From 56d4ec3eaad875b5f647895ee1da0d8f83cbd4e7 Mon Sep 17 00:00:00 2001 From: Li Zetao Date: Wed, 30 Apr 2025 20:54:30 +0800 Subject: [PATCH 1/2] neighbour: delete redundant judgment statements mainline inclusion from mainline-v6.12-rc1 commit c25bdd2ac8cf7da70a226f1a66cdce7af15ff86f category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBPC59 CVE: CVE-2025-21763 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c25bdd2ac8cf7da70a226f1a66cdce7af15ff86f -------------------------------- The initial value of err is -ENOBUFS, and err is guaranteed to be less than 0 before all goto errout. Therefore, on the error path of errout, there is no need to repeatedly judge that err is less than 0, and delete redundant judgments to make the code more concise. Signed-off-by: Li Zetao Reviewed-by: Petr Machata Signed-off-by: David S. Miller Signed-off-by: Dong Chenchen --- net/core/neighbour.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/net/core/neighbour.c b/net/core/neighbour.c index 168868fb8e6c..4ff60a725cf9 100644 --- a/net/core/neighbour.c +++ b/net/core/neighbour.c @@ -3386,8 +3386,7 @@ static void __neigh_notify(struct neighbour *n, int type, int flags, rtnl_notify(skb, net, 0, RTNLGRP_NEIGH, NULL, GFP_ATOMIC); return; errout: - if (err < 0) - rtnl_set_sk_err(net, RTNLGRP_NEIGH, err); + rtnl_set_sk_err(net, RTNLGRP_NEIGH, err); } void neigh_app_ns(struct neighbour *n) -- Gitee From 4a2677c08ab52b8cb063b945ca46d0e1517e1e41 Mon Sep 17 00:00:00 2001 From: Eric Dumazet Date: Wed, 30 Apr 2025 20:54:31 +0800 Subject: [PATCH 2/2] neighbour: use RCU protection in __neigh_notify() mainline inclusion from mainline-v6.14-rc3 commit becbd5850c03ed33b232083dd66c6e38c0c0e569 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBPC59 CVE: CVE-2025-21763 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=becbd5850c03ed33b232083dd66c6e38c0c0e569 -------------------------------- __neigh_notify() can be called without RTNL or RCU protection. Use RCU protection to avoid potential UAF. Fixes: 426b5303eb43 ("[NETNS]: Modify the neighbour table code so it handles multiple network namespaces") Signed-off-by: Eric Dumazet Reviewed-by: David Ahern Reviewed-by: Kuniyuki Iwashima Link: https://patch.msgid.link/20250207135841.1948589-4-edumazet@google.com Signed-off-by: Jakub Kicinski Signed-off-by: Dong Chenchen --- net/core/neighbour.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/net/core/neighbour.c b/net/core/neighbour.c index 4ff60a725cf9..399885144c3e 100644 --- a/net/core/neighbour.c +++ b/net/core/neighbour.c @@ -3368,10 +3368,12 @@ static const struct seq_operations neigh_stat_seq_ops = { static void __neigh_notify(struct neighbour *n, int type, int flags, u32 pid) { - struct net *net = dev_net(n->dev); struct sk_buff *skb; int err = -ENOBUFS; + struct net *net; + rcu_read_lock(); + net = dev_net_rcu(n->dev); skb = nlmsg_new(neigh_nlmsg_size(), GFP_ATOMIC); if (skb == NULL) goto errout; @@ -3384,9 +3386,11 @@ static void __neigh_notify(struct neighbour *n, int type, int flags, goto errout; } rtnl_notify(skb, net, 0, RTNLGRP_NEIGH, NULL, GFP_ATOMIC); - return; + goto out; errout: rtnl_set_sk_err(net, RTNLGRP_NEIGH, err); +out: + rcu_read_unlock(); } void neigh_app_ns(struct neighbour *n) -- Gitee