in __pnet_find_base_ndev(),
which was called during connect(). [0]

smc_pnet_find_ism_resource() fetches sk_dst_get(sk)->dev and passes
down to pnet_find_base_ndev(), where RTNL is held.  Then, UAF happened
at __pnet_find_base_ndev() when the dev is first used.

This means dev had already been freed before acquiring RTNL in
pnet_find_base_ndev().

While dev is going away, dst->dev could be swapped with blackhole_netdev,
and the dev's refcnt by dst will be released.

We must hold dev's refcnt before calling smc_pnet_find_ism_resource().

Also, smc_pnet_find_roce_resource() has the same problem.

Let's use __sk_dst_get() and dst_dev_rcu() in the two functions.

[0]:
BUG: KASAN: use-after-free in __pnet_find_base_ndev+0x1b1/0x1c0 net/smc/smc_pnet.c:926
Read of size 1 at addr ffff888036bac33a by task syz.0.3632/18609

CPU: 1 UID: 0 PID: 18609 Comm: syz.0.3632 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025
Call Trace:
 <TASK>
 dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xca/0x240 mm/kasan/report.c:482
 kasan_report+0x118/0x150 mm/kasan/report.c:595
 __pnet_find_base_ndev+0x1b1/0x1c0 net/smc/smc_pnet.c:926
 pnet_find_base_ndev net/smc/smc_pnet.c:946 [inline]
 smc_pnet_find_ism_by_pnetid net/smc/smc_pnet.c:1103 [inline]
 smc_pnet_find_ism_resource+0xef/0x390 net/smc/smc_pnet.c:1154
 smc_find_ism_device net/smc/af_smc.c:1030 [inline]
 smc_find_proposal_devices net/smc/af_smc.c:1115 [inline]
 __smc_connect+0x372/0x1890 net/smc/af_smc.c:1545
 smc_connect+0x877/0xd90 net/smc/af_smc.c:1715
 __sys_connect_file net/socket.c:2086 [inline]
 __sys_connect+0x313/0x440 net/socket.c:2105
 __do_sys_connect net/socket.c:2111 [inline]
 __se_sys_connect net/socket.c:2108 [inline]
 __x64_sys_connect+0x7a/0x90 net/socket.c:2108
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f47cbf8eba9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f47ccdb1038 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
RAX: ffffffffffffffda RBX: 00007f47cc1d5fa0 RCX: 00007f47cbf8eba9
RDX: 0000000000000010 RSI: 0000200000000280 RDI: 000000000000000b
RBP: 00007f47cc011e19 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f47cc1d6038 R14: 00007f47cc1d5fa0 R15: 00007ffc512f8aa8
 </TASK>

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888036bacd00 pfn:0x36bac
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 ffffea0001243d08 ffff8880b863fdc0 0000000000000000
raw: ffff888036bacd00 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 2, migratetype Unmovable, gfp_mask 0x446dc0(GFP_KERNEL_ACCOUNT|__GFP_ZERO|__GFP_NOWARN|__GFP_RETRY_MAYFAIL|__GFP_COMP), pid 16741, tgid 16741 (syz-executor), ts 343313197788, free_ts 380670750466
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x240/0x2a0 mm/page_alloc.c:1851
 prep_new_page mm/page_alloc.c:1859 [inline]
 get_page_from_freelist+0x21e4/0x22c0 mm/page_alloc.c:3858
 __alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:5148
 alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2416
 ___kmalloc_large_node+0x5f/0x1b0 mm/slub.c:4317
 __kmalloc_large_node_noprof+0x18/0x90 mm/slub.c:4348
 __do_kmalloc_node mm/slub.c:4364 [inline]
 __kvmalloc_node_noprof+0x6d/0x5f0 mm/slub.c:5067
 alloc_netdev_mqs+0xa3/0x11b0 net/core/dev.c:11812
 tun_set_iff+0x532/0xef0 drivers/net/tun.c:2775
 __tun_chr_ioctl+0x788/0x1df0 drivers/net/tun.c:3085
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:598 [inline]
 __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:584
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 18610 tgid 18608 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1395 [inline]
 __free_frozen_pages+0xbc4/0xd30 mm/page_alloc.c:2895
 free_large_kmalloc+0x13a/0x1f0 mm/slub.c:4820
 device_release+0x99/0x1c0 drivers/base/core.c:-1
 kobject_cleanup lib/kobject.c:689 [inline]
 kobject_release lib/kobject.c:720 [inline]
 kref_put include/linux/kref.h:65 [inline]
 kobject_put+0x22b/0x480 lib/kobject.c:737
 netdev_run_todo+0xd2e/0xea0 net/core/dev.c:11513
 rtnl_unlock net/core/rtnetlink.c:157 [inline]
 rtnl_net_unlock include/linux/rtnetlink.h:135 [inline]
 rtnl_dellink+0x537/0x710 net/core/rtnetlink.c:3563
 rtnetlink_rcv_msg+0x7cc/0xb70 net/core/rtnetlink.c:6946
 netlink_rcv_skb+0x208/0x470 net/netlink/af_netlink.c:2552
 netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]
 netlink_unicast+0x82f/0x9e0 net/netlink/af_netlink.c:1346
 netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1896
 sock_sendmsg_nosec net/socket.c:714 [inline]
 __sock_sendmsg+0x219/0x270 net/socket.c:729
 ____sys_sendmsg+0x505/0x830 net/socket.c:2614
 ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2668
 __sys_sendmsg net/socket.c:2700 [inline]
 __do_sys_sendmsg net/socket.c:2705 [inline]
 __se_sys_sendmsg net/socket.c:2703 [inline]
 __x64_sys_sendmsg+0x19b/0x260 net/socket.c:2703
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:
 ffff888036bac200: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff888036bac280: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff888036bac300: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                        ^
 ffff888036bac380: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff888036bac400: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff

Fixes: 0afff91c6f5e ("net/smc: add pnetid support")
Fixes: 1619f770589a ("net/smc: add pnetid support for SMC-D and ISM")
Reported-by: syzbot+ea28e9d85be2f327b6c6@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/netdev/68c237c7.050a0220.3c6139.0036.GAE@google.com/
Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
---
Cc: "D. Wythe" <alibuda@linux.alibaba.com>
Cc: Dust Li <dust.li@linux.alibaba.com>
Cc: Sidraya Jayagond <sidraya@linux.ibm.com>
Cc: Wenjia Zhang <wenjia@linux.ibm.com>
Cc: Mahanta Jambigi <mjambigi@linux.ibm.com>
Cc: Tony Lu <tonylu@linux.alibaba.com>
Cc: Wen Gu <guwen@linux.alibaba.com>
Cc: Ursula Braun <ubraun@linux.ibm.com>
Cc: Hans Wippel <hwippel@linux.ibm.com>
---
 net/smc/smc_pnet.c | 43 ++++++++++++++++++++++---------------------
 1 file changed, 22 insertions(+), 21 deletions(-)

diff --git a/net/smc/smc_pnet.c b/net/smc/smc_pnet.c
index b90337f86e83..7225b5fa17a6 100644
--- a/net/smc/smc_pnet.c
+++ b/net/smc/smc_pnet.c
@@ -1126,37 +1126,38 @@ static void smc_pnet_find_ism_by_pnetid(struct net_device *ndev,
  */
 void smc_pnet_find_roce_resource(struct sock *sk, struct smc_init_info *ini)
 {
-	struct dst_entry *dst = sk_dst_get(sk);
-
-	if (!dst)
-		goto out;
-	if (!dst->dev)
-		goto out_rel;
+	struct net_device *dev;
+	struct dst_entry *dst;
 
-	smc_pnet_find_roce_by_pnetid(dst->dev, ini);
+	rcu_read_lock();
+	dst = __sk_dst_get(sk);
+	dev = dst ? dst_dev_rcu(dst) : NULL;
+	dev_hold(dev);
+	rcu_read_unlock();
 
-out_rel:
-	dst_release(dst);
-out:
-	return;
+	if (dev) {
+		smc_pnet_find_roce_by_pnetid(dev, ini);
+		dev_put(dev);
+	}
 }
 
 void smc_pnet_find_ism_resource(struct sock *sk, struct smc_init_info *ini)
 {
-	struct dst_entry *dst = sk_dst_get(sk);
+	struct net_device *dev;
+	struct dst_entry *dst;
 
 	ini->ism_dev[0] = NULL;
-	if (!dst)
-		goto out;
-	if (!dst->dev)
-		goto out_rel;
 
-	smc_pnet_find_ism_by_pnetid(dst->dev, ini);
+	rcu_read_lock();
+	dst = __sk_dst_get(sk);
+	dev = dst ? dst_dev_rcu(dst) : NULL;
+	dev_hold(dev);
+	rcu_read_unlock();
 
-out_rel:
-	dst_release(dst);
-out:
-	return;
+	if (dev) {
+		smc_pnet_find_ism_by_pnetid(dev, ini);
+		dev_put(dev);
+	}
 }
 
 /* Lookup and apply a pnet table entry to the given ib device.
-- 
2.51.0.384.g4c02a37b29-goog

Re: [PATCH v2 net-next 1/7] smc: Fix use-after-free in __pnet_find_base_ndev().

[Mahanta Jambigi]

On 17/09/25 3:17 am, Kuniyuki Iwashima wrote:
> +	dst = __sk_dst_get(sk);
> +	dev = dst ? dst_dev_rcu(dst) : NULL;
> +	dev_hold(dev);

We should hold the reference to dev only if it's non-NULL(although
netdev_hold() has this sanity check), as we are doing the same while
releasing the reference to dev in below code:

if(dev) {
    smc_pnet_find_roce_by_pnetid(dev, ini);
    dev_put(dev);
}

Same applies to changes in smc_pnet_find_ism_resource().

Re: [PATCH v2 net-next 1/7] smc: Fix use-after-free in __pnet_find_base_ndev().

[Kuniyuki Iwashima]

On Tue, Sep 16, 2025 at 11:52 PM Mahanta Jambigi <mjambigi@linux.ibm.com> wrote:
>
> On 17/09/25 3:17 am, Kuniyuki Iwashima wrote:
> > +     dst = __sk_dst_get(sk);
> > +     dev = dst ? dst_dev_rcu(dst) : NULL;
> > +     dev_hold(dev);
>
> We should hold the reference to dev only if it's non-NULL(although
> netdev_hold() has this sanity check), as we are doing the same while
> releasing the reference to dev in below code:

dev_hold() must be done under RCU.


>
> if(dev) {
>     smc_pnet_find_roce_by_pnetid(dev, ini);
>     dev_put(dev);
> }
>
> Same applies to changes in smc_pnet_find_ism_resource().

Re: [PATCH v2 net-next 1/7] smc: Fix use-after-free in __pnet_find_base_ndev().

[Eric Dumazet]

On Tue, Sep 16, 2025 at 2:48 PM Kuniyuki Iwashima <kuniyu@google.com> wrote:
>
> syzbot reported use-after-free of net_device in __pnet_find_base_ndev(),
> which was called during connect(). [0]
>
> smc_pnet_find_ism_resource() fetches sk_dst_get(sk)->dev and passes
> down to pnet_find_base_ndev(), where RTNL is held.  Then, UAF happened
> at __pnet_find_base_ndev() when the dev is first used.
>
> This means dev had already been freed before acquiring RTNL in
> pnet_find_base_ndev().
>
> While dev is going away, dst->dev could be swapped with blackhole_netdev,
> and the dev's refcnt by dst will be released.
>
> We must hold dev's refcnt before calling smc_pnet_find_ism_resource().
>
> Also, smc_pnet_find_roce_resource() has the same problem.
>
> Let's use __sk_dst_get() and dst_dev_rcu() in the two functions.
>

> Fixes: 0afff91c6f5e ("net/smc: add pnetid support")
> Fixes: 1619f770589a ("net/smc: add pnetid support for SMC-D and ISM")
> Reported-by: syzbot+ea28e9d85be2f327b6c6@syzkaller.appspotmail.com
> Closes: https://lore.kernel.org/netdev/68c237c7.050a0220.3c6139.0036.GAE@google.com/
> Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>

Reviewed-by: Eric Dumazet <edumazet@google.com>

[PATCH v2 net-next 2/7] smc: Use __sk_dst_get() and dst_dev_rcu() in in smc_clc_prfx_set().

[Kuniyuki Iwashima]

smc_clc_prfx_set() is called during connect() and not under RCU
nor RTNL.

Using sk_dst_get(sk)->dev could trigger UAF.

Let's use __sk_dst_get() and dev_dst_rcu() under rcu_read_lock()
after kernel_getsockname().

Note that the returned value of smc_clc_prfx_set() is not used
in the caller.

While at it, we change the 1st arg of smc_clc_prfx_set[46]_rcu()
not to touch dst there.

Fixes: a046d57da19f ("smc: CLC handshake (incl. preparation steps)")
Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
---
Cc: "D. Wythe" <alibuda@linux.alibaba.com>
Cc: Dust Li <dust.li@linux.alibaba.com>
Cc: Sidraya Jayagond <sidraya@linux.ibm.com>
Cc: Wenjia Zhang <wenjia@linux.ibm.com>
Cc: Mahanta Jambigi <mjambigi@linux.ibm.com>
Cc: Tony Lu <tonylu@linux.alibaba.com>
Cc: Wen Gu <guwen@linux.alibaba.com>
Cc: Ursula Braun <ubraun@linux.vnet.ibm.com>
---
 net/smc/smc_clc.c | 41 ++++++++++++++++++++++-------------------
 1 file changed, 22 insertions(+), 19 deletions(-)

diff --git a/net/smc/smc_clc.c b/net/smc/smc_clc.c
index 08be56dfb3f2..976b2102bdfc 100644
--- a/net/smc/smc_clc.c
+++ b/net/smc/smc_clc.c
@@ -509,10 +509,10 @@ static bool smc_clc_msg_hdr_valid(struct smc_clc_msg_hdr *clcm, bool check_trl)
 }
 
 /* find ipv4 addr on device and get the prefix len, fill CLC proposal msg */
-static int smc_clc_prfx_set4_rcu(struct dst_entry *dst, __be32 ipv4,
+static int smc_clc_prfx_set4_rcu(struct net_device *dev, __be32 ipv4,
 				 struct smc_clc_msg_proposal_prefix *prop)
 {
-	struct in_device *in_dev = __in_dev_get_rcu(dst->dev);
+	struct in_device *in_dev = __in_dev_get_rcu(dev);
 	const struct in_ifaddr *ifa;
 
 	if (!in_dev)
@@ -530,12 +530,12 @@ static int smc_clc_prfx_set4_rcu(struct dst_entry *dst, __be32 ipv4,
 }
 
 /* fill CLC proposal msg with ipv6 prefixes from device */
-static int smc_clc_prfx_set6_rcu(struct dst_entry *dst,
+static int smc_clc_prfx_set6_rcu(struct net_device *dev,
 				 struct smc_clc_msg_proposal_prefix *prop,
 				 struct smc_clc_ipv6_prefix *ipv6_prfx)
 {
 #if IS_ENABLED(CONFIG_IPV6)
-	struct inet6_dev *in6_dev = __in6_dev_get(dst->dev);
+	struct inet6_dev *in6_dev = __in6_dev_get(dev);
 	struct inet6_ifaddr *ifa;
 	int cnt = 0;
 
@@ -564,41 +564,44 @@ static int smc_clc_prfx_set(struct socket *clcsock,
 			    struct smc_clc_msg_proposal_prefix *prop,
 			    struct smc_clc_ipv6_prefix *ipv6_prfx)
 {
-	struct dst_entry *dst = sk_dst_get(clcsock->sk);
 	struct sockaddr_storage addrs;
 	struct sockaddr_in6 *addr6;
 	struct sockaddr_in *addr;
+	struct net_device *dev;
+	struct dst_entry *dst;
 	int rc = -ENOENT;
 
-	if (!dst) {
-		rc = -ENOTCONN;
-		goto out;
-	}
-	if (!dst->dev) {
-		rc = -ENODEV;
-		goto out_rel;
-	}
 	/* get address to which the internal TCP socket is bound */
 	if (kernel_getsockname(clcsock, (struct sockaddr *)&addrs) < 0)
-		goto out_rel;
+		goto out;
+
 	/* analyze IP specific data of net_device belonging to TCP socket */
 	addr6 = (struct sockaddr_in6 *)&addrs;
+
 	rcu_read_lock();
+
+	dst = __sk_dst_get(clcsock->sk);
+	dev = dst ? dst_dev_rcu(dst) : NULL;
+	if (!dev) {
+		rc = -ENODEV;
+		goto out_unlock;
+	}
+
 	if (addrs.ss_family == PF_INET) {
 		/* IPv4 */
 		addr = (struct sockaddr_in *)&addrs;
-		rc = smc_clc_prfx_set4_rcu(dst, addr->sin_addr.s_addr, prop);
+		rc = smc_clc_prfx_set4_rcu(dev, addr->sin_addr.s_addr, prop);
 	} else if (ipv6_addr_v4mapped(&addr6->sin6_addr)) {
 		/* mapped IPv4 address - peer is IPv4 only */
-		rc = smc_clc_prfx_set4_rcu(dst, addr6->sin6_addr.s6_addr32[3],
+		rc = smc_clc_prfx_set4_rcu(dev, addr6->sin6_addr.s6_addr32[3],
 					   prop);
 	} else {
 		/* IPv6 */
-		rc = smc_clc_prfx_set6_rcu(dst, prop, ipv6_prfx);
+		rc = smc_clc_prfx_set6_rcu(dev, prop, ipv6_prfx);
 	}
+
+out_unlock:
 	rcu_read_unlock();
-out_rel:
-	dst_release(dst);
 out:
 	return rc;
 }
-- 
2.51.0.384.g4c02a37b29-goog

Re: [PATCH v2 net-next 2/7] smc: Use __sk_dst_get() and dst_dev_rcu() in in smc_clc_prfx_set().

[Eric Dumazet]

On Tue, Sep 16, 2025 at 2:48 PM Kuniyuki Iwashima <kuniyu@google.com> wrote:
>
> smc_clc_prfx_set() is called during connect() and not under RCU
> nor RTNL.
>
> Using sk_dst_get(sk)->dev could trigger UAF.
>
> Let's use __sk_dst_get() and dev_dst_rcu() under rcu_read_lock()
> after kernel_getsockname().
>
> Note that the returned value of smc_clc_prfx_set() is not used
> in the caller.
>
> While at it, we change the 1st arg of smc_clc_prfx_set[46]_rcu()
> not to touch dst there.
>
> Fixes: a046d57da19f ("smc: CLC handshake (incl. preparation steps)")
> Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>

Reviewed-by: Eric Dumazet <edumazet@google.com>

[PATCH v2 net-next 3/7] smc: Use __sk_dst_get() and dst_dev_rcu() in smc_clc_prfx_match().

[Kuniyuki Iwashima]

smc_clc_prfx_match() is called from smc_listen_work() and
not under RCU nor RTNL.

Using sk_dst_get(sk)->dev could trigger UAF.

Let's use __sk_dst_get() and dst_dev_rcu().

Note that the returned value of smc_clc_prfx_match() is not
used in the caller.

Fixes: a046d57da19f ("smc: CLC handshake (incl. preparation steps)")
Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
---
Cc: "D. Wythe" <alibuda@linux.alibaba.com>
Cc: Dust Li <dust.li@linux.alibaba.com>
Cc: Sidraya Jayagond <sidraya@linux.ibm.com>
Cc: Wenjia Zhang <wenjia@linux.ibm.com>
Cc: Mahanta Jambigi <mjambigi@linux.ibm.com>
Cc: Tony Lu <tonylu@linux.alibaba.com>
Cc: Wen Gu <guwen@linux.alibaba.com>
Cc: Ursula Braun <ubraun@linux.vnet.ibm.com>
---
 net/smc/smc_clc.c | 26 +++++++++++++-------------
 1 file changed, 13 insertions(+), 13 deletions(-)

diff --git a/net/smc/smc_clc.c b/net/smc/smc_clc.c
index 976b2102bdfc..09745baa1017 100644
--- a/net/smc/smc_clc.c
+++ b/net/smc/smc_clc.c
@@ -657,26 +657,26 @@ static int smc_clc_prfx_match6_rcu(struct net_device *dev,
 int smc_clc_prfx_match(struct socket *clcsock,
 		       struct smc_clc_msg_proposal_prefix *prop)
 {
-	struct dst_entry *dst = sk_dst_get(clcsock->sk);
+	struct net_device *dev;
+	struct dst_entry *dst;
 	int rc;
 
-	if (!dst) {
-		rc = -ENOTCONN;
-		goto out;
-	}
-	if (!dst->dev) {
+	rcu_read_lock();
+
+	dst = __sk_dst_get(clcsock->sk);
+	dev = dst ? dst_dev_rcu(dst) : NULL;
+	if (!dev) {
 		rc = -ENODEV;
-		goto out_rel;
+		goto out;
 	}
-	rcu_read_lock();
+
 	if (!prop->ipv6_prefixes_cnt)
-		rc = smc_clc_prfx_match4_rcu(dst->dev, prop);
+		rc = smc_clc_prfx_match4_rcu(dev, prop);
 	else
-		rc = smc_clc_prfx_match6_rcu(dst->dev, prop);
-	rcu_read_unlock();
-out_rel:
-	dst_release(dst);
+		rc = smc_clc_prfx_match6_rcu(dev, prop);
 out:
+	rcu_read_unlock();
+
 	return rc;
 }
 
-- 
2.51.0.384.g4c02a37b29-goog

Re: [PATCH v2 net-next 3/7] smc: Use __sk_dst_get() and dst_dev_rcu() in smc_clc_prfx_match().

[Eric Dumazet]

On Tue, Sep 16, 2025 at 2:48 PM Kuniyuki Iwashima <kuniyu@google.com> wrote:
>
> smc_clc_prfx_match() is called from smc_listen_work() and
> not under RCU nor RTNL.
>
> Using sk_dst_get(sk)->dev could trigger UAF.
>
> Let's use __sk_dst_get() and dst_dev_rcu().
>
> Note that the returned value of smc_clc_prfx_match() is not
> used in the caller.
>
> Fixes: a046d57da19f ("smc: CLC handshake (incl. preparation steps)")
> Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>

Reviewed-by: Eric Dumazet <edumazet@google.com>

[PATCH v2 net-next 4/7] smc: Use __sk_dst_get() and dst_dev_rcu() in smc_vlan_by_tcpsk().

[Kuniyuki Iwashima]

smc_vlan_by_tcpsk() fetches sk_dst_get(sk)->dev before RTNL and
passes it to netdev_walk_all_lower_dev(), which is illegal.

Also, smc_vlan_by_tcpsk_walk() does not require RTNL at all.

Let's use __sk_dst_get(), dst_dev_rcu(), and
netdev_walk_all_lower_dev_rcu().

Note that the returned value of smc_vlan_by_tcpsk() is not used
in the caller.

Fixes: 0cfdd8f92cac ("smc: connection and link group creation")
Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
---
Cc: "D. Wythe" <alibuda@linux.alibaba.com>
Cc: Dust Li <dust.li@linux.alibaba.com>
Cc: Sidraya Jayagond <sidraya@linux.ibm.com>
Cc: Wenjia Zhang <wenjia@linux.ibm.com>
Cc: Mahanta Jambigi <mjambigi@linux.ibm.com>
Cc: Tony Lu <tonylu@linux.alibaba.com>
Cc: Wen Gu <guwen@linux.alibaba.com>
Cc: Ursula Braun <ubraun@linux.vnet.ibm.com>
---
 net/smc/smc_core.c | 27 ++++++++++++---------------
 1 file changed, 12 insertions(+), 15 deletions(-)

diff --git a/net/smc/smc_core.c b/net/smc/smc_core.c
index 262746e304dd..2a559a98541c 100644
--- a/net/smc/smc_core.c
+++ b/net/smc/smc_core.c
@@ -1883,35 +1883,32 @@ static int smc_vlan_by_tcpsk_walk(struct net_device *lower_dev,
 /* Determine vlan of internal TCP socket. */
 int smc_vlan_by_tcpsk(struct socket *clcsock, struct smc_init_info *ini)
 {
-	struct dst_entry *dst = sk_dst_get(clcsock->sk);
 	struct netdev_nested_priv priv;
 	struct net_device *ndev;
+	struct dst_entry *dst;
 	int rc = 0;
 
 	ini->vlan_id = 0;
-	if (!dst) {
-		rc = -ENOTCONN;
-		goto out;
-	}
-	if (!dst->dev) {
+
+	rcu_read_lock();
+
+	dst = __sk_dst_get(clcsock->sk);
+	ndev = dst ? dst_dev_rcu(dst) : NULL;
+	if (!ndev) {
 		rc = -ENODEV;
-		goto out_rel;
+		goto out;
 	}
 
-	ndev = dst->dev;
 	if (is_vlan_dev(ndev)) {
 		ini->vlan_id = vlan_dev_vlan_id(ndev);
-		goto out_rel;
+		goto out;
 	}
 
 	priv.data = (void *)&ini->vlan_id;
-	rtnl_lock();
-	netdev_walk_all_lower_dev(ndev, smc_vlan_by_tcpsk_walk, &priv);
-	rtnl_unlock();
-
-out_rel:
-	dst_release(dst);
+	netdev_walk_all_lower_dev_rcu(ndev, smc_vlan_by_tcpsk_walk, &priv);
 out:
+	rcu_read_unlock();
+
 	return rc;
 }
 
-- 
2.51.0.384.g4c02a37b29-goog

Re: [PATCH v2 net-next 4/7] smc: Use __sk_dst_get() and dst_dev_rcu() in smc_vlan_by_tcpsk().

[Mahanta Jambigi]

On 17/09/25 3:17 am, Kuniyuki Iwashima wrote:
> Note that the returned value of smc_vlan_by_tcpsk() is not used
> in the caller.

I see that smc_vlan_by_tcpsk() is called in net/smc/af_smc.c file & the
return value is used in if block to decide whether the ini->vlan_id is
set or not. In failure case, the return value has an impact on the CLC
handshake.

Re: [PATCH v2 net-next 4/7] smc: Use __sk_dst_get() and dst_dev_rcu() in smc_vlan_by_tcpsk().

[Eric Dumazet]

On Wed, Sep 17, 2025 at 2:14 AM Mahanta Jambigi <mjambigi@linux.ibm.com> wrote:
>
>
>
> On 17/09/25 3:17 am, Kuniyuki Iwashima wrote:
> > Note that the returned value of smc_vlan_by_tcpsk() is not used
> > in the caller.
>
> I see that smc_vlan_by_tcpsk() is called in net/smc/af_smc.c file & the
> return value is used in if block to decide whether the ini->vlan_id is
> set or not. In failure case, the return value has an impact on the CLC
> handshake.

I guess Kuniyuki wanted to say the precise error (-ENODEV or
-ENOTCONN) was not used,
because his patch is now only returning -ENODEV

Reviewed-by: Eric Dumazet <edumazet@google.com>

Re: [PATCH v2 net-next 4/7] smc: Use __sk_dst_get() and dst_dev_rcu() in smc_vlan_by_tcpsk().

[Kuniyuki Iwashima]

On Wed, Sep 17, 2025 at 7:09 AM Eric Dumazet <edumazet@google.com> wrote:
>
> On Wed, Sep 17, 2025 at 2:14 AM Mahanta Jambigi <mjambigi@linux.ibm.com> wrote:
> >
> >
> >
> > On 17/09/25 3:17 am, Kuniyuki Iwashima wrote:
> > > Note that the returned value of smc_vlan_by_tcpsk() is not used
> > > in the caller.
> >
> > I see that smc_vlan_by_tcpsk() is called in net/smc/af_smc.c file & the
> > return value is used in if block to decide whether the ini->vlan_id is
> > set or not. In failure case, the return value has an impact on the CLC
> > handshake.
>
> I guess Kuniyuki wanted to say the precise error (-ENODEV or
> -ENOTCONN) was not used,
> because his patch is now only returning -ENODEV

Yes, that was my intention.

Thanks!

Re: [PATCH v2 net-next 4/7] smc: Use __sk_dst_get() and dst_dev_rcu() in smc_vlan_by_tcpsk().

[Mahanta Jambigi]

On 17/09/25 11:11 pm, Kuniyuki Iwashima wrote:
>>> On 17/09/25 3:17 am, Kuniyuki Iwashima wrote:
>>>> Note that the returned value of smc_vlan_by_tcpsk() is not used
>>>> in the caller.
>>>
>>> I see that smc_vlan_by_tcpsk() is called in net/smc/af_smc.c file & the
>>> return value is used in if block to decide whether the ini->vlan_id is
>>> set or not. In failure case, the return value has an impact on the CLC
>>> handshake.
>>
>> I guess Kuniyuki wanted to say the precise error (-ENODEV or
>> -ENOTCONN) was not used,
>> because his patch is now only returning -ENODEV
> 
> Yes, that was my intention.

Understood. We treat both errors as a single error here.

[PATCH v2 net-next 5/7] tls: Use __sk_dst_get() and dst_dev_rcu() in get_netdev_for_sock().

[Kuniyuki Iwashima]

get_netdev_for_sock() is called during setsockopt(),
so not under RCU.

Using sk_dst_get(sk)->dev could trigger UAF.

Let's use __sk_dst_get() and dst_dev_rcu().

Note that the only ->ndo_sk_get_lower_dev() user is
bond_sk_get_lower_dev(), which uses RCU.

Fixes: e8f69799810c ("net/tls: Add generic NIC offload infrastructure")
Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
---
Cc: John Fastabend <john.fastabend@gmail.com>
Cc: Sabrina Dubroca <sd@queasysnail.net>
Cc: Ilya Lesokhin <ilyal@mellanox.com>
---
 net/tls/tls_device.c | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)

diff --git a/net/tls/tls_device.c b/net/tls/tls_device.c
index f672a62a9a52..a82fdcf19969 100644
--- a/net/tls/tls_device.c
+++ b/net/tls/tls_device.c
@@ -123,17 +123,19 @@ static void tls_device_queue_ctx_destruction(struct tls_context *ctx)
 /* We assume that the socket is already connected */
 static struct net_device *get_netdev_for_sock(struct sock *sk)
 {
-	struct dst_entry *dst = sk_dst_get(sk);
-	struct net_device *netdev = NULL;
+	struct net_device *dev, *lowest_dev = NULL;
+	struct dst_entry *dst;
 
-	if (likely(dst)) {
-		netdev = netdev_sk_get_lowest_dev(dst->dev, sk);
-		dev_hold(netdev);
+	rcu_read_lock();
+	dst = __sk_dst_get(sk);
+	dev = dst ? dst_dev_rcu(dst) : NULL;
+	if (likely(dev)) {
+		lowest_dev = netdev_sk_get_lowest_dev(dev, sk);
+		dev_hold(lowest_dev);
 	}
+	rcu_read_unlock();
 
-	dst_release(dst);
-
-	return netdev;
+	return lowest_dev;
 }
 
 static void destroy_record(struct tls_record_info *record)
-- 
2.51.0.384.g4c02a37b29-goog

Re: [PATCH v2 net-next 5/7] tls: Use __sk_dst_get() and dst_dev_rcu() in get_netdev_for_sock().

[Eric Dumazet]

On Tue, Sep 16, 2025 at 2:48 PM Kuniyuki Iwashima <kuniyu@google.com> wrote:
>
> get_netdev_for_sock() is called during setsockopt(),
> so not under RCU.
>
> Using sk_dst_get(sk)->dev could trigger UAF.
>
> Let's use __sk_dst_get() and dst_dev_rcu().
>
> Note that the only ->ndo_sk_get_lower_dev() user is
> bond_sk_get_lower_dev(), which uses RCU.
>
> Fixes: e8f69799810c ("net/tls: Add generic NIC offload infrastructure")
> Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
> ---

Reviewed-by: Eric Dumazet <edumazet@google.com>

Re: [PATCH v2 net-next 5/7] tls: Use __sk_dst_get() and dst_dev_rcu() in get_netdev_for_sock().

[Sabrina Dubroca]

2025-09-16, 21:47:23 +0000, Kuniyuki Iwashima wrote:
> get_netdev_for_sock() is called during setsockopt(),
> so not under RCU.
> 
> Using sk_dst_get(sk)->dev could trigger UAF.
> 
> Let's use __sk_dst_get() and dst_dev_rcu().
> 
> Note that the only ->ndo_sk_get_lower_dev() user is
> bond_sk_get_lower_dev(), which uses RCU.
> 
> Fixes: e8f69799810c ("net/tls: Add generic NIC offload infrastructure")
> Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>

Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>

-- 
Sabrina

[PATCH v2 net-next 6/7] mptcp: Call dst_release() in mptcp_active_enable().

[Kuniyuki Iwashima]

mptcp_active_enable() calls sk_dst_get(), which returns dst with its
refcount bumped, but forgot dst_release().

Let's add missing dst_release().

Fixes: 27069e7cb3d1 ("mptcp: disable active MPTCP in case of blackhole")
Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
---
v2: split from the next patch as dst_dev_rcu() patch hasn't been
    backported to 6.12+, where the cited commit exists.

Cc: Matthieu Baerts <matttbe@kernel.org>
Cc: Mat Martineau <martineau@kernel.org>
Cc: Geliang Tang <geliang@kernel.org>
---
 net/mptcp/ctrl.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/mptcp/ctrl.c b/net/mptcp/ctrl.c
index fed40dae5583..c0e516872b4b 100644
--- a/net/mptcp/ctrl.c
+++ b/net/mptcp/ctrl.c
@@ -505,6 +505,8 @@ void mptcp_active_enable(struct sock *sk)
 
 		if (dst && dst->dev && (dst->dev->flags & IFF_LOOPBACK))
 			atomic_set(&pernet->active_disable_times, 0);
+
+		dst_release(dst);
 	}
 }
 
-- 
2.51.0.384.g4c02a37b29-goog

Re: [PATCH v2 net-next 6/7] mptcp: Call dst_release() in mptcp_active_enable().

[Matthieu Baerts]

Hi Kuniyuki,

On 16/09/2025 23:47, Kuniyuki Iwashima wrote:
> mptcp_active_enable() calls sk_dst_get(), which returns dst with its
> refcount bumped, but forgot dst_release().
> 
> Let's add missing dst_release().
> 
> Fixes: 27069e7cb3d1 ("mptcp: disable active MPTCP in case of blackhole")
> Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
> ---
> v2: split from the next patch as dst_dev_rcu() patch hasn't been
>     backported to 6.12+, where the cited commit exists.

Thank you for the v2 and for the split!

Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>

Ideally, it would be great to if the 'Cc: stable' tag can be added when
applying the patch, so I would be notified in case of issues with the
backport of this patch.

Cc: stable@vger.kernel.org

Cheers,
Matt
-- 
Sponsored by the NGI0 Core fund.

Re: [PATCH v2 net-next 6/7] mptcp: Call dst_release() in mptcp_active_enable().

[Eric Dumazet]

On Wed, Sep 17, 2025 at 3:17 AM Matthieu Baerts <matttbe@kernel.org> wrote:
>
> Hi Kuniyuki,
>
> On 16/09/2025 23:47, Kuniyuki Iwashima wrote:
> > mptcp_active_enable() calls sk_dst_get(), which returns dst with its
> > refcount bumped, but forgot dst_release().
> >
> > Let's add missing dst_release().
> >
> > Fixes: 27069e7cb3d1 ("mptcp: disable active MPTCP in case of blackhole")
> > Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
> > ---
> > v2: split from the next patch as dst_dev_rcu() patch hasn't been
> >     backported to 6.12+, where the cited commit exists.
>
> Thank you for the v2 and for the split!
>
> Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
>
> Ideally, it would be great to if the 'Cc: stable' tag can be added when
> applying the patch, so I would be notified in case of issues with the
> backport of this patch.
>
> Cc: stable@vger.kernel.org

I almost never use this tag, stable teams automatically catch things
with Fixes: tag which contains a precise bug origin.

Reviewed-by: Eric Dumazet <edumazet@google.com>

Re: [PATCH v2 net-next 6/7] mptcp: Call dst_release() in mptcp_active_enable().

[Matthieu Baerts]

Hi Eric,

On 17/09/2025 16:04, Eric Dumazet wrote:
> On Wed, Sep 17, 2025 at 3:17 AM Matthieu Baerts <matttbe@kernel.org> wrote:
>>
>> Hi Kuniyuki,
>>
>> On 16/09/2025 23:47, Kuniyuki Iwashima wrote:
>>> mptcp_active_enable() calls sk_dst_get(), which returns dst with its
>>> refcount bumped, but forgot dst_release().
>>>
>>> Let's add missing dst_release().
>>>
>>> Fixes: 27069e7cb3d1 ("mptcp: disable active MPTCP in case of blackhole")
>>> Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
>>> ---
>>> v2: split from the next patch as dst_dev_rcu() patch hasn't been
>>>     backported to 6.12+, where the cited commit exists.
>>
>> Thank you for the v2 and for the split!
>>
>> Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
>>
>> Ideally, it would be great to if the 'Cc: stable' tag can be added when
>> applying the patch, so I would be notified in case of issues with the
>> backport of this patch.
>>
>> Cc: stable@vger.kernel.org
> 
> I almost never use this tag, stable teams automatically catch things
> with Fixes: tag which contains a precise bug origin.

Indeed, they do. At the beginning, we were only adding the "Fixes:" tag,
without the "Cc: stable" one -- despite what the doc recommends [1] --
because we didn't see the point to have both. But later, we realised
adding "Cc: stable" results in Greg sending 'FAILED' notifications when
a patch cannot be backported, e.g. [2]. Thanks to that, we only have to
monitor Greg's 'FAILED' notifications to know what couldn't be
backported, instead of tracking each patch individually.

[1] https://docs.kernel.org/process/stable-kernel-rules.html#option-1
[2] https://lore.kernel.org/2025062026-excitable-trunks-92e6@gregkh

> Reviewed-by: Eric Dumazet <edumazet@google.com>

Thank you for the review!

Cheers,
Matt
-- 
Sponsored by the NGI0 Core fund.

[PATCH v2 net-next 7/7] mptcp: Use __sk_dst_get() and dst_dev_rcu() in mptcp_active_enable().

[Kuniyuki Iwashima]

mptcp_active_enable() is called from subflow_finish_connect(),
which is icsk->icsk_af_ops->sk_rx_dst_set() and it's not always
under RCU.

Using sk_dst_get(sk)->dev could trigger UAF.

Let's use __sk_dst_get() and dst_dev_rcu().

Fixes: 27069e7cb3d1 ("mptcp: disable active MPTCP in case of blackhole")
Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
---
Cc: Matthieu Baerts <matttbe@kernel.org>
Cc: Mat Martineau <martineau@kernel.org>
Cc: Geliang Tang <geliang@kernel.org>
---
 net/mptcp/ctrl.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/net/mptcp/ctrl.c b/net/mptcp/ctrl.c
index c0e516872b4b..e8ffa62ec183 100644
--- a/net/mptcp/ctrl.c
+++ b/net/mptcp/ctrl.c
@@ -501,12 +501,15 @@ void mptcp_active_enable(struct sock *sk)
 	struct mptcp_pernet *pernet = mptcp_get_pernet(sock_net(sk));
 
 	if (atomic_read(&pernet->active_disable_times)) {
-		struct dst_entry *dst = sk_dst_get(sk);
+		struct net_device *dev;
+		struct dst_entry *dst;
 
-		if (dst && dst->dev && (dst->dev->flags & IFF_LOOPBACK))
+		rcu_read_lock();
+		dst = __sk_dst_get(sk);
+		dev = dst ? dst_dev_rcu(dst) : NULL;
+		if (dev && (dev->flags & IFF_LOOPBACK))
 			atomic_set(&pernet->active_disable_times, 0);
-
-		dst_release(dst);
+		rcu_read_unlock();
 	}
 }
 
-- 
2.51.0.384.g4c02a37b29-goog

Re: [PATCH v2 net-next 7/7] mptcp: Use __sk_dst_get() and dst_dev_rcu() in mptcp_active_enable().

[Matthieu Baerts]

Hi Kuniyuki,

On 16/09/2025 23:47, Kuniyuki Iwashima wrote:
> mptcp_active_enable() is called from subflow_finish_connect(),
> which is icsk->icsk_af_ops->sk_rx_dst_set() and it's not always
> under RCU.
> 
> Using sk_dst_get(sk)->dev could trigger UAF.
> 
> Let's use __sk_dst_get() and dst_dev_rcu().
> 
> Fixes: 27069e7cb3d1 ("mptcp: disable active MPTCP in case of blackhole")
> Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>

Thank you for the fix! It looks good to me!

Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>

> ---
> Cc: Matthieu Baerts <matttbe@kernel.org>
> Cc: Mat Martineau <martineau@kernel.org>
> Cc: Geliang Tang <geliang@kernel.org>
> ---
>  net/mptcp/ctrl.c | 11 +++++++----
>  1 file changed, 7 insertions(+), 4 deletions(-)
> 
> diff --git a/net/mptcp/ctrl.c b/net/mptcp/ctrl.c
> index c0e516872b4b..e8ffa62ec183 100644
> --- a/net/mptcp/ctrl.c
> +++ b/net/mptcp/ctrl.c
> @@ -501,12 +501,15 @@ void mptcp_active_enable(struct sock *sk)
>  	struct mptcp_pernet *pernet = mptcp_get_pernet(sock_net(sk));
>  
>  	if (atomic_read(&pernet->active_disable_times)) {
> -		struct dst_entry *dst = sk_dst_get(sk);
> +		struct net_device *dev;
> +		struct dst_entry *dst;
>  
> -		if (dst && dst->dev && (dst->dev->flags & IFF_LOOPBACK))

Mmh, I don't know why but the condition was already wrong before your
patch. It should be the opposite: we should reset if we manage to open
an MPTCP connection on a non-loopback interface...

I don't want to block this series for this non-directly related issue.
If you prefer, I can send a fix when this series will be applied. I
guess it would be easier to send it to net-next to avoid conflicts,
which should be fine if we are close to the merge windows.

> +		rcu_read_lock();
> +		dst = __sk_dst_get(sk);
> +		dev = dst ? dst_dev_rcu(dst) : NULL;
> +		if (dev && (dev->flags & IFF_LOOPBACK))
>  			atomic_set(&pernet->active_disable_times, 0);
> -
> -		dst_release(dst);
> +		rcu_read_unlock();
>  	}
>  }
>  

Cheers,
Matt
-- 
Sponsored by the NGI0 Core fund.

Re: [PATCH v2 net-next 7/7] mptcp: Use __sk_dst_get() and dst_dev_rcu() in mptcp_active_enable().

[Kuniyuki Iwashima]

On Wed, Sep 17, 2025 at 3:17 AM Matthieu Baerts <matttbe@kernel.org> wrote:
>
> Hi Kuniyuki,
>
> On 16/09/2025 23:47, Kuniyuki Iwashima wrote:
> > mptcp_active_enable() is called from subflow_finish_connect(),
> > which is icsk->icsk_af_ops->sk_rx_dst_set() and it's not always
> > under RCU.
> >
> > Using sk_dst_get(sk)->dev could trigger UAF.
> >
> > Let's use __sk_dst_get() and dst_dev_rcu().
> >
> > Fixes: 27069e7cb3d1 ("mptcp: disable active MPTCP in case of blackhole")
> > Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
>
> Thank you for the fix! It looks good to me!
>
> Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
>
> > ---
> > Cc: Matthieu Baerts <matttbe@kernel.org>
> > Cc: Mat Martineau <martineau@kernel.org>
> > Cc: Geliang Tang <geliang@kernel.org>
> > ---
> >  net/mptcp/ctrl.c | 11 +++++++----
> >  1 file changed, 7 insertions(+), 4 deletions(-)
> >
> > diff --git a/net/mptcp/ctrl.c b/net/mptcp/ctrl.c
> > index c0e516872b4b..e8ffa62ec183 100644
> > --- a/net/mptcp/ctrl.c
> > +++ b/net/mptcp/ctrl.c
> > @@ -501,12 +501,15 @@ void mptcp_active_enable(struct sock *sk)
> >       struct mptcp_pernet *pernet = mptcp_get_pernet(sock_net(sk));
> >
> >       if (atomic_read(&pernet->active_disable_times)) {
> > -             struct dst_entry *dst = sk_dst_get(sk);
> > +             struct net_device *dev;
> > +             struct dst_entry *dst;
> >
> > -             if (dst && dst->dev && (dst->dev->flags & IFF_LOOPBACK))
>
> Mmh, I don't know why but the condition was already wrong before your
> patch. It should be the opposite: we should reset if we manage to open
> an MPTCP connection on a non-loopback interface...
>
> I don't want to block this series for this non-directly related issue.
> If you prefer, I can send a fix when this series will be applied. I
> guess it would be easier to send it to net-next to avoid conflicts,
> which should be fine if we are close to the merge windows.

Sounds good to me.

Thanks for the review!

Re: [PATCH v2 net-next 7/7] mptcp: Use __sk_dst_get() and dst_dev_rcu() in mptcp_active_enable().

[Eric Dumazet]

On Tue, Sep 16, 2025 at 2:48 PM Kuniyuki Iwashima <kuniyu@google.com> wrote:
>
> mptcp_active_enable() is called from subflow_finish_connect(),
> which is icsk->icsk_af_ops->sk_rx_dst_set() and it's not always
> under RCU.
>
> Using sk_dst_get(sk)->dev could trigger UAF.
>
> Let's use __sk_dst_get() and dst_dev_rcu().
>
> Fixes: 27069e7cb3d1 ("mptcp: disable active MPTCP in case of blackhole")
> Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
> ---

Reviewed-by: Eric Dumazet <edumazet@google.com>

Re: [PATCH v2 net-next 0/7] net: Fix UAF of sk_dst_get(sk)->dev.

[patchwork-bot+netdevbpf]

Hello:

This series was applied to netdev/net-next.git (main)
by Jakub Kicinski <kuba@kernel.org>:

On Tue, 16 Sep 2025 21:47:18 +0000 you wrote:
> syzbot caught use-after-free of sk_dst_get(sk)->dev,
> which was not fetched under RCU nor RTNL. [0]
> 
> Patch 1 ~ 5, 7 fix UAF in smc, tcp, ktls, mptcp
> Patch 6 fixes dst ref leak in mptcp
> 
> 
> [...]

Here is the summary with links:
  - [v2,net-next,1/7] smc: Fix use-after-free in __pnet_find_base_ndev().
    https://git.kernel.org/netdev/net-next/c/3d3466878afd
  - [v2,net-next,2/7] smc: Use __sk_dst_get() and dst_dev_rcu() in in smc_clc_prfx_set().
    https://git.kernel.org/netdev/net-next/c/935d783e5de9
  - [v2,net-next,3/7] smc: Use __sk_dst_get() and dst_dev_rcu() in smc_clc_prfx_match().
    https://git.kernel.org/netdev/net-next/c/235f81045c00
  - [v2,net-next,4/7] smc: Use __sk_dst_get() and dst_dev_rcu() in smc_vlan_by_tcpsk().
    https://git.kernel.org/netdev/net-next/c/0b0e4d51c655
  - [v2,net-next,5/7] tls: Use __sk_dst_get() and dst_dev_rcu() in get_netdev_for_sock().
    https://git.kernel.org/netdev/net-next/c/c65f27b9c3be
  - [v2,net-next,6/7] mptcp: Call dst_release() in mptcp_active_enable().
    https://git.kernel.org/netdev/net-next/c/108a86c71c93
  - [v2,net-next,7/7] mptcp: Use __sk_dst_get() and dst_dev_rcu() in mptcp_active_enable().
    https://git.kernel.org/netdev/net-next/c/893c49a78d9f

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html