From: Jason Gunthorpe <jgg@nvidia.com>
To: Ziyang Xuan <william.xuanziyang@huawei.com>,
	Jiri Pirko <jiri@nvidia.com>
Cc: dledford@redhat.com, leon@kernel.org, mbloch@nvidia.com,
	jinpu.wang@ionos.com, lee.jones@linaro.org,
	linux-rdma@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH rdma-rc] IB/core: fix a UAF for netdev in netdevice_event process
Date: Mon, 25 Oct 2021 13:39:41 -0300
Message-ID: <20211025163941.GA393143@nvidia.com>
In-Reply-To: <20211025034258.2426872-1-william.xuanziyang@huawei.com>

On Mon, Oct 25, 2021 at 11:42:58AM +0800, Ziyang Xuan wrote:
> When a vlan netdev enters the netdevice_event process although it is not a
> roce netdev, it will be passed to netdevice_event_work_handler() to
> process. In order to hold the netdev of netdevice_event after
> netdevice_event() returns, call dev_hold() to hold the netdev in
> netdevice_queue_work(). But that did not consider the real_dev of a vlan
> netdev, the real_dev can be freed within netdevice_event_work_handler()
> be scheduled. It would trigger the UAF problem for the real_dev like
> the following:

I think this is a netdev bug. Under rtnl vlan_dev_real_dev() should
return NULL if the vlan device has passed unregister_vlan_dev().

diff --git a/net/8021q/vlan.c b/net/8021q/vlan.c
index 55275ef9a31a7c..1106da84e72559 100644
--- a/net/8021q/vlan.c
+++ b/net/8021q/vlan.c
@@ -126,6 +126,7 @@ void unregister_vlan_dev(struct net_device *dev, struct list_head *head)
 
        /* Get rid of the vlan's reference to real_dev */
        dev_put(real_dev);
+       vlan->real_dev = NULL;
 }
 
 int vlan_check_real_dev(struct net_device *real_dev,
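Review bot: in the unregister_vlan_dev() hunk, the added `vlan->real_dev = NULL;` comes after `dev_put(real_dev);`, so between those two statements the field still points at a device whose reference has already been dropped; consider clearing the field first and dropping the reference afterwards. The store is also a plain assignment, so it only protects readers that run under the same lock as unregister_vlan_dev() and that check the value for NULL before using it. A comment stating that locking requirement, together with an audit of the readers of vlan->real_dev for NULL handling, should accompany this change.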

I'm assuming there is more to it than this, but it is a starting
point.

Jason

Thread overview: 7+ messages
2021-10-25  3:42 [PATCH rdma-rc] IB/core: fix a UAF for netdev in netdevice_event process Ziyang Xuan
2021-10-25  7:33 ` Leon Romanovsky
2021-10-25  8:37   ` Ziyang Xuan (William)
2021-10-25 11:06     ` Leon Romanovsky
2021-10-26  3:14       ` Ziyang Xuan (William)
2021-10-26  9:03         ` Leon Romanovsky
2021-10-25 16:39 ` Jason Gunthorpe [this message]
