| Message ID | 5e4fa8717da38025cd353085d5733d1928b11b25.1646989143.git.william.xuanziyang@huawei.com (mailing list archive) |
|---|---|
| State | Accepted |
| Commit | 291ac68478d95cb2b897915da3dc13c6e86d2218 |
| Delegated to: | Netdev Maintainers |
| Headers | show |
| Series | net: macvlan: fix potential UAF problem for lowerdev | expand |
| Context | Check | Description |
|---|---|---|
| netdev/tree_selection | success | Clearly marked for net-next |
| netdev/fixes_present | success | Fixes tag not required for -next series |
| netdev/subject_prefix | success | Link |
| netdev/cover_letter | success | Series has a cover letter |
| netdev/patch_count | success | Link |
| netdev/header_inline | success | No static functions without inline keyword in header files |
| netdev/build_32bit | success | Errors and warnings before: 0 this patch: 0 |
| netdev/cc_maintainers | success | CCed 3 of 3 maintainers |
| netdev/build_clang | success | Errors and warnings before: 0 this patch: 0 |
| netdev/module_param | success | Was 0 now: 0 |
| netdev/verify_signedoff | success | Signed-off-by tag matches author and committer |
| netdev/verify_fixes | success | No Fixes tag |
| netdev/build_allmodconfig_warn | success | Errors and warnings before: 0 this patch: 0 |
| netdev/checkpatch | success | total: 0 errors, 0 warnings, 0 checks, 38 lines checked |
| netdev/kdoc | success | Errors and warnings before: 0 this patch: 0 |
| netdev/source_inline | success | Was 0 now: 0 |
diff --git a/drivers/net/macvlan.c b/drivers/net/macvlan.c index 33753a2fde29..d36af413e372 100644 --- a/drivers/net/macvlan.c +++ b/drivers/net/macvlan.c @@ -889,7 +889,7 @@ static void macvlan_set_lockdep_class(struct net_device *dev) static int macvlan_init(struct net_device *dev) { struct macvlan_dev *vlan = netdev_priv(dev); - const struct net_device *lowerdev = vlan->lowerdev; + struct net_device *lowerdev = vlan->lowerdev; struct macvlan_port *port = vlan->port; dev->state = (dev->state & ~MACVLAN_STATE_MASK) | @@ -911,6 +911,9 @@ static int macvlan_init(struct net_device *dev) port->count += 1; + /* Get macvlan's reference to lowerdev */ + dev_hold(lowerdev); + return 0; } @@ -1173,6 +1176,14 @@ static const struct net_device_ops macvlan_netdev_ops = { .ndo_features_check = passthru_features_check, }; +static void macvlan_dev_free(struct net_device *dev) +{ + struct macvlan_dev *vlan = netdev_priv(dev); + + /* Get rid of the macvlan's reference to lowerdev */ + dev_put(vlan->lowerdev); +} + void macvlan_common_setup(struct net_device *dev) { ether_setup(dev); @@ -1184,6 +1195,7 @@ void macvlan_common_setup(struct net_device *dev) dev->priv_flags |= IFF_UNICAST_FLT | IFF_CHANGE_PROTO_DOWN; dev->netdev_ops = &macvlan_netdev_ops; dev->needs_free_netdev = true; + dev->priv_destructor = macvlan_dev_free; dev->header_ops = &macvlan_hard_header_ops; dev->ethtool_ops = &macvlan_ethtool_ops; }
Add the reference operation to lowerdev of macvlan to avoid the potential UAF problem under the following known scenario: Someone module puts the NETDEV_UNREGISTER event handler to a work, and lowerdev is accessed in the work handler. But when the work is excuted, lowerdev has been destroyed because upper macvlan did not get reference to lowerdev correctly. That likes as the scenario occurred by commit 563bcbae3ba2 ("net: vlan: fix a UAF in vlan_dev_real_dev()"). Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com> --- drivers/net/macvlan.c | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-)