* [PATCH net] rds: tcp: hold the net_device across ipv6_chk_addr() in rds_tcp_laddr_check()
@ 2026-07-09 7:44 Xiang Mei
2026-07-10 4:42 ` Allison Henderson
0 siblings, 1 reply; 3+ messages in thread
From: Xiang Mei @ 2026-07-09 7:44 UTC (permalink / raw)
To: Allison Henderson, David S . Miller, Eric Dumazet, Jakub Kicinski,
Paolo Abeni, Simon Horman
Cc: netdev, linux-rdma, rds-devel, linux-kernel, Santosh Shilimkar,
Ka-Cheong Poon, bestswngs, Xiang Mei
rds_tcp_laddr_check() looks up a scoped IPv6 interface with
dev_get_by_index_rcu(), drops the RCU read-side lock, and only then
passes the bare struct net_device * into ipv6_chk_addr().
dev_get_by_index_rcu() only keeps the device alive within the same RCU
read-side section. After rcu_read_unlock(), a concurrent RTM_DELLINK can
free the net_device; ipv6_chk_addr() then dereferences the stale pointer
in __ipv6_chk_addr_and_flags() (e.g. l3mdev_master_dev_rcu(dev)), reading
freed memory.
Take a reference with dev_hold() before dropping the RCU lock and release
it with dev_put() after ipv6_chk_addr(), so the device cannot be freed
while in use. dev_put(NULL) is a no-op, so the scope_id == 0 path is
unaffected.
BUG: KASAN: slab-use-after-free in __ipv6_chk_addr_and_flags (... net/ipv6/addrconf.c:1998)
Read of size 8 at addr ffff8880106ec000 by task exploit/153
Call Trace:
...
kasan_report (mm/kasan/report.c:595)
__ipv6_chk_addr_and_flags (... net/ipv6/addrconf.c:1998)
ipv6_chk_addr (net/ipv6/addrconf.c:2031 net/ipv6/addrconf.c:1972)
rds_tcp_laddr_check (net/rds/tcp.c:370)
rds_bind (net/rds/bind.c:248)
__sys_bind (net/socket.c:1920)
__x64_sys_bind (net/socket.c:1956)
do_syscall_64 (arch/x86/entry/syscall_64.c:63)
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:121)
Fixes: eee2fa6ab322 ("rds: Changing IP address internal representation to struct in6_addr")
Reported-by: Weiming Shi <bestswngs@gmail.com>
Assisted-by: Claude:claude-opus-4-8
Signed-off-by: Xiang Mei <xmei5@asu.edu>
---
net/rds/tcp.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/net/rds/tcp.c b/net/rds/tcp.c
index a1de114d5e2e..204dcdc33c27 100644
--- a/net/rds/tcp.c
+++ b/net/rds/tcp.c
@@ -363,12 +363,16 @@ int rds_tcp_laddr_check(struct net *net, const struct in6_addr *addr,
rcu_read_unlock();
return -EADDRNOTAVAIL;
}
+ dev_hold(dev);
rcu_read_unlock();
}
#if IS_ENABLED(CONFIG_IPV6)
ret = ipv6_chk_addr(net, addr, dev, 0);
+ dev_put(dev);
if (ret)
return 0;
+#else
+ dev_put(dev);
#endif
return -EADDRNOTAVAIL;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH net] rds: tcp: hold the net_device across ipv6_chk_addr() in rds_tcp_laddr_check()
2026-07-09 7:44 [PATCH net] rds: tcp: hold the net_device across ipv6_chk_addr() in rds_tcp_laddr_check() Xiang Mei
@ 2026-07-10 4:42 ` Allison Henderson
2026-07-10 22:33 ` Xiang Mei
0 siblings, 1 reply; 3+ messages in thread
From: Allison Henderson @ 2026-07-10 4:42 UTC (permalink / raw)
To: Xiang Mei, David S . Miller, Eric Dumazet, Jakub Kicinski,
Paolo Abeni, Simon Horman
Cc: netdev, linux-rdma, rds-devel, linux-kernel, Santosh Shilimkar,
Ka-Cheong Poon, bestswngs
On Thu, 2026-07-09 at 00:44 -0700, Xiang Mei wrote:
> rds_tcp_laddr_check() looks up a scoped IPv6 interface with
> dev_get_by_index_rcu(), drops the RCU read-side lock, and only then
> passes the bare struct net_device * into ipv6_chk_addr().
>
> dev_get_by_index_rcu() only keeps the device alive within the same RCU
> read-side section. After rcu_read_unlock(), a concurrent RTM_DELLINK can
> free the net_device; ipv6_chk_addr() then dereferences the stale pointer
> in __ipv6_chk_addr_and_flags() (e.g. l3mdev_master_dev_rcu(dev)), reading
> freed memory.
>
> Take a reference with dev_hold() before dropping the RCU lock and release
> it with dev_put() after ipv6_chk_addr(), so the device cannot be freed
> while in use. dev_put(NULL) is a no-op, so the scope_id == 0 path is
> unaffected.
>
> BUG: KASAN: slab-use-after-free in __ipv6_chk_addr_and_flags (... net/ipv6/addrconf.c:1998)
> Read of size 8 at addr ffff8880106ec000 by task exploit/153
> Call Trace:
> ...
> kasan_report (mm/kasan/report.c:595)
> __ipv6_chk_addr_and_flags (... net/ipv6/addrconf.c:1998)
> ipv6_chk_addr (net/ipv6/addrconf.c:2031 net/ipv6/addrconf.c:1972)
> rds_tcp_laddr_check (net/rds/tcp.c:370)
> rds_bind (net/rds/bind.c:248)
> __sys_bind (net/socket.c:1920)
> __x64_sys_bind (net/socket.c:1956)
> do_syscall_64 (arch/x86/entry/syscall_64.c:63)
> entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:121)
>
> Fixes: eee2fa6ab322 ("rds: Changing IP address internal representation to struct in6_addr")
> Reported-by: Weiming Shi <bestswngs@gmail.com>
> Assisted-by: Claude:claude-opus-4-8
> Signed-off-by: Xiang Mei <xmei5@asu.edu>
> ---
> net/rds/tcp.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/net/rds/tcp.c b/net/rds/tcp.c
> index a1de114d5e2e..204dcdc33c27 100644
> --- a/net/rds/tcp.c
> +++ b/net/rds/tcp.c
> @@ -363,12 +363,16 @@ int rds_tcp_laddr_check(struct net *net, const struct in6_addr *addr,
> rcu_read_unlock();
> return -EADDRNOTAVAIL;
> }
> + dev_hold(dev);
> rcu_read_unlock();
> }
> #if IS_ENABLED(CONFIG_IPV6)
> ret = ipv6_chk_addr(net, addr, dev, 0);
> + dev_put(dev);
Hi Xiang,
Thanks for working on this. It looks like this patch generated
some CI warnings for dev_hold/put that should be addressed:
https://patchwork.kernel.org/project/netdevbpf/patch/20260709074459.326345-1-xmei5@asu.edu/
Per the comments from include/linux/netdevice.h:4546, netdev_hold/put
replaced dev_hold/put, which takes a netdevice_tracker pointer. But I
think the easier way to do this may be just to widen the rcu locks already
in this function. Just move rcu_read_lock(); above the scope_id check,
and make sure it's released before any returns. That should get away from
having to use the hold/puts all together.
rcu_read_lock();
if (scope_id != 0) {
dev = dev_get_by_index_rcu(net, scope_id);
if (!dev) {
rcu_read_unlock();
return -EADDRNOTAVAIL;
}
}
#if IS_ENABLED(CONFIG_IPV6)
ret = ipv6_chk_addr(net, addr, dev, 0);
if (ret) {
rcu_read_unlock();
return 0;
}
#endif
rcu_read_unlock();
return -EADDRNOTAVAIL;
Also, this patch conflicts with another submitted patch:
[net,v2] rds: Fix inet6_addr_lst NULL dereference when IPv6 is disabled:
https://patchwork.kernel.org/project/netdevbpf/patch/20260709162723.367523-1-Ilia.Gavrilov@infotecs.ru/
So, please rebase on Ilia's v2, and mention the dependency in your change
log so the stable folks pick them up in the right order. Both fixes carry
the same Fixes: tag so they should travel together.
Thank you!
Allison
> if (ret)
> return 0;
> +#else
> + dev_put(dev);
> #endif
> return -EADDRNOTAVAIL;
> }
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH net] rds: tcp: hold the net_device across ipv6_chk_addr() in rds_tcp_laddr_check()
2026-07-10 4:42 ` Allison Henderson
@ 2026-07-10 22:33 ` Xiang Mei
0 siblings, 0 replies; 3+ messages in thread
From: Xiang Mei @ 2026-07-10 22:33 UTC (permalink / raw)
To: Allison Henderson
Cc: David S . Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni,
Simon Horman, netdev, linux-rdma, rds-devel, linux-kernel,
Santosh Shilimkar, Ka-Cheong Poon, bestswngs
On Thu, Jul 9, 2026 at 9:42 PM Allison Henderson <achender@kernel.org> wrote:
>
> On Thu, 2026-07-09 at 00:44 -0700, Xiang Mei wrote:
> > rds_tcp_laddr_check() looks up a scoped IPv6 interface with
> > dev_get_by_index_rcu(), drops the RCU read-side lock, and only then
> > passes the bare struct net_device * into ipv6_chk_addr().
> >
> > dev_get_by_index_rcu() only keeps the device alive within the same RCU
> > read-side section. After rcu_read_unlock(), a concurrent RTM_DELLINK can
> > free the net_device; ipv6_chk_addr() then dereferences the stale pointer
> > in __ipv6_chk_addr_and_flags() (e.g. l3mdev_master_dev_rcu(dev)), reading
> > freed memory.
> >
> > Take a reference with dev_hold() before dropping the RCU lock and release
> > it with dev_put() after ipv6_chk_addr(), so the device cannot be freed
> > while in use. dev_put(NULL) is a no-op, so the scope_id == 0 path is
> > unaffected.
> >
> > BUG: KASAN: slab-use-after-free in __ipv6_chk_addr_and_flags (... net/ipv6/addrconf.c:1998)
> > Read of size 8 at addr ffff8880106ec000 by task exploit/153
> > Call Trace:
> > ...
> > kasan_report (mm/kasan/report.c:595)
> > __ipv6_chk_addr_and_flags (... net/ipv6/addrconf.c:1998)
> > ipv6_chk_addr (net/ipv6/addrconf.c:2031 net/ipv6/addrconf.c:1972)
> > rds_tcp_laddr_check (net/rds/tcp.c:370)
> > rds_bind (net/rds/bind.c:248)
> > __sys_bind (net/socket.c:1920)
> > __x64_sys_bind (net/socket.c:1956)
> > do_syscall_64 (arch/x86/entry/syscall_64.c:63)
> > entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:121)
> >
> > Fixes: eee2fa6ab322 ("rds: Changing IP address internal representation to struct in6_addr")
> > Reported-by: Weiming Shi <bestswngs@gmail.com>
> > Assisted-by: Claude:claude-opus-4-8
> > Signed-off-by: Xiang Mei <xmei5@asu.edu>
> > ---
> > net/rds/tcp.c | 4 ++++
> > 1 file changed, 4 insertions(+)
> >
> > diff --git a/net/rds/tcp.c b/net/rds/tcp.c
> > index a1de114d5e2e..204dcdc33c27 100644
> > --- a/net/rds/tcp.c
> > +++ b/net/rds/tcp.c
> > @@ -363,12 +363,16 @@ int rds_tcp_laddr_check(struct net *net, const struct in6_addr *addr,
> > rcu_read_unlock();
> > return -EADDRNOTAVAIL;
> > }
> > + dev_hold(dev);
> > rcu_read_unlock();
> > }
> > #if IS_ENABLED(CONFIG_IPV6)
> > ret = ipv6_chk_addr(net, addr, dev, 0);
> > + dev_put(dev);
> Hi Xiang,
>
> Thanks for working on this. It looks like this patch generated
> some CI warnings for dev_hold/put that should be addressed:
> https://patchwork.kernel.org/project/netdevbpf/patch/20260709074459.326345-1-xmei5@asu.edu/
>
> Per the comments from include/linux/netdevice.h:4546, netdev_hold/put
> replaced dev_hold/put, which takes a netdevice_tracker pointer. But I
> think the easier way to do this may be just to widen the rcu locks already
> in this function. Just move rcu_read_lock(); above the scope_id check,
> and make sure it's released before any returns. That should get away from
> having to use the hold/puts all together.
>
> rcu_read_lock();
> if (scope_id != 0) {
> dev = dev_get_by_index_rcu(net, scope_id);
> if (!dev) {
> rcu_read_unlock();
> return -EADDRNOTAVAIL;
> }
> }
> #if IS_ENABLED(CONFIG_IPV6)
> ret = ipv6_chk_addr(net, addr, dev, 0);
> if (ret) {
> rcu_read_unlock();
> return 0;
> }
> #endif
> rcu_read_unlock();
> return -EADDRNOTAVAIL;
>
> Also, this patch conflicts with another submitted patch:
> [net,v2] rds: Fix inet6_addr_lst NULL dereference when IPv6 is disabled:
> https://patchwork.kernel.org/project/netdevbpf/patch/20260709162723.367523-1-Ilia.Gavrilov@infotecs.ru/
>
> So, please rebase on Ilia's v2, and mention the dependency in your change
> log so the stable folks pick them up in the right order. Both fixes carry
> the same Fixes: tag so they should travel together.
>
> Thank you!
> Allison
Thanks so much! Your version is better!
I have sent v2, which rebase on Ilia's v2:
https://lore.kernel.org/netdev/20260710223029.1307043-1-xmei5@asu.edu/T/#u
Xiang
Xiang
>
> > if (ret)
> > return 0;
> > +#else
> > + dev_put(dev);
> > #endif
> > return -EADDRNOTAVAIL;
> > }
>
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2026-07-10 22:33 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-07-09 7:44 [PATCH net] rds: tcp: hold the net_device across ipv6_chk_addr() in rds_tcp_laddr_check() Xiang Mei
2026-07-10 4:42 ` Allison Henderson
2026-07-10 22:33 ` Xiang Mei
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox