From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Shuang Li <shuali@redhat.com>,
Xin Long <lucien.xin@gmail.com>,
"David S. Miller" <davem@davemloft.net>,
Olivier Matz <olivier.matz@6wind.com>
Subject: [PATCH 5.15 26/67] vlan: move dev_put into vlan_dev_uninit
Date: Tue, 5 Dec 2023 12:17:11 +0900 [thread overview]
Message-ID: <20231205031521.311405664@linuxfoundation.org> (raw)
In-Reply-To: <20231205031519.853779502@linuxfoundation.org>
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xin Long <lucien.xin@gmail.com>
commit d6ff94afd90b0ce8d1715f8ef77d4347d7a7f2c0 upstream.
Shuang Li reported an QinQ issue by simply doing:
# ip link add dummy0 type dummy
# ip link add link dummy0 name dummy0.1 type vlan id 1
# ip link add link dummy0.1 name dummy0.1.2 type vlan id 2
# rmmod 8021q
unregister_netdevice: waiting for dummy0.1 to become free. Usage count = 1
When rmmods 8021q, all vlan devs are deleted from their real_dev's vlan grp
and added into list_kill by unregister_vlan_dev(). dummy0.1 is unregistered
before dummy0.1.2, as it's using for_each_netdev() in __rtnl_kill_links().
When unregisters dummy0.1, dummy0.1.2 is not unregistered in the event of
NETDEV_UNREGISTER, as it's been deleted from dummy0.1's vlan grp. However,
due to dummy0.1.2 still holding dummy0.1, dummy0.1 will keep waiting in
netdev_wait_allrefs(), while dummy0.1.2 will never get unregistered and
release dummy0.1, as it delays dev_put until calling dev->priv_destructor,
vlan_dev_free().
This issue was introduced by Commit 563bcbae3ba2 ("net: vlan: fix a UAF in
vlan_dev_real_dev()"), and this patch is to fix it by moving dev_put() into
vlan_dev_uninit(), which is called after NETDEV_UNREGISTER event but before
netdev_wait_allrefs().
Fixes: 563bcbae3ba2 ("net: vlan: fix a UAF in vlan_dev_real_dev()")
Reported-by: Shuang Li <shuali@redhat.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Olivier Matz <olivier.matz@6wind.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/8021q/vlan_dev.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
--- a/net/8021q/vlan_dev.c
+++ b/net/8021q/vlan_dev.c
@@ -638,7 +638,12 @@ void vlan_dev_free_egress_priority(const
static void vlan_dev_uninit(struct net_device *dev)
{
+ struct vlan_dev_priv *vlan = vlan_dev_priv(dev);
+
vlan_dev_free_egress_priority(dev);
+
+ /* Get rid of the vlan's reference to real_dev */
+ dev_put(vlan->real_dev);
}
static netdev_features_t vlan_dev_fix_features(struct net_device *dev,
@@ -851,9 +856,6 @@ static void vlan_dev_free(struct net_dev
free_percpu(vlan->vlan_pcpu_stats);
vlan->vlan_pcpu_stats = NULL;
-
- /* Get rid of the vlan's reference to real_dev */
- dev_put(vlan->real_dev);
}
void vlan_setup(struct net_device *dev)
next prev parent reply other threads:[~2023-12-05 3:41 UTC|newest]
Thread overview: 89+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-12-05 3:16 [PATCH 5.15 00/67] 5.15.142-rc1 review Greg Kroah-Hartman
2023-12-05 3:16 ` [PATCH 5.15 01/67] perf inject: Fix GEN_ELF_TEXT_OFFSET for jit Greg Kroah-Hartman
2023-12-05 3:16 ` [PATCH 5.15 02/67] pinctrl: avoid reload of p state in list iteration Greg Kroah-Hartman
2023-12-05 3:16 ` [PATCH 5.15 03/67] firewire: core: fix possible memory leak in create_units() Greg Kroah-Hartman
2023-12-05 3:16 ` [PATCH 5.15 04/67] mmc: cqhci: Increase recovery halt timeout Greg Kroah-Hartman
2023-12-05 3:16 ` [PATCH 5.15 05/67] mmc: cqhci: Warn of halt or task clear failure Greg Kroah-Hartman
2023-12-05 3:16 ` [PATCH 5.15 06/67] mmc: cqhci: Fix task clearing in CQE error recovery Greg Kroah-Hartman
2023-12-05 3:16 ` [PATCH 5.15 07/67] mmc: block: Retry commands " Greg Kroah-Hartman
2023-12-05 3:16 ` [PATCH 5.15 08/67] mmc: block: Do not lose cache flush during " Greg Kroah-Hartman
2023-12-05 3:16 ` [PATCH 5.15 09/67] mmc: block: Be sure to wait while busy in " Greg Kroah-Hartman
2023-12-05 3:16 ` [PATCH 5.15 10/67] ALSA: hda: Disable power-save on KONTRON SinglePC Greg Kroah-Hartman
2023-12-05 3:16 ` [PATCH 5.15 11/67] ALSA: hda/realtek: Headset Mic VREF to 100% Greg Kroah-Hartman
2023-12-05 3:16 ` [PATCH 5.15 12/67] ALSA: hda/realtek: Add supported ALC257 for ChromeOS Greg Kroah-Hartman
2023-12-05 3:16 ` [PATCH 5.15 13/67] dm-verity: align struct dm_verity_fec_io properly Greg Kroah-Hartman
2023-12-05 3:16 ` [PATCH 5.15 14/67] dm verity: dont perform FEC for failed readahead IO Greg Kroah-Hartman
2023-12-05 3:17 ` [PATCH 5.15 15/67] bcache: revert replacing IS_ERR_OR_NULL with IS_ERR Greg Kroah-Hartman
2023-12-05 3:17 ` [PATCH 5.15 16/67] iommu/vt-d: Add MTL to quirk list to skip TE disabling Greg Kroah-Hartman
2023-12-05 3:17 ` [PATCH 5.15 17/67] powerpc: Dont clobber f0/vs0 during fp|altivec register save Greg Kroah-Hartman
2023-12-05 3:17 ` [PATCH 5.15 18/67] parisc: Drop the HP-UX ENOSYM and EREMOTERELEASE error codes Greg Kroah-Hartman
2023-12-05 3:17 ` [PATCH 5.15 19/67] btrfs: add dmesg output for first mount and last unmount of a filesystem Greg Kroah-Hartman
2023-12-05 3:17 ` [PATCH 5.15 20/67] btrfs: ref-verify: fix memory leaks in btrfs_ref_tree_mod() Greg Kroah-Hartman
2023-12-05 3:17 ` [PATCH 5.15 21/67] btrfs: fix off-by-one when checking chunk map includes logical address Greg Kroah-Hartman
2023-12-05 3:17 ` [PATCH 5.15 22/67] btrfs: send: ensure send_fd is writable Greg Kroah-Hartman
2023-12-05 3:17 ` [PATCH 5.15 23/67] btrfs: make error messages more clear when getting a chunk map Greg Kroah-Hartman
2023-12-05 3:17 ` [PATCH 5.15 24/67] Input: xpad - add HyperX Clutch Gladiate Support Greg Kroah-Hartman
2023-12-05 3:17 ` [PATCH 5.15 25/67] vlan: introduce vlan_dev_free_egress_priority Greg Kroah-Hartman
2023-12-05 3:17 ` Greg Kroah-Hartman [this message]
2023-12-05 3:17 ` [PATCH 5.15 27/67] rcu: Avoid tracing a few functions executed in stop machine Greg Kroah-Hartman
2023-12-05 3:17 ` [PATCH 5.15 28/67] hv_netvsc: fix race of netvsc and VF register_netdevice Greg Kroah-Hartman
2023-12-05 3:17 ` [PATCH 5.15 29/67] USB: core: Change configuration warnings to notices Greg Kroah-Hartman
2023-12-05 3:17 ` [PATCH 5.15 30/67] usb: config: fix iteration issue in usb_get_bos_descriptor() Greg Kroah-Hartman
2023-12-05 3:17 ` [PATCH 5.15 31/67] ipv4: igmp: fix refcnt uaf issue when receiving igmp query packet Greg Kroah-Hartman
2023-12-05 3:17 ` [PATCH 5.15 32/67] dpaa2-eth: increase the needed headroom to account for alignment Greg Kroah-Hartman
2023-12-05 3:17 ` [PATCH 5.15 33/67] uapi: propagate __struct_group() attributes to the container union Greg Kroah-Hartman
2023-12-05 3:17 ` [PATCH 5.15 34/67] selftests/net: ipsec: fix constant out of range Greg Kroah-Hartman
2023-12-05 3:17 ` [PATCH 5.15 35/67] octeontx2-af: Fix possible buffer overflow Greg Kroah-Hartman
2023-12-05 3:17 ` [PATCH 5.15 36/67] net: stmmac: xgmac: Disable FPE MMC interrupts Greg Kroah-Hartman
2023-12-05 3:17 ` [PATCH 5.15 37/67] octeontx2-pf: Fix adding mbox work queue entry when num_vfs > 64 Greg Kroah-Hartman
2023-12-05 3:17 ` [PATCH 5.15 38/67] Revert "workqueue: remove unused cancel_work()" Greg Kroah-Hartman
2023-12-05 3:17 ` [PATCH 5.15 39/67] r8169: prevent potential deadlock in rtl8169_close Greg Kroah-Hartman
2023-12-05 3:17 ` [PATCH 5.15 40/67] ravb: Fix races between ravb_tx_timeout_work() and net related ops Greg Kroah-Hartman
2023-12-05 3:17 ` [PATCH 5.15 41/67] net: ravb: Check return value of reset_control_deassert() Greg Kroah-Hartman
2023-12-05 3:17 ` [PATCH 5.15 42/67] net: ravb: Use pm_runtime_resume_and_get() Greg Kroah-Hartman
2023-12-05 3:17 ` [PATCH 5.15 43/67] net: ravb: Start TX queues after HW initialization succeeded Greg Kroah-Hartman
2023-12-05 3:17 ` [PATCH 5.15 44/67] ravb: Separate handling of irq enable/disable regs into feature Greg Kroah-Hartman
2023-12-05 9:04 ` Sergey Shtylyov
2023-12-05 18:28 ` Greg Kroah-Hartman
2023-12-05 3:17 ` [PATCH 5.15 45/67] ravb: Support separate Line0 (Desc), Line1 (Err) and Line2 (Mgmt) irqs Greg Kroah-Hartman
2023-12-05 3:17 ` [PATCH 5.15 46/67] net: ravb: Stop DMA in case of failures on ravb_open() Greg Kroah-Hartman
2023-12-05 3:17 ` [PATCH 5.15 47/67] perf intel-pt: Fix async branch flags Greg Kroah-Hartman
2023-12-05 3:17 ` [PATCH 5.15 48/67] selftests/resctrl: Add missing SPDX license to Makefile Greg Kroah-Hartman
2023-12-05 3:17 ` [PATCH 5.15 49/67] selftests/resctrl: Move _GNU_SOURCE define into Makefile Greg Kroah-Hartman
2023-12-05 3:17 ` [PATCH 5.15 50/67] powerpc/pseries/iommu: enable_ddw incorrectly returns direct mapping for SR-IOV device Greg Kroah-Hartman
2023-12-05 3:17 ` [PATCH 5.15 51/67] smb3: fix touch -h of symlink Greg Kroah-Hartman
2023-12-05 3:17 ` [PATCH 5.15 52/67] ASoC: Intel: Move soc_intel_is_foo() helpers to a generic header Greg Kroah-Hartman
2023-12-05 3:17 ` [PATCH 5.15 53/67] ASoC: SOF: sof-pci-dev: use community key on all Up boards Greg Kroah-Hartman
2023-12-05 3:17 ` [PATCH 5.15 54/67] ASoC: SOF: sof-pci-dev: add parameter to override topology filename Greg Kroah-Hartman
2023-12-05 3:17 ` [PATCH 5.15 55/67] ASoC: SOF: sof-pci-dev: dont use the community key on APL Chromebooks Greg Kroah-Hartman
2023-12-05 3:17 ` [PATCH 5.15 56/67] ASoC: SOF: sof-pci-dev: Fix community key quirk detection Greg Kroah-Hartman
2023-12-05 3:17 ` [PATCH 5.15 57/67] fbdev: stifb: Make the STI next font pointer a 32-bit signed offset Greg Kroah-Hartman
2023-12-05 3:17 ` [PATCH 5.15 58/67] fs: add ctime accessors infrastructure Greg Kroah-Hartman
2023-12-05 3:17 ` [PATCH 5.15 59/67] smb3: fix caching of ctime on setxattr Greg Kroah-Hartman
2023-12-05 3:17 ` [PATCH 5.15 60/67] cpufreq: imx6q: dont warn for disabling a non-existing frequency Greg Kroah-Hartman
2023-12-05 3:17 ` [PATCH 5.15 61/67] cpufreq: imx6q: Dont disable 792 Mhz OPP unnecessarily Greg Kroah-Hartman
2023-12-05 3:17 ` [PATCH 5.15 62/67] iommu/vt-d: Omit devTLB invalidation requests when TES=0 Greg Kroah-Hartman
2023-12-05 3:17 ` [PATCH 5.15 63/67] iommu/vt-d: Make context clearing consistent with context mapping Greg Kroah-Hartman
2023-12-05 3:17 ` [PATCH 5.15 64/67] mmc: core: add helpers mmc_regulator_enable/disable_vqmmc Greg Kroah-Hartman
2023-12-05 3:17 ` [PATCH 5.15 65/67] mmc: sdhci-sprd: Fix vqmmc not shutting down after the card was pulled Greg Kroah-Hartman
2023-12-05 3:17 ` [PATCH 5.15 66/67] r8169: disable ASPM in case of tx timeout Greg Kroah-Hartman
2023-12-05 3:17 ` [PATCH 5.15 67/67] r8169: fix deadlock on RTL8125 in jumbo mtu mode Greg Kroah-Hartman
2023-12-05 7:16 ` [PATCH 5.15 00/67] 5.15.142-rc1 review Harshit Mogalapalli
2023-12-05 18:17 ` Greg Kroah-Hartman
2024-01-07 0:54 ` Namhyung Kim
2024-01-07 8:53 ` Greg Kroah-Hartman
2024-01-09 21:49 ` [PATCH for-5.15] perf inject: Fix GEN_ELF_TEXT_OFFSET for jit Namhyung Kim
2024-01-09 21:52 ` kernel test robot
2024-01-10 7:58 ` Greg Kroah-Hartman
2024-01-10 17:53 ` Namhyung Kim
2024-01-11 10:44 ` Greg Kroah-Hartman
2023-12-05 11:09 ` [PATCH 5.15 00/67] 5.15.142-rc1 review Jon Hunter
2023-12-05 16:48 ` Naresh Kamboju
2023-12-05 16:48 ` Naresh Kamboju
2023-12-05 18:23 ` Greg Kroah-Hartman
2023-12-05 18:23 ` Greg Kroah-Hartman
2023-12-05 16:50 ` Guenter Roeck
2023-12-05 17:09 ` SeongJae Park
2023-12-05 18:21 ` Florian Fainelli
2023-12-05 21:14 ` Allen
2023-12-06 1:42 ` Shuah Khan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20231205031521.311405664@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=davem@davemloft.net \
--cc=lucien.xin@gmail.com \
--cc=olivier.matz@6wind.com \
--cc=patches@lists.linux.dev \
--cc=shuali@redhat.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.