Date: Thu, 29 Jan 2026 20:43:59 +0000
X-Mailing-List: netdev@vger.kernel.org
Message-ID: <20260129204359.632556-1-edumazet@google.com>
Subject: [PATCH net] macvlan: fix error recovery in macvlan_common_newlink()
From: Eric Dumazet
To: "David S . Miller", Jakub Kicinski, Paolo Abeni
Cc: Simon Horman, netdev@vger.kernel.org, eric.dumazet@gmail.com, Eric Dumazet, valis, syzbot+7182fbe91e58602ec1fe@syzkaller.appspotmail.com, Boudewijn van der Heide
Content-Type: text/plain; charset="UTF-8"

valis provided a nice repro to crash the kernel:

  ip link add p1 type veth peer p2
  ip link set address 00:00:00:00:00:20 dev p1
  ip link set up dev p1
  ip link set up dev p2
  ip link add mv0 link p2 type macvlan mode source
  ip link add invalid% link p2 type macvlan mode source macaddr add 00:00:00:00:00:20
  ping -c1 -I p1 1.2.3.4

He also gave a very detailed analysis:

The issue is triggered when a new macvlan link is created with
MACVLAN_MODE_SOURCE mode and MACVLAN_MACADDR_ADD (or
MACVLAN_MACADDR_SET) parameter, lower device already has a macvlan
port and register_netdevice() called from macvlan_common_newlink()
fails (e.g. because of the invalid link name).

In this case macvlan_hash_add_source is called from
macvlan_change_sources() / macvlan_common_newlink():

This adds a reference to vlan to the port's vlan_source_hash using
macvlan_source_entry.

vlan is a pointer to the priv data of the link that is being created.

When register_netdevice() fails, the error is returned from
macvlan_newlink() to rtnl_newlink_create():

        if (ops->newlink)
                err = ops->newlink(dev, &params, extack);
        else
                err = register_netdevice(dev);
        if (err < 0) {
                free_netdev(dev);
                goto out;
        }

and free_netdev() is called, causing a kvfree() on the struct
net_device that is still referenced in the source entry attached to
the lower device's macvlan port.

Now all packets sent on the macvlan port with a matching source mac
address will trigger a use-after-free in macvlan_forward_source().

With all that, my fix is to make sure we call macvlan_flush_sources()
regardless of @create value whenever "goto destroy_macvlan_port;"
path is taken.

Many thanks to valis for following up on this issue.

Fixes: aa5fd0fb7748 ("driver: macvlan: Destroy new macvlan port if macvlan_common_newlink failed.")
Signed-off-by: Eric Dumazet
Reported-by: valis
Reported-by: syzbot+7182fbe91e58602ec1fe@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/netdev/695fb1e8.050a0220.1c677c.039f.GAE@google.com/T/#u
Cc: Boudewijn van der Heide
---
 drivers/net/macvlan.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/drivers/net/macvlan.c b/drivers/net/macvlan.c index b4df7e184791d0fe0a60c17522b91b2766847b37..c509228be84d1bb836cc221c1022d4037cd5c883 100644 --- a/drivers/net/macvlan.c +++ b/drivers/net/macvlan.c @@ -1567,9 +1567,10 @@ int macvlan_common_newlink(struct net_device *dev, /* the macvlan port may be freed by macvlan_uninit when fail to register. * so we destroy the macvlan port only when it's valid. */ - if (create && macvlan_port_get_rtnl(lowerdev)) { + if (macvlan_port_get_rtnl(lowerdev)) { macvlan_flush_sources(port, vlan); - macvlan_port_destroy(port->dev); + if (create) + macvlan_port_destroy(port->dev); } return err; } -- 2.53.0.rc1.225.gd81095ad13-goog
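
Review bot: the comment above the "if (macvlan_port_get_rtnl(lowerdev))" test is now stale, since it only explains when the port is destroyed while the block also runs macvlan_flush_sources() for a port that already existed (create false), which is the actual fix. Please extend the comment to say that the flush must happen whenever the port is still valid, so that no macvlan_source_entry keeps pointing at the vlan that rtnl_newlink_create() frees after the error is returned, and that only macvlan_port_destroy() depends on create. It is also worth noting in the comment that the test re-reads the port through macvlan_port_get_rtnl(lowerdev) while the body uses the cached "port" variable, so a reader does not have to work out that the two refer to the same object here.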
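
A userspace C model of the error path the commit message describes, added here as an illustration; it is not kernel code or part of the patch, and every struct and function name in it is a hypothetical stand-in. It counts the source entries that still point at the new link's private data at the moment the error path frees it, once with the old "create && port" guard and once with the flush done regardless of create.

```c
/* Userspace model, added example: every name is hypothetical, not kernel code. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define SLOTS 8
struct vlan { char name[16]; };            /* stands in for the new link's priv data */
struct source_entry { unsigned char mac[6]; struct vlan *vlan; }; /* NULL: free slot */
struct port { struct source_entry src[SLOTS]; }; /* shared by links on one lower dev */

static void hash_add_source(struct port *p, const unsigned char *mac, struct vlan *v)
{
    for (int i = 0; i < SLOTS; i++)
        if (!p->src[i].vlan) {
            memcpy(p->src[i].mac, mac, 6);
            p->src[i].vlan = v;
            return;
        }
}

/* Drop every entry that points at v; has to run before v is freed. */
static void flush_sources(struct port *p, const struct vlan *v)
{
    for (int i = 0; i < SLOTS; i++)
        if (p->src[i].vlan == v)
            p->src[i].vlan = NULL;
}

/* Models a newlink whose registration step always fails. Returns how many port
 * entries still point at the vlan when it is freed.
 * flush_always == false models the old "create && port" guard. */
int failed_newlink_dangling(struct port *p, bool create, bool flush_always)
{
    static const unsigned char mac[6] = {0, 0, 0, 0, 0, 0x20}; /* constructed sample */
    struct vlan *v = calloc(1, sizeof(*v));
    int dangling = 0;
    if (!v) return -1;
    hash_add_source(p, mac, v);            /* source entry added before registration */
    if (create || flush_always)            /* error path after the failed registration */
        flush_sources(p, v);
    for (int i = 0; i < SLOTS; i++)        /* counted before free(), no dereference */
        dangling += (p->src[i].vlan == v);
    free(v);                               /* the caller frees the object on error */
    return dangling;
}

int main(void)
{
    struct port a = {0}, b = {0};
    int old = failed_newlink_dangling(&a, false, false);
    printf("old guard: %d, fixed: %d\n", old, failed_newlink_dangling(&b, false, true));
}
```

A non-zero count with create false is the state in which a later lookup by source MAC would reach freed memory; building with -fsanitize=address and dereferencing the stale entry would make that visible.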