From: Greg Kroah-Hartman
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman, patches@lists.linux.dev, lianhui tang, Jakub Kicinski, "David S. Miller"
Subject: [PATCH 5.10 42/57] net: mpls: fix stale pointer if allocation fails during device rename
Date: Mon, 20 Feb 2023 14:36:50 +0100
Message-Id: <20230220133550.832344847@linuxfoundation.org>
X-Mailer: git-send-email 2.39.2
In-Reply-To: <20230220133549.360169435@linuxfoundation.org>
References: <20230220133549.360169435@linuxfoundation.org>
User-Agent: quilt/0.67
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID:
X-Mailing-List: stable@vger.kernel.org

From: Jakub Kicinski

commit fda6c89fe3d9aca073495a664e1d5aea28cd4377 upstream.

lianhui reports that when MPLS fails to register the sysctl table under new location (during device rename) the old pointers won't get overwritten and may be freed again (double free).

Handle this gracefully. The best option would be unregistering the MPLS from the device completely on failure, but unfortunately mpls_ifdown() can fail. So failing fully is also unreliable.

Another option is to register the new table first then only remove old one if the new one succeeds. That requires more code, changes order of notifications and two tables may be visible at the same time.

sysctl point is not used in the rest of the code - set to NULL on failures and skip unregister if already NULL.

Reported-by: lianhui tang
Fixes: 0fae3bf018d9 ("mpls: handle device renames for per-device sysctls")
Signed-off-by: Jakub Kicinski
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
--- net/mpls/af_mpls.c | 4 ++++ 1 file changed, 4 insertions(+) --- a/net/mpls/af_mpls.c +++ b/net/mpls/af_mpls.c @@ -1427,6 +1427,7 @@ static int mpls_dev_sysctl_register(stru free: kfree(table); out: + mdev->sysctl = NULL; return -ENOBUFS; }
@@ -1436,6 +1437,9 @@ static void mpls_dev_sysctl_unregister(s struct net *net = dev_net(dev); struct ctl_table *table; + if (!mdev->sysctl) + return; + table = mdev->sysctl->ctl_table_arg; unregister_net_sysctl_table(mdev->sysctl); kfree(table);
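Review bot: The new `mdev->sysctl = NULL;` under `out:` in mpls_dev_sysctl_register() has no comment, and from the function alone it is not obvious why a failed register must write the field at all. Since `free:` falls through to `out:`, both failure paths now clear the pointer, which is the intended effect; a one-line comment there saying that the field may still hold the header from a previous registration (the rename case from the commit message) and must not be left pointing at it would keep a later cleanup from removing the assignment as redundant. The function still returns -ENOBUFS, so it is also worth stating in that comment that the device is left without a sysctl table on this path.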
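Review bot: In mpls_dev_sysctl_unregister(), the `if (!mdev->sysctl) return;` guard only protects against a pointer that was already set to NULL by the register failure path; the visible context ends at `kfree(table);` without showing `mdev->sysctl` being cleared after `unregister_net_sysctl_table(mdev->sysctl)`. If nothing past the visible lines resets it, a second call to this function would pass the guard with a stale pointer and free the table again. Consider adding `mdev->sysctl = NULL;` after `kfree(table);` so the guard covers repeated unregister calls as well, and check that the early return does not skip any work later in the function that should still run when no table is registered.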