From patchwork Mon Mar 14 11:12:12 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Ziyang Xuan (William)" X-Patchwork-Id: 12780025 X-Patchwork-Delegate: kuba@kernel.org Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 107A5C433EF for ; Mon, 14 Mar 2022 10:54:34 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S238714AbiCNKzl (ORCPT ); Mon, 14 Mar 2022 06:55:41 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:57486 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S238705AbiCNKzj (ORCPT ); Mon, 14 Mar 2022 06:55:39 -0400 Received: from szxga01-in.huawei.com (szxga01-in.huawei.com [45.249.212.187]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 6B49825E8F; Mon, 14 Mar 2022 03:54:29 -0700 (PDT) Received: from canpemm500006.china.huawei.com (unknown [172.30.72.56]) by szxga01-in.huawei.com (SkyGuard) with ESMTP id 4KHCwC55tlzcb4Q; Mon, 14 Mar 2022 18:49:31 +0800 (CST) Received: from localhost.localdomain (10.175.104.82) by canpemm500006.china.huawei.com (7.192.105.130) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2308.21; Mon, 14 Mar 2022 18:54:27 +0800 From: Ziyang Xuan To: , , CC: , , Subject: [PATCH net-next 1/3] net: ipvlan: fix potential UAF problem for phy_dev Date: Mon, 14 Mar 2022 19:12:12 +0800 Message-ID: <751f88c0846df798a403643cefcaab53922ffe2f.1647255926.git.william.xuanziyang@huawei.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: References: MIME-Version: 1.0 X-Originating-IP: [10.175.104.82] X-ClientProxiedBy: dggems705-chm.china.huawei.com (10.3.19.182) To canpemm500006.china.huawei.com (7.192.105.130) X-CFilter-Loop: Reflected Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org X-Patchwork-Delegate: kuba@kernel.org Add the reference operation to phy_dev of ipvlan to avoid the potential UAF problem under the following known scenario: Someone module puts the NETDEV_UNREGISTER event handler to a work, and phy_dev is accessed in the work handler. But when the work is excuted, phy_dev has been destroyed because upper ipvlan did not get reference to phy_dev correctly. That likes as the scenario occurred by commit 563bcbae3ba2 ("net: vlan: fix a UAF in vlan_dev_real_dev()"). Signed-off-by: Ziyang Xuan --- drivers/net/ipvlan/ipvlan_main.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/drivers/net/ipvlan/ipvlan_main.c b/drivers/net/ipvlan/ipvlan_main.c index 696e245f6d00..dcdc01403f22 100644 --- a/drivers/net/ipvlan/ipvlan_main.c +++ b/drivers/net/ipvlan/ipvlan_main.c @@ -158,6 +158,10 @@ static int ipvlan_init(struct net_device *dev) } port = ipvlan_port_get_rtnl(phy_dev); port->count += 1; + + /* Get ipvlan's reference to phy_dev */ + dev_hold(phy_dev); + return 0; } @@ -665,6 +669,14 @@ void ipvlan_link_delete(struct net_device *dev, struct list_head *head) } EXPORT_SYMBOL_GPL(ipvlan_link_delete); +static void ipvlan_dev_free(struct net_device *dev) +{ + struct ipvl_dev *ipvlan = netdev_priv(dev); + + /* Get rid of the ipvlan's reference to phy_dev */ + dev_put(ipvlan->phy_dev); +} + void ipvlan_link_setup(struct net_device *dev) { ether_setup(dev); @@ -674,6 +686,7 @@ void ipvlan_link_setup(struct net_device *dev) dev->priv_flags |= IFF_UNICAST_FLT | IFF_NO_QUEUE; dev->netdev_ops = &ipvlan_netdev_ops; dev->needs_free_netdev = true; + dev->priv_destructor = ipvlan_dev_free; dev->header_ops = &ipvlan_header_ops; dev->ethtool_ops = &ipvlan_ethtool_ops; } From patchwork Mon Mar 14 11:12:49 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Ziyang Xuan (William)" X-Patchwork-Id: 12780026 X-Patchwork-Delegate: kuba@kernel.org Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 48EF3C433EF for ; Mon, 14 Mar 2022 10:55:11 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S238726AbiCNK4S (ORCPT ); Mon, 14 Mar 2022 06:56:18 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60344 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S238736AbiCNK4Q (ORCPT ); Mon, 14 Mar 2022 06:56:16 -0400 Received: from szxga02-in.huawei.com (szxga02-in.huawei.com [45.249.212.188]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 17AB131217; Mon, 14 Mar 2022 03:55:05 -0700 (PDT) Received: from canpemm500006.china.huawei.com (unknown [172.30.72.55]) by szxga02-in.huawei.com (SkyGuard) with ESMTP id 4KHD0w6jPGzfZ4g; Mon, 14 Mar 2022 18:53:36 +0800 (CST) Received: from localhost.localdomain (10.175.104.82) by canpemm500006.china.huawei.com (7.192.105.130) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2308.21; Mon, 14 Mar 2022 18:55:03 +0800 From: Ziyang Xuan To: , , CC: , , Subject: [PATCH net-next 2/3] net: ipvlan: add net device refcount tracker Date: Mon, 14 Mar 2022 19:12:49 +0800 Message-ID: <93c4e0b3b07f4e8f7c224c7a1b4e09c65e9bea6d.1647255926.git.william.xuanziyang@huawei.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: References: MIME-Version: 1.0 X-Originating-IP: [10.175.104.82] X-ClientProxiedBy: dggems701-chm.china.huawei.com (10.3.19.178) To canpemm500006.china.huawei.com (7.192.105.130) X-CFilter-Loop: Reflected Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org X-Patchwork-Delegate: kuba@kernel.org Add net device refcount tracker to ipvlan. Signed-off-by: Ziyang Xuan --- drivers/net/ipvlan/ipvlan.h | 1 + drivers/net/ipvlan/ipvlan_main.c | 4 ++-- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/drivers/net/ipvlan/ipvlan.h b/drivers/net/ipvlan/ipvlan.h index 3837c897832e..6605199305b7 100644 --- a/drivers/net/ipvlan/ipvlan.h +++ b/drivers/net/ipvlan/ipvlan.h @@ -64,6 +64,7 @@ struct ipvl_dev { struct list_head pnode; struct ipvl_port *port; struct net_device *phy_dev; + netdevice_tracker dev_tracker; struct list_head addrs; struct ipvl_pcpu_stats __percpu *pcpu_stats; DECLARE_BITMAP(mac_filters, IPVLAN_MAC_FILTER_SIZE); diff --git a/drivers/net/ipvlan/ipvlan_main.c b/drivers/net/ipvlan/ipvlan_main.c index dcdc01403f22..be06f122092e 100644 --- a/drivers/net/ipvlan/ipvlan_main.c +++ b/drivers/net/ipvlan/ipvlan_main.c @@ -160,7 +160,7 @@ static int ipvlan_init(struct net_device *dev) port->count += 1; /* Get ipvlan's reference to phy_dev */ - dev_hold(phy_dev); + dev_hold_track(phy_dev, &ipvlan->dev_tracker, GFP_KERNEL); return 0; } @@ -674,7 +674,7 @@ static void ipvlan_dev_free(struct net_device *dev) struct ipvl_dev *ipvlan = netdev_priv(dev); /* Get rid of the ipvlan's reference to phy_dev */ - dev_put(ipvlan->phy_dev); + dev_put_track(ipvlan->phy_dev, &ipvlan->dev_tracker); } void ipvlan_link_setup(struct net_device *dev) From patchwork Mon Mar 14 11:13:25 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Ziyang Xuan (William)" X-Patchwork-Id: 12780027 X-Patchwork-Delegate: kuba@kernel.org Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 5F2F6C433EF for ; Mon, 14 Mar 2022 10:55:45 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234814AbiCNK4x (ORCPT ); Mon, 14 Mar 2022 06:56:53 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:33008 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S238614AbiCNK4v (ORCPT ); Mon, 14 Mar 2022 06:56:51 -0400 Received: from szxga01-in.huawei.com (szxga01-in.huawei.com [45.249.212.187]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 1471443ED9; Mon, 14 Mar 2022 03:55:42 -0700 (PDT) Received: from canpemm500006.china.huawei.com (unknown [172.30.72.57]) by szxga01-in.huawei.com (SkyGuard) with ESMTP id 4KHD1f0mZMzfYvc; Mon, 14 Mar 2022 18:54:14 +0800 (CST) Received: from localhost.localdomain (10.175.104.82) by canpemm500006.china.huawei.com (7.192.105.130) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2308.21; Mon, 14 Mar 2022 18:55:39 +0800 From: Ziyang Xuan To: , , CC: , , Subject: [PATCH net-next 3/3] net: ipvtap: fix error comments Date: Mon, 14 Mar 2022 19:13:25 +0800 Message-ID: <1fdd040200b495add1020f4a0890ce8d87267334.1647255926.git.william.xuanziyang@huawei.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: References: MIME-Version: 1.0 X-Originating-IP: [10.175.104.82] X-ClientProxiedBy: dggems703-chm.china.huawei.com (10.3.19.180) To canpemm500006.china.huawei.com (7.192.105.130) X-CFilter-Loop: Reflected Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org X-Patchwork-Delegate: kuba@kernel.org Use "macvlan" comment inappropriately in ipvtap module. Fix them with "ipvlan" comment. Signed-off-by: Ziyang Xuan --- drivers/net/ipvlan/ipvtap.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/net/ipvlan/ipvtap.c b/drivers/net/ipvlan/ipvtap.c index ef02f2cf5ce1..c130cfb30822 100644 --- a/drivers/net/ipvlan/ipvtap.c +++ b/drivers/net/ipvlan/ipvtap.c @@ -83,7 +83,7 @@ static int ipvtap_newlink(struct net *src_net, struct net_device *dev, INIT_LIST_HEAD(&vlantap->tap.queue_list); - /* Since macvlan supports all offloads by default, make + /* Since ipvlan supports all offloads by default, make * tap support all offloads also. */ vlantap->tap.tap_features = TUN_OFFLOADS; @@ -95,7 +95,7 @@ static int ipvtap_newlink(struct net *src_net, struct net_device *dev, if (err) return err; - /* Don't put anything that may fail after macvlan_common_newlink + /* Don't put anything that may fail after ipvlan_link_new * because we can't undo what it does. */ err = ipvlan_link_new(src_net, dev, tb, data, extack);