net: add rcu safety to rtnl_prop_list_size()
rtnl_prop_list_size() can be called while alternative names
are added or removed concurrently.
if_nlmsg_size() / rtnl_calcit() can indeed be called
without RTNL held.
Use explicit RCU protection to avoid UAF.
Fixes: 88f4fb0c74
("net: rtnetlink: put alternative names to getlink message")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Jiri Pirko <jiri@nvidia.com>
Link: https://lore.kernel.org/r/20240209181248.96637-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
This commit is contained in:
parent
3e36031cc0
commit
9f30831390
@ -336,7 +336,7 @@ int netdev_name_node_alt_create(struct net_device *dev, const char *name)
|
||||
return -ENOMEM;
|
||||
netdev_name_node_add(net, name_node);
|
||||
/* The node that holds dev->name acts as a head of per-device list. */
|
||||
list_add_tail(&name_node->list, &dev->name_node->list);
|
||||
list_add_tail_rcu(&name_node->list, &dev->name_node->list);
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
@ -1020,14 +1020,17 @@ static size_t rtnl_xdp_size(void)
|
||||
static size_t rtnl_prop_list_size(const struct net_device *dev)
|
||||
{
|
||||
struct netdev_name_node *name_node;
|
||||
size_t size;
|
||||
unsigned int cnt = 0;
|
||||
|
||||
if (list_empty(&dev->name_node->list))
|
||||
rcu_read_lock();
|
||||
list_for_each_entry_rcu(name_node, &dev->name_node->list, list)
|
||||
cnt++;
|
||||
rcu_read_unlock();
|
||||
|
||||
if (!cnt)
|
||||
return 0;
|
||||
size = nla_total_size(0);
|
||||
list_for_each_entry(name_node, &dev->name_node->list, list)
|
||||
size += nla_total_size(ALTIFNAMSIZ);
|
||||
return size;
|
||||
|
||||
return nla_total_size(0) + cnt * nla_total_size(ALTIFNAMSIZ);
|
||||
}
|
||||
|
||||
static size_t rtnl_proto_down_size(const struct net_device *dev)
|
||||
|
Loading…
Reference in New Issue
Block a user