From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Petr Machata <petrm@nvidia.com>,
Jakub Kicinski <kuba@kernel.org>,
Ziyang Xuan <william.xuanziyang@huawei.com>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 5.4 71/92] net: vlan: fix underflow for the real_dev refcnt
Date: Mon, 29 Nov 2021 19:18:40 +0100 [thread overview]
Message-ID: <20211129181709.783756443@linuxfoundation.org> (raw)
In-Reply-To: <20211129181707.392764191@linuxfoundation.org>
From: Ziyang Xuan <william.xuanziyang@huawei.com>
[ Upstream commit 01d9cc2dea3fde3bad6d27f464eff463496e2b00 ]
Inject error before dev_hold(real_dev) in register_vlan_dev(),
and execute the following testcase:
ip link add dev dummy1 type dummy
ip link add name dummy1.100 link dummy1 type vlan id 100
ip link del dev dummy1
When the dummy netdevice is removed, we will get a WARNING as following:
=======================================================================
refcount_t: decrement hit 0; leaking memory.
WARNING: CPU: 2 PID: 0 at lib/refcount.c:31 refcount_warn_saturate+0xbf/0x1e0
and an endless loop of:
=======================================================================
unregister_netdevice: waiting for dummy1 to become free. Usage count = -1073741824
That is because dev_put(real_dev) in vlan_dev_free() be called without
dev_hold(real_dev) in register_vlan_dev(). It makes the refcnt of real_dev
underflow.
Move the dev_hold(real_dev) to vlan_dev_init() which is the call-back of
ndo_init(). That makes dev_hold() and dev_put() for vlan's real_dev
symmetrical.
Fixes: 563bcbae3ba2 ("net: vlan: fix a UAF in vlan_dev_real_dev()")
Reported-by: Petr Machata <petrm@nvidia.com>
Suggested-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
Link: https://lore.kernel.org/r/20211126015942.2918542-1-william.xuanziyang@huawei.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/8021q/vlan.c | 3 ---
net/8021q/vlan_dev.c | 3 +++
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/net/8021q/vlan.c b/net/8021q/vlan.c
index cd7c0429cddf8..796d95797ab40 100644
--- a/net/8021q/vlan.c
+++ b/net/8021q/vlan.c
@@ -177,9 +177,6 @@ int register_vlan_dev(struct net_device *dev, struct netlink_ext_ack *extack)
if (err)
goto out_unregister_netdev;
- /* Account for reference in struct vlan_dev_priv */
- dev_hold(real_dev);
-
vlan_stacked_transfer_operstate(real_dev, dev, vlan);
linkwatch_fire_event(dev); /* _MUST_ call rfc2863_policy() */
diff --git a/net/8021q/vlan_dev.c b/net/8021q/vlan_dev.c
index 415a29d42cdf0..589615ec490bb 100644
--- a/net/8021q/vlan_dev.c
+++ b/net/8021q/vlan_dev.c
@@ -583,6 +583,9 @@ static int vlan_dev_init(struct net_device *dev)
if (!vlan->vlan_pcpu_stats)
return -ENOMEM;
+ /* Get vlan's reference to real_dev */
+ dev_hold(real_dev);
+
return 0;
}
--
2.33.0
next prev parent reply other threads:[~2021-11-29 20:58 UTC|newest]
Thread overview: 100+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-11-29 18:17 [PATCH 5.4 00/92] 5.4.163-rc1 review Greg Kroah-Hartman
2021-11-29 18:17 ` [PATCH 5.4 01/92] USB: serial: option: add Telit LE910S1 0x9200 composition Greg Kroah-Hartman
2021-11-29 18:17 ` [PATCH 5.4 02/92] USB: serial: option: add Fibocom FM101-GL variants Greg Kroah-Hartman
2021-11-29 18:17 ` [PATCH 5.4 03/92] usb: dwc2: gadget: Fix ISOC flow for elapsed frames Greg Kroah-Hartman
2021-11-29 18:17 ` [PATCH 5.4 04/92] usb: dwc2: hcd_queue: Fix use of floating point literal Greg Kroah-Hartman
2021-11-29 18:17 ` [PATCH 5.4 05/92] net: nexthop: fix null pointer dereference when IPv6 is not enabled Greg Kroah-Hartman
2021-11-29 18:17 ` [PATCH 5.4 06/92] usb: typec: fusb302: Fix masking of comparator and bc_lvl interrupts Greg Kroah-Hartman
2021-11-29 18:17 ` [PATCH 5.4 07/92] usb: hub: Fix usb enumeration issue due to address0 race Greg Kroah-Hartman
2021-11-29 18:17 ` [PATCH 5.4 08/92] usb: hub: Fix locking issues with address0_mutex Greg Kroah-Hartman
2021-11-29 18:17 ` [PATCH 5.4 09/92] binder: fix test regression due to sender_euid change Greg Kroah-Hartman
2021-11-29 18:17 ` [PATCH 5.4 10/92] ALSA: ctxfi: Fix out-of-range access Greg Kroah-Hartman
2021-11-29 18:17 ` [PATCH 5.4 11/92] media: cec: copy sequence field for the reply Greg Kroah-Hartman
2021-11-29 18:17 ` [PATCH 5.4 12/92] Revert "parisc: Fix backtrace to always include init funtion names" Greg Kroah-Hartman
2021-11-29 18:17 ` [PATCH 5.4 13/92] HID: wacom: Use "Confidence" flag to prevent reporting invalid contacts Greg Kroah-Hartman
2021-11-29 18:17 ` [PATCH 5.4 14/92] staging/fbtft: Fix backlight Greg Kroah-Hartman
2021-11-29 18:17 ` [PATCH 5.4 15/92] staging: rtl8192e: Fix use after free in _rtl92e_pci_disconnect() Greg Kroah-Hartman
2021-11-29 18:17 ` [PATCH 5.4 16/92] xen: dont continue xenstore initialization in case of errors Greg Kroah-Hartman
2021-11-29 18:17 ` [PATCH 5.4 17/92] xen: detect uninitialized xenbus in xenbus_init Greg Kroah-Hartman
2021-11-29 18:17 ` [PATCH 5.4 18/92] KVM: PPC: Book3S HV: Prevent POWER7/8 TLB flush flushing SLB Greg Kroah-Hartman
2021-11-29 18:17 ` [PATCH 5.4 19/92] tracing/uprobe: Fix uprobe_perf_open probes iteration Greg Kroah-Hartman
2021-11-29 18:17 ` [PATCH 5.4 20/92] tracing: Fix pid filtering when triggers are attached Greg Kroah-Hartman
2021-11-29 18:17 ` [PATCH 5.4 21/92] mmc: sdhci: Fix ADMA for PAGE_SIZE >= 64KiB Greg Kroah-Hartman
2021-11-29 18:17 ` [PATCH 5.4 22/92] mdio: aspeed: Fix "Link is Down" issue Greg Kroah-Hartman
2021-11-29 18:17 ` [PATCH 5.4 23/92] PCI: aardvark: Deduplicate code in advk_pcie_rd_conf() Greg Kroah-Hartman
2021-11-29 18:17 ` [PATCH 5.4 24/92] PCI: aardvark: Wait for endpoint to be ready before training link Greg Kroah-Hartman
2021-11-29 18:17 ` [PATCH 5.4 25/92] PCI: aardvark: Fix big endian support Greg Kroah-Hartman
2021-11-29 18:17 ` [PATCH 5.4 26/92] PCI: aardvark: Train link immediately after enabling training Greg Kroah-Hartman
2021-11-29 18:17 ` [PATCH 5.4 27/92] PCI: aardvark: Improve link training Greg Kroah-Hartman
2021-11-29 18:17 ` [PATCH 5.4 28/92] PCI: aardvark: Issue PERST via GPIO Greg Kroah-Hartman
2021-11-29 18:17 ` [PATCH 5.4 29/92] PCI: aardvark: Replace custom macros by standard linux/pci_regs.h macros Greg Kroah-Hartman
2021-11-29 18:17 ` [PATCH 5.4 30/92] PCI: aardvark: Dont touch PCIe registers if no card connected Greg Kroah-Hartman
2021-11-29 18:18 ` [PATCH 5.4 31/92] PCI: aardvark: Fix compilation on s390 Greg Kroah-Hartman
2021-11-29 18:18 ` [PATCH 5.4 32/92] PCI: aardvark: Move PCIe reset card code to advk_pcie_train_link() Greg Kroah-Hartman
2021-11-29 18:18 ` [PATCH 5.4 33/92] PCI: aardvark: Update comment about disabling link training Greg Kroah-Hartman
2021-11-29 18:18 ` [PATCH 5.4 34/92] PCI: pci-bridge-emul: Fix array overruns, improve safety Greg Kroah-Hartman
2021-11-29 18:18 ` [PATCH 5.4 35/92] PCI: aardvark: Configure PCIe resources from ranges DT property Greg Kroah-Hartman
2021-11-29 18:18 ` [PATCH 5.4 36/92] PCI: aardvark: Fix PCIe Max Payload Size setting Greg Kroah-Hartman
2021-11-29 18:18 ` [PATCH 5.4 37/92] PCI: aardvark: Implement re-issuing config requests on CRS response Greg Kroah-Hartman
2021-11-29 18:18 ` [PATCH 5.4 38/92] PCI: aardvark: Simplify initialization of rootcap on virtual bridge Greg Kroah-Hartman
2021-11-29 18:18 ` [PATCH 5.4 39/92] PCI: aardvark: Fix link training Greg Kroah-Hartman
2021-11-29 18:18 ` [PATCH 5.4 40/92] PCI: aardvark: Fix support for bus mastering and PCI_COMMAND on emulated bridge Greg Kroah-Hartman
2021-11-29 18:18 ` [PATCH 5.4 41/92] PCI: aardvark: Set PCI Bridge Class Code to PCI Bridge Greg Kroah-Hartman
2021-11-29 18:18 ` [PATCH 5.4 42/92] PCI: aardvark: Fix support for PCI_BRIDGE_CTL_BUS_RESET on emulated bridge Greg Kroah-Hartman
2021-11-29 18:18 ` [PATCH 5.4 43/92] pinctrl: armada-37xx: Correct PWM pins definitions Greg Kroah-Hartman
2021-11-29 18:18 ` [PATCH 5.4 44/92] arm64: dts: marvell: armada-37xx: Set pcie_reset_pin to gpio function Greg Kroah-Hartman
2021-11-29 18:18 ` [PATCH 5.4 45/92] proc/vmcore: fix clearing user buffer by properly using clear_user() Greg Kroah-Hartman
2021-11-29 18:18 ` [PATCH 5.4 46/92] netfilter: ipvs: Fix reuse connection if RS weight is 0 Greg Kroah-Hartman
2021-11-29 18:18 ` [PATCH 5.4 47/92] ARM: dts: BCM5301X: Fix I2C controller interrupt Greg Kroah-Hartman
2021-11-29 18:18 ` [PATCH 5.4 48/92] ARM: dts: BCM5301X: Add interrupt properties to GPIO node Greg Kroah-Hartman
2021-11-29 18:18 ` [PATCH 5.4 49/92] ASoC: qdsp6: q6routing: Conditionally reset FrontEnd Mixer Greg Kroah-Hartman
2021-11-29 18:18 ` [PATCH 5.4 50/92] ASoC: topology: Add missing rwsem around snd_ctl_remove() calls Greg Kroah-Hartman
2021-11-29 18:18 ` [PATCH 5.4 51/92] net: ieee802154: handle iftypes as u32 Greg Kroah-Hartman
2021-11-29 18:18 ` [PATCH 5.4 52/92] firmware: arm_scmi: pm: Propagate return value to caller Greg Kroah-Hartman
2021-11-29 18:18 ` [PATCH 5.4 53/92] NFSv42: Dont fail clone() unless the OP_CLONE operation failed Greg Kroah-Hartman
2021-11-29 18:18 ` [PATCH 5.4 54/92] ARM: socfpga: Fix crash with CONFIG_FORTIRY_SOURCE Greg Kroah-Hartman
2021-11-29 18:18 ` [PATCH 5.4 55/92] scsi: mpt3sas: Fix kernel panic during drive powercycle test Greg Kroah-Hartman
2021-11-29 18:18 ` [PATCH 5.4 56/92] drm/vc4: fix error code in vc4_create_object() Greg Kroah-Hartman
2021-11-29 18:18 ` [PATCH 5.4 57/92] iavf: Prevent changing static ITR values if adaptive moderation is on Greg Kroah-Hartman
2021-11-29 18:18 ` [PATCH 5.4 58/92] ipv6: fix typos in __ip6_finish_output() Greg Kroah-Hartman
2021-11-29 18:18 ` [PATCH 5.4 59/92] nfp: checking parameter process for rx-usecs/tx-usecs is invalid Greg Kroah-Hartman
2021-11-29 18:18 ` [PATCH 5.4 60/92] net: ipv6: add fib6_nh_release_dsts stub Greg Kroah-Hartman
2021-11-29 18:18 ` [PATCH 5.4 61/92] net: nexthop: release IPv6 per-cpu dsts when replacing a nexthop group Greg Kroah-Hartman
2021-11-29 18:18 ` [PATCH 5.4 62/92] scsi: core: sysfs: Fix setting device state to SDEV_RUNNING Greg Kroah-Hartman
2021-11-29 18:18 ` [PATCH 5.4 63/92] net/smc: Ensure the active closing peer first closes clcsock Greg Kroah-Hartman
2021-11-29 18:18 ` [PATCH 5.4 64/92] nvmet-tcp: fix incomplete data digest send Greg Kroah-Hartman
2021-11-29 18:18 ` [PATCH 5.4 65/92] net/ncsi : Add payload to be 32-bit aligned to fix dropped packets Greg Kroah-Hartman
2021-11-29 18:18 ` [PATCH 5.4 66/92] PM: hibernate: use correct mode for swsusp_close() Greg Kroah-Hartman
2021-11-29 18:18 ` [PATCH 5.4 67/92] tcp_cubic: fix spurious Hystart ACK train detections for not-cwnd-limited flows Greg Kroah-Hartman
2021-11-29 18:18 ` [PATCH 5.4 68/92] nvmet: use IOCB_NOWAIT only if the filesystem supports it Greg Kroah-Hartman
2021-11-29 18:18 ` [PATCH 5.4 69/92] igb: fix netpoll exit with traffic Greg Kroah-Hartman
2021-11-29 18:18 ` [PATCH 5.4 70/92] MIPS: use 3-level pgtable for 64KB page size on MIPS_VA_BITS_48 Greg Kroah-Hartman
2021-11-29 18:18 ` Greg Kroah-Hartman [this message]
2021-11-29 18:18 ` [PATCH 5.4 72/92] net/smc: Dont call clcsock shutdown twice when smc shutdown Greg Kroah-Hartman
2021-11-29 18:18 ` [PATCH 5.4 73/92] net: hns3: fix VF RSS failed problem after PF enable multi-TCs Greg Kroah-Hartman
2021-11-29 18:18 ` [PATCH 5.4 74/92] net: mscc: ocelot: dont downgrade timestamping RX filters in SIOCSHWTSTAMP Greg Kroah-Hartman
2021-11-29 18:18 ` [PATCH 5.4 75/92] net: mscc: ocelot: correctly report the timestamping RX filters in ethtool Greg Kroah-Hartman
2021-11-29 18:18 ` [PATCH 5.4 76/92] f2fs: set SBI_NEED_FSCK flag when inconsistent node block found Greg Kroah-Hartman
2021-11-29 18:18 ` [PATCH 5.4 77/92] smb3: do not error on fsync when readonly Greg Kroah-Hartman
2021-11-29 18:18 ` [PATCH 5.4 78/92] vhost/vsock: fix incorrect used length reported to the guest Greg Kroah-Hartman
2021-11-29 18:18 ` [PATCH 5.4 79/92] tracing: Check pid filtering when creating events Greg Kroah-Hartman
2021-11-29 18:18 ` [PATCH 5.4 80/92] s390/mm: validate VMA in PGSTE manipulation functions Greg Kroah-Hartman
2021-11-29 18:18 ` [PATCH 5.4 81/92] shm: extend forced shm destroy to support objects from several IPC nses Greg Kroah-Hartman
2021-11-29 18:18 ` [PATCH 5.4 82/92] NFC: add NCI_UNREG flag to eliminate the race Greg Kroah-Hartman
2021-11-29 18:18 ` [PATCH 5.4 83/92] fuse: release pipe buf after last use Greg Kroah-Hartman
2021-11-29 18:18 ` [PATCH 5.4 84/92] xen: sync include/xen/interface/io/ring.h with Xens newest version Greg Kroah-Hartman
2021-11-29 18:18 ` [PATCH 5.4 85/92] xen/blkfront: read response from backend only once Greg Kroah-Hartman
2021-11-29 18:18 ` [PATCH 5.4 86/92] xen/blkfront: dont take local copy of a request from the ring page Greg Kroah-Hartman
2021-11-29 18:18 ` [PATCH 5.4 87/92] xen/blkfront: dont trust the backend response data blindly Greg Kroah-Hartman
2021-11-29 18:18 ` [PATCH 5.4 88/92] xen/netfront: read response from backend only once Greg Kroah-Hartman
2021-11-29 18:18 ` [PATCH 5.4 89/92] xen/netfront: dont read data from request on the ring page Greg Kroah-Hartman
2021-11-29 18:18 ` [PATCH 5.4 90/92] xen/netfront: disentangle tx_skb_freelist Greg Kroah-Hartman
2021-11-29 18:19 ` [PATCH 5.4 91/92] xen/netfront: dont trust the backend response data blindly Greg Kroah-Hartman
2021-11-29 18:19 ` [PATCH 5.4 92/92] tty: hvc: replace BUG_ON() with negative return value Greg Kroah-Hartman
2021-11-30 1:03 ` [PATCH 5.4 00/92] 5.4.163-rc1 review Shuah Khan
2021-11-30 1:23 ` Samuel Zou
2021-11-30 3:44 ` Florian Fainelli
2021-11-30 8:42 ` Jon Hunter
2021-11-30 9:22 ` Naresh Kamboju
2021-11-30 13:37 ` Sudip Mukherjee
2021-11-30 17:41 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20211129181709.783756443@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=petrm@nvidia.com \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
--cc=william.xuanziyang@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).