[PATCH OLK-5.10 7/9] tls: Use __sk_dst_get() and dst_dev_rcu() in get_netdev_for_sock().

From: Kuniyuki Iwashima <kuniyu@google.com> mainline inclusion from mainline-v6.18-rc1 commit c65f27b9c3be2269918e1cbad6d8884741f835c5 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/ID3WJ1 CVE: CVE-2025-40074 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i... -------------------------------- get_netdev_for_sock() is called during setsockopt(), so not under RCU. Using sk_dst_get(sk)->dev could trigger UAF. Let's use __sk_dst_get() and dst_dev_rcu(). Note that the only ->ndo_sk_get_lower_dev() user is bond_sk_get_lower_dev(), which uses RCU. Fixes: e8f69799810c ("net/tls: Add generic NIC offload infrastructure") Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com> Reviewed-by: Eric Dumazet <edumazet@google.com> Reviewed-by: Sabrina Dubroca <sd@queasysnail.net> Link: https://patch.msgid.link/20250916214758.650211-6-kuniyu@google.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> Conflicts: net/tls/tls_device.c [commit 153cbd137f0a is not backport] Signed-off-by: Dong Chenchen <dongchenchen2@huawei.com> --- net/tls/tls_device.c | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/net/tls/tls_device.c b/net/tls/tls_device.c index d9832a2ae23d..b0db6d8d7e21 100644 --- a/net/tls/tls_device.c +++ b/net/tls/tls_device.c @@ -113,15 +113,14 @@ static void tls_device_queue_ctx_destruction(struct tls_context *ctx) /* We assume that the socket is already connected */ static struct net_device *get_netdev_for_sock(struct sock *sk) { - struct dst_entry *dst = sk_dst_get(sk); struct net_device *netdev = NULL; + struct dst_entry *dst; - if (likely(dst)) { - netdev = dst->dev; - dev_hold(netdev); - } - - dst_release(dst); + rcu_read_lock(); + dst = __sk_dst_get(sk); + netdev = dst ? dst_dev_rcu(dst) : NULL; + dev_hold(netdev); + rcu_read_unlock(); return netdev; } -- 2.25.1