On 8/18/25 11:24 AM, Chanho Min wrote:
From: Eric Dumazet edumazet@google.com
[ Upstream commit 087c1faa594fa07a66933d750c0b2610aa1a2946 ]
igmp6_send() can be called without RTNL or RCU being held.
Extend RCU protection so that we can safely fetch the net pointer and avoid a potential UAF.
Note that we no longer can use sock_alloc_send_skb() because ipv6.igmp_sk uses GFP_KERNEL allocations which can sleep.
Instead use alloc_skb() and charge the net->ipv6.igmp_sk socket under RCU protection.
Cc: stable@vger.kernel.org # 5.4 Fixes: b8ad0cbc58f7 ("[NETNS][IPV6] mcast - handle several network namespace") Signed-off-by: Eric Dumazet edumazet@google.com Reviewed-by: David Ahern dsahern@kernel.org Reviewed-by: Kuniyuki Iwashima kuniyu@amazon.com Link: https://patch.msgid.link/20250207135841.1948589-9-edumazet@google.com [ chanho: Backports to v5.4.y. v5.4.y does not include commit b4a11b2033b7(net: fix IPSTATS_MIB_OUTPKGS increment in OutForwDatagrams), so IPSTATS_MIB_OUTREQUESTS was changed to IPSTATS_MIB_OUTPKGS defined as 'OutRequests'. ] Signed-off-by: Chanho Min chanho.min@lge.com Signed-off-by: Jakub Kicinski kuba@kernel.org Signed-off-by: Sasha Levin sashal@kernel.org
FWIW, the SoB chain above looks incorrect, as I think that neither Jakub nor Sasha have touched yet this patch.
/P