From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Shuang Li <shuali@redhat.com>,
Xin Long <lucien.xin@gmail.com>,
"David S. Miller" <davem@davemloft.net>,
Olivier Matz <olivier.matz@6wind.com>
Subject: [PATCH 5.15 26/67] vlan: move dev_put into vlan_dev_uninit
Date: Tue, 5 Dec 2023 12:17:11 +0900
Message-ID: <20231205031521.311405664@linuxfoundation.org>
In-Reply-To: <20231205031519.853779502@linuxfoundation.org>
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xin Long <lucien.xin@gmail.com>
commit d6ff94afd90b0ce8d1715f8ef77d4347d7a7f2c0 upstream.
Shuang Li reported a QinQ issue by simply doing:

  # ip link add dummy0 type dummy
  # ip link add link dummy0 name dummy0.1 type vlan id 1
  # ip link add link dummy0.1 name dummy0.1.2 type vlan id 2
  # rmmod 8021q

 unregister_netdevice: waiting for dummy0.1 to become free. Usage count = 1

When rmmod'ing 8021q, all vlan devs are deleted from their real_dev's vlan grp
and added into list_kill by unregister_vlan_dev(). dummy0.1 is unregistered
before dummy0.1.2, as it's using for_each_netdev() in __rtnl_kill_links().

When unregistering dummy0.1, dummy0.1.2 is not unregistered in the event of
NETDEV_UNREGISTER, as it's been deleted from dummy0.1's vlan grp. However,
due to dummy0.1.2 still holding dummy0.1, dummy0.1 will keep waiting in
netdev_wait_allrefs(), while dummy0.1.2 will never get unregistered and
release dummy0.1, as it delays dev_put until calling dev->priv_destructor,
vlan_dev_free().

This issue was introduced by commit 563bcbae3ba2 ("net: vlan: fix a UAF in
vlan_dev_real_dev()"), and this patch is to fix it by moving dev_put() into
vlan_dev_uninit(), which is called after NETDEV_UNREGISTER event but before
netdev_wait_allrefs().
Fixes: 563bcbae3ba2 ("net: vlan: fix a UAF in vlan_dev_real_dev()")
Reported-by: Shuang Li <shuali@redhat.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Olivier Matz <olivier.matz@6wind.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/8021q/vlan_dev.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
--- a/net/8021q/vlan_dev.c
+++ b/net/8021q/vlan_dev.c
@@ -638,7 +638,12 @@ void vlan_dev_free_egress_priority(const
static void vlan_dev_uninit(struct net_device *dev)
{
+ struct vlan_dev_priv *vlan = vlan_dev_priv(dev);
+
vlan_dev_free_egress_priority(dev);
+
+ /* Get rid of the vlan's reference to real_dev */
+ dev_put(vlan->real_dev);
}
static netdev_features_t vlan_dev_fix_features(struct net_device *dev,
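Review bot: after the new dev_put(vlan->real_dev) at the end of vlan_dev_uninit(), vlan->real_dev still holds the old pointer although this vlan no longer owns a reference to it, and the vlan's private data stays around until vlan_dev_free() runs as priv_destructor. The changelog says 563bcbae3ba2 deferred this put precisely to fix a UAF in vlan_dev_real_dev(), so please state, in the changelog or in the comment above the dev_put(), why nothing can dereference vlan->real_dev between ndo_uninit and priv_destructor; otherwise this trades the refcount hang for the earlier use-after-free window.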
@@ -851,9 +856,6 @@ static void vlan_dev_free(struct net_dev
free_percpu(vlan->vlan_pcpu_stats);
vlan->vlan_pcpu_stats = NULL;
-
- /* Get rid of the vlan's reference to real_dev */
- dev_put(vlan->real_dev);
}
void vlan_setup(struct net_device *dev)
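Review bot: with the dev_put(vlan->real_dev) removed here, vlan_dev_free() no longer balances the reference on real_dev, so the put is only guaranteed if vlan_dev_uninit() has run for every device that took the reference. Please confirm that each path which takes the hold on real_dev also reaches vlan_dev_uninit() on teardown and on error unwinding, and consider a one-line comment in vlan_dev_free() noting that the real_dev reference is dropped in vlan_dev_uninit(), so a later change does not reintroduce a second put or miss one.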