[PATCH 6.12 276/565] tcp: use dst_dev_rcu() in tcp_fastopen_active_disable_ofo_check()

11 Nov 2025

6.12-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Eric Dumazet edumazet@google.com
[ Upstream commit b62a59c18b692f892dcb8109c1c2e653b2abc95c ]
Use RCU to avoid a pair of atomic operations and a potential
UAF on dst_dev()->flags.
Signed-off-by: Eric Dumazet edumazet@google.com
Reviewed-by: David Ahern dsahern@kernel.org
Link: https://patch.msgid.link/20250828195823.3958522-8-edumazet@google.com
Signed-off-by: Jakub Kicinski kuba@kernel.org
Signed-off-by: Sasha Levin sashal@kernel.org
---
 net/ipv4/tcp_fastopen.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/net/ipv4/tcp_fastopen.c b/net/ipv4/tcp_fastopen.c
index 86c995dc1c5e5..f9460e7531ba7 100644
--- a/net/ipv4/tcp_fastopen.c
+++ b/net/ipv4/tcp_fastopen.c
@@ -575,11 +575,12 @@ void tcp_fastopen_active_disable_ofo_check(struct sock *sk)
    	}
    } else if (tp->syn_fastopen_ch &&
    	   atomic_read(&sock_net(sk)->ipv4.tfo_active_disable_times)) {
-		dst = sk_dst_get(sk);
-		dev = dst ? dst_dev(dst) : NULL;
+		rcu_read_lock();
+		dst = __sk_dst_get(sk);
+		dev = dst ? dst_dev_rcu(dst) : NULL;
    	if (!(dev && (dev->flags & IFF_LOOPBACK)))
    		atomic_set(&sock_net(sk)->ipv4.tfo_active_disable_times, 0);
-		dst_release(dst);
+		rcu_read_unlock();
    }
 }
-- 
2.51.0





    

2025

2024

2023

2022

2021

2020

2019

2018

2017

[PATCH 6.12 276/565] tcp: use dst_dev_rcu() in tcp_fastopen_active_disable_ofo_check()