From e1ccf58371dfdb626c9f5f4158910ba1e02af721 Mon Sep 17 00:00:00 2001
From: Eric Dumazet <edumazet@google.com>
Date: Wed, 30 Apr 2025 14:13:03 +0800
Subject: [PATCH] arp: use RCU protection in arp_xmit()

mainline inclusion
from mainline-v6.14-rc3
commit a42b69f692165ec39db42d595f4f65a4c8f42e44
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBPC8P
CVE: CVE-2025-21762

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=a42b69f692165ec39db42d595f4f65a4c8f42e44

--------------------------------

arp_xmit() can be called without RTNL or RCU protection.

Use RCU protection to avoid potential UAF.

Fixes: 29a26a568038 ("netfilter: Pass struct net into the netfilter hooks")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: David Ahern <dsahern@kernel.org>
Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Link: https://patch.msgid.link/20250207135841.1948589-5-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Dong Chenchen <dongchenchen2@huawei.com>
---
 net/ipv4/arp.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/net/ipv4/arp.c b/net/ipv4/arp.c
index fccf246e4263..638e6e91441b 100644
--- a/net/ipv4/arp.c
+++ b/net/ipv4/arp.c
@@ -639,10 +639,12 @@ static int arp_xmit_finish(struct net *net, struct sock *sk, struct sk_buff *skb
  */
 void arp_xmit(struct sk_buff *skb)
 {
+	rcu_read_lock();
 	/* Send it off, maybe filter it using firewalling first.  */
 	NF_HOOK(NFPROTO_ARP, NF_ARP_OUT,
-		dev_net(skb->dev), NULL, skb, NULL, skb->dev,
+		dev_net_rcu(skb->dev), NULL, skb, NULL, skb->dev,
 		arp_xmit_finish);
+	rcu_read_unlock();
 }
 EXPORT_SYMBOL(arp_xmit);
 
-- 
Gitee