From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev,
Sharath Chandra Vurukala <quic_sharathv@quicinc.com>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>,
Keerthana K <keerthana.kalyanasundaram@broadcom.com>
Subject: [PATCH 6.6 22/88] net: Add locking to protect skb->dev access in ip_output
Date: Thu, 15 Jan 2026 17:48:05 +0100 [thread overview]
Message-ID: <20260115164147.118024894@linuxfoundation.org> (raw)
In-Reply-To: <20260115164146.312481509@linuxfoundation.org>
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sharath Chandra Vurukala <quic_sharathv@quicinc.com>
commit 1dbf1d590d10a6d1978e8184f8dfe20af22d680a upstream.
In ip_output() skb->dev is updated from the skb_dst(skb)->dev
this can become invalid when the interface is unregistered and freed,
Introduced new skb_dst_dev_rcu() function to be used instead of
skb_dst_dev() within rcu_locks in ip_output.This will ensure that
all the skb's associated with the dev being deregistered will
be transnmitted out first, before freeing the dev.
Given that ip_output() is called within an rcu_read_lock()
critical section or from a bottom-half context, it is safe to introduce
an RCU read-side critical section within it.
Multiple panic call stacks were observed when UL traffic was run
in concurrency with device deregistration from different functions,
pasting one sample for reference.
[496733.627565][T13385] Call trace:
[496733.627570][T13385] bpf_prog_ce7c9180c3b128ea_cgroupskb_egres+0x24c/0x7f0
[496733.627581][T13385] __cgroup_bpf_run_filter_skb+0x128/0x498
[496733.627595][T13385] ip_finish_output+0xa4/0xf4
[496733.627605][T13385] ip_output+0x100/0x1a0
[496733.627613][T13385] ip_send_skb+0x68/0x100
[496733.627618][T13385] udp_send_skb+0x1c4/0x384
[496733.627625][T13385] udp_sendmsg+0x7b0/0x898
[496733.627631][T13385] inet_sendmsg+0x5c/0x7c
[496733.627639][T13385] __sys_sendto+0x174/0x1e4
[496733.627647][T13385] __arm64_sys_sendto+0x28/0x3c
[496733.627653][T13385] invoke_syscall+0x58/0x11c
[496733.627662][T13385] el0_svc_common+0x88/0xf4
[496733.627669][T13385] do_el0_svc+0x2c/0xb0
[496733.627676][T13385] el0_svc+0x2c/0xa4
[496733.627683][T13385] el0t_64_sync_handler+0x68/0xb4
[496733.627689][T13385] el0t_64_sync+0x1a4/0x1a8
Changes in v3:
- Replaced WARN_ON() with WARN_ON_ONCE(), as suggested by Willem de Bruijn.
- Dropped legacy lines mistakenly pulled in from an outdated branch.
Changes in v2:
- Addressed review comments from Eric Dumazet
- Used READ_ONCE() to prevent potential load/store tearing
- Added skb_dst_dev_rcu() and used along with rcu_read_lock() in ip_output
Signed-off-by: Sharath Chandra Vurukala <quic_sharathv@quicinc.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20250730105118.GA26100@hu-sharathv-hyd.qualcomm.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
[ Keerthana: Backported the patch to v6.6.y ]
Signed-off-by: Keerthana K <keerthana.kalyanasundaram@broadcom.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/net/dst.h | 12 ++++++++++++
net/ipv4/ip_output.c | 15 ++++++++++-----
2 files changed, 22 insertions(+), 5 deletions(-)
--- a/include/net/dst.h
+++ b/include/net/dst.h
@@ -569,6 +569,18 @@ static inline void skb_dst_update_pmtu_n
dst->ops->update_pmtu(dst, NULL, skb, mtu, false);
}
+static inline struct net_device *dst_dev_rcu(const struct dst_entry *dst)
+{
+ /* In the future, use rcu_dereference(dst->dev) */
+ WARN_ON_ONCE(!rcu_read_lock_held());
+ return READ_ONCE(dst->dev);
+}
+
+static inline struct net_device *skb_dst_dev_rcu(const struct sk_buff *skb)
+{
+ return dst_dev_rcu(skb_dst(skb));
+}
+
struct dst_entry *dst_blackhole_check(struct dst_entry *dst, u32 cookie);
void dst_blackhole_update_pmtu(struct dst_entry *dst, struct sock *sk,
struct sk_buff *skb, u32 mtu, bool confirm_neigh);
--- a/net/ipv4/ip_output.c
+++ b/net/ipv4/ip_output.c
@@ -425,15 +425,20 @@ int ip_mc_output(struct net *net, struct
int ip_output(struct net *net, struct sock *sk, struct sk_buff *skb)
{
- struct net_device *dev = skb_dst(skb)->dev, *indev = skb->dev;
+ struct net_device *dev, *indev = skb->dev;
+ int ret_val;
+ rcu_read_lock();
+ dev = skb_dst_dev_rcu(skb);
skb->dev = dev;
skb->protocol = htons(ETH_P_IP);
- return NF_HOOK_COND(NFPROTO_IPV4, NF_INET_POST_ROUTING,
- net, sk, skb, indev, dev,
- ip_finish_output,
- !(IPCB(skb)->flags & IPSKB_REROUTED));
+ ret_val = NF_HOOK_COND(NFPROTO_IPV4, NF_INET_POST_ROUTING,
+ net, sk, skb, indev, dev,
+ ip_finish_output,
+ !(IPCB(skb)->flags & IPSKB_REROUTED));
+ rcu_read_unlock();
+ return ret_val;
}
EXPORT_SYMBOL(ip_output);
next prev parent reply other threads:[~2026-01-15 17:06 UTC|newest]
Thread overview: 101+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-01-15 16:47 [PATCH 6.6 00/88] 6.6.121-rc1 review Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 6.6 01/88] NFSD: Fix permission check for read access to executable-only files Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 6.6 02/88] nfsd: provide locking for v4_end_grace Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 6.6 03/88] atm: Fix dma_free_coherent() size Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 6.6 04/88] net: 3com: 3c59x: fix possible null dereference in vortex_probe1() Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 6.6 05/88] btrfs: always detect conflicting inodes when logging inode refs Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 6.6 06/88] mei: me: add nova lake point S DID Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 6.6 07/88] lib/crypto: aes: Fix missing MMU protection for AES S-box Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 6.6 08/88] counter: 104-quad-8: Fix incorrect return value in IRQ handler Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 6.6 09/88] counter: interrupt-cnt: Drop IRQF_NO_THREAD flag Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 6.6 10/88] drm/pl111: Fix error handling in pl111_amba_probe Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 6.6 11/88] drm/radeon: Remove __counted_by from ClockInfoArray.clockInfo[] Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 6.6 12/88] gpio: rockchip: mark the GPIO controller as sleeping Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 6.6 13/88] pinctrl: qcom: lpass-lpi: " Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 6.6 14/88] wifi: avoid kernel-infoleak from struct iw_point Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 6.6 15/88] libceph: prevent potential out-of-bounds reads in handle_auth_done() Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 6.6 16/88] libceph: replace overzealous BUG_ON in osdmap_apply_incremental() Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.6 17/88] libceph: make free_choose_arg_map() resilient to partial allocation Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.6 18/88] libceph: return the handler error from mon_handle_auth_done() Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.6 19/88] libceph: reset sparse-read state in osd_fault() Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.6 20/88] libceph: make calc_target() set t->paused, not just clear it Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.6 21/88] ksm: use range-walk function to jump over holes in scan_get_next_rmap_item Greg Kroah-Hartman
2026-01-15 16:48 ` Greg Kroah-Hartman [this message]
2026-01-15 16:48 ` [PATCH 6.6 23/88] nfsd: convert to new timestamp accessors Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.6 24/88] nfsd: Fix NFSv3 atomicity bugs in nfsd_setattr() Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.6 25/88] nfsd: set security label during create operations Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.6 26/88] NFSD: NFSv4 file creation neglects setting ACL Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.6 27/88] tls: Use __sk_dst_get() and dst_dev_rcu() in get_netdev_for_sock() Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.6 28/88] csky: fix csky_cmpxchg_fixup not working Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.6 29/88] ARM: 9461/1: Disable HIGHPTE on PREEMPT_RT kernels Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.6 30/88] alpha: dont reference obsolete termio struct for TC* constants Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.6 31/88] dm-snapshot: fix scheduling while atomic on real-time kernels Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.6 32/88] NFSv4: ensure the open stateid seqid doesnt go backwards Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.6 33/88] NFS: Fix up the automount fs_context to use the correct cred Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.6 34/88] smb/client: fix NT_STATUS_UNABLE_TO_FREE_VM value Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.6 35/88] smb/client: fix NT_STATUS_DEVICE_DOOR_OPEN value Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.6 36/88] smb/client: fix NT_STATUS_NO_DATA_DETECTED value Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.6 37/88] scsi: ipr: Enable/disable IRQD_NO_BALANCING during reset Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.6 38/88] scsi: ufs: core: Fix EH failure after W-LUN resume error Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.6 39/88] scsi: Revert "scsi: libsas: Fix exp-attached device scan after probe failure scanned in again after probe failed" Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.6 40/88] arm64: dts: add off-on-delay-us for usdhc2 regulator Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.6 41/88] ARM: dts: imx6q-ba16: fix RTC interrupt level Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.6 42/88] arm64: dts: imx8mp: Fix LAN8740Ai PHY reference clock on DH electronics i.MX8M Plus DHCOM Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.6 43/88] netfilter: nft_synproxy: avoid possible data-race on update operation Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.6 44/88] gpio: pca953x: Utilise dev_err_probe() where it makes sense Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.6 45/88] gpio: pca953x: Utilise temporary variable for struct device Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.6 46/88] gpio: pca953x: Add support for level-triggered interrupts Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.6 47/88] gpio: pca953x: handle short interrupt pulses on PCAL devices Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.6 48/88] netfilter: nf_tables: fix memory leak in nf_tables_newrule() Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.6 49/88] netfilter: nf_conncount: update last_gc only when GC has been performed Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.6 50/88] net: marvell: prestera: fix NULL dereference on devlink_alloc() failure Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.6 51/88] bridge: fix C-VLAN preservation in 802.1ad vlan_tunnel egress Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.6 52/88] net: mscc: ocelot: Fix crash when adding interface under a lag Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.6 53/88] inet: ping: Fix icmp out counting Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.6 54/88] net: sock: fix hardened usercopy panic in sock_recv_errqueue Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.6 55/88] netdev: preserve NETIF_F_ALL_FOR_ALL across TSO updates Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.6 56/88] net/mlx5e: Dont print error message due to invalid module Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.6 57/88] net: wwan: iosm: Fix memory leak in ipc_mux_deinit() Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.6 58/88] bnxt_en: Fix potential data corruption with HW GRO/LRO Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.6 59/88] net: fix memory leak in skb_segment_list for GRO packets Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.6 60/88] HID: quirks: work around VID/PID conflict for appledisplay Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.6 61/88] net/sched: sch_qfq: Fix NULL deref when deactivating inactive aggregate in qfq_reset Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.6 62/88] net: usb: pegasus: fix memory leak in update_eth_regs_async() Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.6 63/88] net: enetc: fix build warning when PAGE_SIZE is greater than 128K Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.6 64/88] arp: do not assume dev_hard_header() does not change skb->head Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.6 65/88] LoongArch: Add more instruction opcodes and emit_* helpers Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.6 66/88] ALSA: ac97bus: Use guard() for mutex locks Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.6 67/88] ALSA: ac97: fix a double free in snd_ac97_controller_register() Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.6 68/88] NFS: trace: show TIMEDOUT instead of 0x6e Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.6 69/88] nfs_common: factor out nfs_errtbl and nfs_stat_to_errno Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.6 70/88] NFSD: Remove NFSERR_EAGAIN Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.6 71/88] x86/microcode/AMD: Select which microcode patch to load Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.6 72/88] riscv: uprobes: Add missing fence.i after building the XOL buffer Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.6 73/88] bpf: Fix an issue in bpf_prog_test_run_xdp when page size greater than 4K Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.6 74/88] bpf: Make variables in bpf_prog_test_run_xdp less confusing Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.6 75/88] bpf: Support specifying linear xdp packet data size for BPF_PROG_TEST_RUN Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.6 76/88] bpf, test_run: Subtract size of xdp_frame from allowed metadata size Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 6.6 77/88] bpf: Fix reference count leak in bpf_prog_test_run_xdp() Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 6.6 78/88] powercap: fix race condition in register_control_type() Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 6.6 79/88] powercap: fix sscanf() error return value handling Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 6.6 80/88] netfilter: nf_tables: avoid chain re-validation if possible Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 6.6 81/88] drm/amd/display: Fix DP no audio issue Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 6.6 82/88] can: j1939: make j1939_session_activate() fail if device is no longer registered Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 6.6 83/88] ALSA: usb-audio: Update for native DSD support quirks Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 6.6 84/88] ASoC: amd: yc: Add quirk for Honor MagicBook X16 2025 Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 6.6 85/88] ASoC: fsl_sai: Add missing registers to cache default Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 6.6 86/88] scsi: sg: Fix occasional bogus elapsed time that exceeds timeout Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 6.6 87/88] bpf: test_run: Fix ctx leak in bpf_prog_test_run_xdp error path Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 6.6 88/88] gpio: pca953x: fix wrong error probe return value Greg Kroah-Hartman
2026-01-15 19:15 ` [PATCH 6.6 00/88] 6.6.121-rc1 review Brett A C Sheffield
2026-01-15 19:47 ` Slade Watkins
2026-01-15 21:32 ` Francesco Dolcini
2026-01-15 22:41 ` Florian Fainelli
2026-01-15 22:43 ` Shuah Khan
2026-01-16 10:17 ` Ron Economos
2026-01-16 10:51 ` Greg Kroah-Hartman
2026-01-16 10:33 ` Jon Hunter
2026-01-16 10:57 ` Peter Schneider
2026-01-16 15:44 ` Mark Brown
2026-01-17 14:37 ` Miguel Ojeda
2026-01-19 10:35 ` Jeffrin Thalakkottoor
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260115164147.118024894@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=edumazet@google.com \
--cc=keerthana.kalyanasundaram@broadcom.com \
--cc=kuba@kernel.org \
--cc=patches@lists.linux.dev \
--cc=quic_sharathv@quicinc.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox