ipv6: use RCU protection in ip6_default_advmss()

PlaidCat · PlaidCat · commit 9601d848e58b · 2025-06-05T15:46:31.000-04:00
jira LE-3187 cve CVE-2025-21765 Rebuild_History Non-Buildable kernel-5.14.0-570.19.1.el9_6 commit-author Eric Dumazet <edumazet@google.com> commit 3c8ffcd ip6_default_advmss() needs rcu protection to make sure the net structure it reads does not disappear. Fixes: 5578689 ("[NETNS][IPV6] route6 - make route6 per namespace") Signed-off-by: Eric Dumazet <edumazet@google.com> Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com> Link: https://patch.msgid.link/20250205155120.1676781-11-edumazet@google.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> (cherry picked from commit 3c8ffcd) Signed-off-by: Jonathan Maple <jmaple@ciq.com>
diff --git a/net/ipv6/route.c b/net/ipv6/route.c
@@ -3189,13 +3189,18 @@ static unsigned int ip6_default_advmss(const struct dst_entry *dst)
 {
 	struct net_device *dev = dst->dev;
 	unsigned int mtu = dst_mtu(dst);
-	struct net *net = dev_net(dev);
+	struct net *net;
 
 	mtu -= sizeof(struct ipv6hdr) + sizeof(struct tcphdr);
 
+	rcu_read_lock();
+
+	net = dev_net_rcu(dev);
 	if (mtu < net->ipv6.sysctl.ip6_rt_min_advmss)
 		mtu = net->ipv6.sysctl.ip6_rt_min_advmss;
 
+	rcu_read_unlock();
+
 	/*
 	 * Maximal non-jumbo IPv6 payload is IPV6_MAXPLEN and
 	 * corresponding MSS is IPV6_MAXPLEN - tcp_header_size.
