From be5db5e2ab519626e0dcf98bbcec5127073d3186 Mon Sep 17 00:00:00 2001 From: Li Zetao Date: Wed, 30 Apr 2025 14:12:26 +0800 Subject: [PATCH 1/2] neighbour: delete redundant judgment statements mainline inclusion from mainline-v6.12-rc1 commit c25bdd2ac8cf7da70a226f1a66cdce7af15ff86f category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBPC59 CVE: CVE-2025-21763 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c25bdd2ac8cf7da70a226f1a66cdce7af15ff86f -------------------------------- The initial value of err is -ENOBUFS, and err is guaranteed to be less than 0 before all goto errout. Therefore, on the error path of errout, there is no need to repeatedly judge that err is less than 0, and delete redundant judgments to make the code more concise. Signed-off-by: Li Zetao Reviewed-by: Petr Machata Signed-off-by: David S. Miller Signed-off-by: Dong Chenchen --- net/core/neighbour.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/net/core/neighbour.c b/net/core/neighbour.c index 3f1520755282..0936a4f3f6f5 100644 --- a/net/core/neighbour.c +++ b/net/core/neighbour.c @@ -2940,8 +2940,7 @@ static void __neigh_notify(struct neighbour *n, int type, int flags, rtnl_notify(skb, net, 0, RTNLGRP_NEIGH, NULL, GFP_ATOMIC); return; errout: - if (err < 0) - rtnl_set_sk_err(net, RTNLGRP_NEIGH, err); + rtnl_set_sk_err(net, RTNLGRP_NEIGH, err); } void neigh_app_ns(struct neighbour *n) -- Gitee From cc6733857bfab61fd91458ae2658809f106ee348 Mon Sep 17 00:00:00 2001 From: Eric Dumazet Date: Wed, 30 Apr 2025 14:12:27 +0800 Subject: [PATCH 2/2] neighbour: use RCU protection in __neigh_notify() mainline inclusion from mainline-v6.14-rc3 commit becbd5850c03ed33b232083dd66c6e38c0c0e569 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBPC59 CVE: CVE-2025-21763 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=becbd5850c03ed33b232083dd66c6e38c0c0e569 -------------------------------- __neigh_notify() can be called without RTNL or RCU protection. Use RCU protection to avoid potential UAF. Fixes: 426b5303eb43 ("[NETNS]: Modify the neighbour table code so it handles multiple network namespaces") Signed-off-by: Eric Dumazet Reviewed-by: David Ahern Reviewed-by: Kuniyuki Iwashima Link: https://patch.msgid.link/20250207135841.1948589-4-edumazet@google.com Signed-off-by: Jakub Kicinski Signed-off-by: Dong Chenchen --- net/core/neighbour.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/net/core/neighbour.c b/net/core/neighbour.c index 0936a4f3f6f5..d827cfadddf0 100644 --- a/net/core/neighbour.c +++ b/net/core/neighbour.c @@ -2922,10 +2922,12 @@ static inline size_t neigh_nlmsg_size(void) static void __neigh_notify(struct neighbour *n, int type, int flags, u32 pid) { - struct net *net = dev_net(n->dev); struct sk_buff *skb; int err = -ENOBUFS; + struct net *net; + rcu_read_lock(); + net = dev_net_rcu(n->dev); skb = nlmsg_new(neigh_nlmsg_size(), GFP_ATOMIC); if (skb == NULL) goto errout; @@ -2938,9 +2940,11 @@ static void __neigh_notify(struct neighbour *n, int type, int flags, goto errout; } rtnl_notify(skb, net, 0, RTNLGRP_NEIGH, NULL, GFP_ATOMIC); - return; + goto out; errout: rtnl_set_sk_err(net, RTNLGRP_NEIGH, err); +out: + rcu_read_unlock(); } void neigh_app_ns(struct neighbour *n) -- Gitee