* [PATCH net] rds: tcp: hold the net_device across ipv6_chk_addr() in rds_tcp_laddr_check()
@ 2026-07-09 7:44 Xiang Mei
2026-07-10 4:42 ` Allison Henderson
0 siblings, 1 reply; 3+ messages in thread
From: Xiang Mei @ 2026-07-09 7:44 UTC (permalink / raw)
To: Allison Henderson, David S . Miller, Eric Dumazet, Jakub Kicinski,
Paolo Abeni, Simon Horman
Cc: netdev, linux-rdma, rds-devel, linux-kernel, Santosh Shilimkar,
Ka-Cheong Poon, bestswngs, Xiang Mei
rds_tcp_laddr_check() looks up a scoped IPv6 interface with
dev_get_by_index_rcu(), drops the RCU read-side lock, and only then
passes the bare struct net_device * into ipv6_chk_addr().
dev_get_by_index_rcu() only keeps the device alive within the same RCU
read-side section. After rcu_read_unlock(), a concurrent RTM_DELLINK can
free the net_device; ipv6_chk_addr() then dereferences the stale pointer
in __ipv6_chk_addr_and_flags() (e.g. l3mdev_master_dev_rcu(dev)), reading
freed memory.
Take a reference with dev_hold() before dropping the RCU lock and release
it with dev_put() after ipv6_chk_addr(), so the device cannot be freed
while in use. dev_put(NULL) is a no-op, so the scope_id == 0 path is
unaffected.
BUG: KASAN: slab-use-after-free in __ipv6_chk_addr_and_flags (... net/ipv6/addrconf.c:1998)
Read of size 8 at addr ffff8880106ec000 by task exploit/153
Call Trace:
...
kasan_report (mm/kasan/report.c:595)
__ipv6_chk_addr_and_flags (... net/ipv6/addrconf.c:1998)
ipv6_chk_addr (net/ipv6/addrconf.c:2031 net/ipv6/addrconf.c:1972)
rds_tcp_laddr_check (net/rds/tcp.c:370)
rds_bind (net/rds/bind.c:248)
__sys_bind (net/socket.c:1920)
__x64_sys_bind (net/socket.c:1956)
do_syscall_64 (arch/x86/entry/syscall_64.c:63)
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:121)
Fixes: eee2fa6ab322 ("rds: Changing IP address internal representation to struct in6_addr")
Reported-by: Weiming Shi <bestswngs@gmail.com>
Assisted-by: Claude:claude-opus-4-8
Signed-off-by: Xiang Mei <xmei5@asu.edu>
---
net/rds/tcp.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/net/rds/tcp.c b/net/rds/tcp.c
index a1de114d5e2e..204dcdc33c27 100644
--- a/net/rds/tcp.c
+++ b/net/rds/tcp.c
@@ -363,12 +363,16 @@ int rds_tcp_laddr_check(struct net *net, const struct in6_addr *addr,
rcu_read_unlock();
return -EADDRNOTAVAIL;
}
+ dev_hold(dev);
rcu_read_unlock();
}
#if IS_ENABLED(CONFIG_IPV6)
ret = ipv6_chk_addr(net, addr, dev, 0);
+ dev_put(dev);
if (ret)
return 0;
+#else
+ dev_put(dev);
#endif
return -EADDRNOTAVAIL;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 3+ messages in thread* Re: [PATCH net] rds: tcp: hold the net_device across ipv6_chk_addr() in rds_tcp_laddr_check() 2026-07-09 7:44 [PATCH net] rds: tcp: hold the net_device across ipv6_chk_addr() in rds_tcp_laddr_check() Xiang Mei @ 2026-07-10 4:42 ` Allison Henderson 2026-07-10 22:33 ` Xiang Mei 0 siblings, 1 reply; 3+ messages in thread From: Allison Henderson @ 2026-07-10 4:42 UTC (permalink / raw) To: Xiang Mei, David S . Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni, Simon Horman Cc: netdev, linux-rdma, rds-devel, linux-kernel, Santosh Shilimkar, Ka-Cheong Poon, bestswngs On Thu, 2026-07-09 at 00:44 -0700, Xiang Mei wrote: > rds_tcp_laddr_check() looks up a scoped IPv6 interface with > dev_get_by_index_rcu(), drops the RCU read-side lock, and only then > passes the bare struct net_device * into ipv6_chk_addr(). > > dev_get_by_index_rcu() only keeps the device alive within the same RCU > read-side section. After rcu_read_unlock(), a concurrent RTM_DELLINK can > free the net_device; ipv6_chk_addr() then dereferences the stale pointer > in __ipv6_chk_addr_and_flags() (e.g. l3mdev_master_dev_rcu(dev)), reading > freed memory. > > Take a reference with dev_hold() before dropping the RCU lock and release > it with dev_put() after ipv6_chk_addr(), so the device cannot be freed > while in use. dev_put(NULL) is a no-op, so the scope_id == 0 path is > unaffected. > > BUG: KASAN: slab-use-after-free in __ipv6_chk_addr_and_flags (... net/ipv6/addrconf.c:1998) > Read of size 8 at addr ffff8880106ec000 by task exploit/153 > Call Trace: > ... > kasan_report (mm/kasan/report.c:595) > __ipv6_chk_addr_and_flags (... net/ipv6/addrconf.c:1998) > ipv6_chk_addr (net/ipv6/addrconf.c:2031 net/ipv6/addrconf.c:1972) > rds_tcp_laddr_check (net/rds/tcp.c:370) > rds_bind (net/rds/bind.c:248) > __sys_bind (net/socket.c:1920) > __x64_sys_bind (net/socket.c:1956) > do_syscall_64 (arch/x86/entry/syscall_64.c:63) > entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:121) > > Fixes: eee2fa6ab322 ("rds: Changing IP address internal representation to struct in6_addr") > Reported-by: Weiming Shi <bestswngs@gmail.com> > Assisted-by: Claude:claude-opus-4-8 > Signed-off-by: Xiang Mei <xmei5@asu.edu> > --- > net/rds/tcp.c | 4 ++++ > 1 file changed, 4 insertions(+) > > diff --git a/net/rds/tcp.c b/net/rds/tcp.c > index a1de114d5e2e..204dcdc33c27 100644 > --- a/net/rds/tcp.c > +++ b/net/rds/tcp.c > @@ -363,12 +363,16 @@ int rds_tcp_laddr_check(struct net *net, const struct in6_addr *addr, > rcu_read_unlock(); > return -EADDRNOTAVAIL; > } > + dev_hold(dev); > rcu_read_unlock(); > } > #if IS_ENABLED(CONFIG_IPV6) > ret = ipv6_chk_addr(net, addr, dev, 0); > + dev_put(dev); Hi Xiang, Thanks for working on this. It looks like this patch generated some CI warnings for dev_hold/put that should be addressed: https://patchwork.kernel.org/project/netdevbpf/patch/20260709074459.326345-1-xmei5@asu.edu/ Per the comments from include/linux/netdevice.h:4546, netdev_hold/put replaced dev_hold/put, which takes a netdevice_tracker pointer. But I think the easier way to do this may be just to widen the rcu locks already in this function. Just move rcu_read_lock(); above the scope_id check, and make sure it's released before any returns. That should get away from having to use the hold/puts all together. rcu_read_lock(); if (scope_id != 0) { dev = dev_get_by_index_rcu(net, scope_id); if (!dev) { rcu_read_unlock(); return -EADDRNOTAVAIL; } } #if IS_ENABLED(CONFIG_IPV6) ret = ipv6_chk_addr(net, addr, dev, 0); if (ret) { rcu_read_unlock(); return 0; } #endif rcu_read_unlock(); return -EADDRNOTAVAIL; Also, this patch conflicts with another submitted patch: [net,v2] rds: Fix inet6_addr_lst NULL dereference when IPv6 is disabled: https://patchwork.kernel.org/project/netdevbpf/patch/20260709162723.367523-1-Ilia.Gavrilov@infotecs.ru/ So, please rebase on Ilia's v2, and mention the dependency in your change log so the stable folks pick them up in the right order. Both fixes carry the same Fixes: tag so they should travel together. Thank you! Allison > if (ret) > return 0; > +#else > + dev_put(dev); > #endif > return -EADDRNOTAVAIL; > } ^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH net] rds: tcp: hold the net_device across ipv6_chk_addr() in rds_tcp_laddr_check() 2026-07-10 4:42 ` Allison Henderson @ 2026-07-10 22:33 ` Xiang Mei 0 siblings, 0 replies; 3+ messages in thread From: Xiang Mei @ 2026-07-10 22:33 UTC (permalink / raw) To: Allison Henderson Cc: David S . Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni, Simon Horman, netdev, linux-rdma, rds-devel, linux-kernel, Santosh Shilimkar, Ka-Cheong Poon, bestswngs On Thu, Jul 9, 2026 at 9:42 PM Allison Henderson <achender@kernel.org> wrote: > > On Thu, 2026-07-09 at 00:44 -0700, Xiang Mei wrote: > > rds_tcp_laddr_check() looks up a scoped IPv6 interface with > > dev_get_by_index_rcu(), drops the RCU read-side lock, and only then > > passes the bare struct net_device * into ipv6_chk_addr(). > > > > dev_get_by_index_rcu() only keeps the device alive within the same RCU > > read-side section. After rcu_read_unlock(), a concurrent RTM_DELLINK can > > free the net_device; ipv6_chk_addr() then dereferences the stale pointer > > in __ipv6_chk_addr_and_flags() (e.g. l3mdev_master_dev_rcu(dev)), reading > > freed memory. > > > > Take a reference with dev_hold() before dropping the RCU lock and release > > it with dev_put() after ipv6_chk_addr(), so the device cannot be freed > > while in use. dev_put(NULL) is a no-op, so the scope_id == 0 path is > > unaffected. > > > > BUG: KASAN: slab-use-after-free in __ipv6_chk_addr_and_flags (... net/ipv6/addrconf.c:1998) > > Read of size 8 at addr ffff8880106ec000 by task exploit/153 > > Call Trace: > > ... > > kasan_report (mm/kasan/report.c:595) > > __ipv6_chk_addr_and_flags (... net/ipv6/addrconf.c:1998) > > ipv6_chk_addr (net/ipv6/addrconf.c:2031 net/ipv6/addrconf.c:1972) > > rds_tcp_laddr_check (net/rds/tcp.c:370) > > rds_bind (net/rds/bind.c:248) > > __sys_bind (net/socket.c:1920) > > __x64_sys_bind (net/socket.c:1956) > > do_syscall_64 (arch/x86/entry/syscall_64.c:63) > > entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:121) > > > > Fixes: eee2fa6ab322 ("rds: Changing IP address internal representation to struct in6_addr") > > Reported-by: Weiming Shi <bestswngs@gmail.com> > > Assisted-by: Claude:claude-opus-4-8 > > Signed-off-by: Xiang Mei <xmei5@asu.edu> > > --- > > net/rds/tcp.c | 4 ++++ > > 1 file changed, 4 insertions(+) > > > > diff --git a/net/rds/tcp.c b/net/rds/tcp.c > > index a1de114d5e2e..204dcdc33c27 100644 > > --- a/net/rds/tcp.c > > +++ b/net/rds/tcp.c > > @@ -363,12 +363,16 @@ int rds_tcp_laddr_check(struct net *net, const struct in6_addr *addr, > > rcu_read_unlock(); > > return -EADDRNOTAVAIL; > > } > > + dev_hold(dev); > > rcu_read_unlock(); > > } > > #if IS_ENABLED(CONFIG_IPV6) > > ret = ipv6_chk_addr(net, addr, dev, 0); > > + dev_put(dev); > Hi Xiang, > > Thanks for working on this. It looks like this patch generated > some CI warnings for dev_hold/put that should be addressed: > https://patchwork.kernel.org/project/netdevbpf/patch/20260709074459.326345-1-xmei5@asu.edu/ > > Per the comments from include/linux/netdevice.h:4546, netdev_hold/put > replaced dev_hold/put, which takes a netdevice_tracker pointer. But I > think the easier way to do this may be just to widen the rcu locks already > in this function. Just move rcu_read_lock(); above the scope_id check, > and make sure it's released before any returns. That should get away from > having to use the hold/puts all together. > > rcu_read_lock(); > if (scope_id != 0) { > dev = dev_get_by_index_rcu(net, scope_id); > if (!dev) { > rcu_read_unlock(); > return -EADDRNOTAVAIL; > } > } > #if IS_ENABLED(CONFIG_IPV6) > ret = ipv6_chk_addr(net, addr, dev, 0); > if (ret) { > rcu_read_unlock(); > return 0; > } > #endif > rcu_read_unlock(); > return -EADDRNOTAVAIL; > > Also, this patch conflicts with another submitted patch: > [net,v2] rds: Fix inet6_addr_lst NULL dereference when IPv6 is disabled: > https://patchwork.kernel.org/project/netdevbpf/patch/20260709162723.367523-1-Ilia.Gavrilov@infotecs.ru/ > > So, please rebase on Ilia's v2, and mention the dependency in your change > log so the stable folks pick them up in the right order. Both fixes carry > the same Fixes: tag so they should travel together. > > Thank you! > Allison Thanks so much! Your version is better! I have sent v2, which rebase on Ilia's v2: https://lore.kernel.org/netdev/20260710223029.1307043-1-xmei5@asu.edu/T/#u Xiang Xiang > > > if (ret) > > return 0; > > +#else > > + dev_put(dev); > > #endif > > return -EADDRNOTAVAIL; > > } > ^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2026-07-10 22:33 UTC | newest] Thread overview: 3+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2026-07-09 7:44 [PATCH net] rds: tcp: hold the net_device across ipv6_chk_addr() in rds_tcp_laddr_check() Xiang Mei 2026-07-10 4:42 ` Allison Henderson 2026-07-10 22:33 ` Xiang Mei
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox