From: Eric Dumazet <edumazet@google.com> mainline inclusion from mainline-v6.14-rc3 commit 139512191bd06f1b496117c76372b2ce372c9a41 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/ID3WJ1 CVE: CVE-2025-40074 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i... -------------------------------- __ip_rt_update_pmtu() must use RCU protection to make sure the net structure it reads does not disappear. Fixes: 2fbc6e89b2f1 ("ipv4: Update exception handling for multipath routes via same device") Fixes: 1de6b15a434c ("Namespaceify min_pmtu sysctl") Signed-off-by: Eric Dumazet <edumazet@google.com> Link: https://patch.msgid.link/20250205155120.1676781-8-edumazet@google.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> Conflicts: net/ipv4/route.c [commit 1de6b15a434c namespaceify min_pmtu sysctl, which not merged lead to context conflicts.] Signed-off-by: Dong Chenchen <dongchenchen2@huawei.com> --- net/ipv4/route.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/net/ipv4/route.c b/net/ipv4/route.c index 677caffa1ded..c2bfe245c5f1 100644 --- a/net/ipv4/route.c +++ b/net/ipv4/route.c @@ -1038,9 +1038,9 @@ out: kfree_skb(skb); static void __ip_rt_update_pmtu(struct rtable *rt, struct flowi4 *fl4, u32 mtu) { struct dst_entry *dst = &rt->dst; - struct net *net = dev_net(dst->dev); struct fib_result res; bool lock = false; + struct net *net; u32 old_mtu; if (ip_mtu_locked(dst)) @@ -1060,6 +1060,7 @@ static void __ip_rt_update_pmtu(struct rtable *rt, struct flowi4 *fl4, u32 mtu) return; rcu_read_lock(); + net = dev_net_rcu(dst->dev); if (fib_lookup(net, fl4, &res, 0) == 0) { struct fib_nh_common *nhc; -- 2.25.1