From patchwork Fri Mar 18 01:57:47 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Ziyang Xuan (William)" X-Patchwork-Id: 12784745 X-Patchwork-Delegate: kuba@kernel.org Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 0565AC433F5 for ; Fri, 18 Mar 2022 01:40:32 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231557AbiCRBlr (ORCPT ); Thu, 17 Mar 2022 21:41:47 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51580 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229642AbiCRBlq (ORCPT ); Thu, 17 Mar 2022 21:41:46 -0400 Received: from szxga02-in.huawei.com (szxga02-in.huawei.com [45.249.212.188]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 929C51B087C; Thu, 17 Mar 2022 18:40:28 -0700 (PDT) Received: from canpemm500006.china.huawei.com (unknown [172.30.72.54]) by szxga02-in.huawei.com (SkyGuard) with ESMTP id 4KKRVS352nzCqn7; Fri, 18 Mar 2022 09:38:24 +0800 (CST) Received: from localhost.localdomain (10.175.104.82) by canpemm500006.china.huawei.com (7.192.105.130) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2308.21; Fri, 18 Mar 2022 09:40:26 +0800 From: Ziyang Xuan To: , , CC: , , , , Subject: [PATCH net-next v2 1/3] net: ipvlan: fix potential UAF problem for phy_dev Date: Fri, 18 Mar 2022 09:57:47 +0800 Message-ID: <83116bde1ddf39420e24466684c9488bff46f43c.1647568181.git.william.xuanziyang@huawei.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: References: MIME-Version: 1.0 X-Originating-IP: [10.175.104.82] X-ClientProxiedBy: dggems701-chm.china.huawei.com (10.3.19.178) To canpemm500006.china.huawei.com (7.192.105.130) X-CFilter-Loop: Reflected Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org X-Patchwork-Delegate: kuba@kernel.org Add the reference operation to phy_dev of ipvlan to avoid the potential UAF problem under the following known scenario: Someone module puts the NETDEV_UNREGISTER event handler to a work, and phy_dev is accessed in the work handler. But when the work is excuted, phy_dev has been destroyed because upper ipvlan did not get reference to phy_dev correctly. That likes as the scenario occurred by commit 563bcbae3ba2 ("net: vlan: fix a UAF in vlan_dev_real_dev()"). Fixes: 2ad7bf363841 ("ipvlan: Initial check-in of the IPVLAN driver.") Signed-off-by: Ziyang Xuan --- drivers/net/ipvlan/ipvlan_main.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/drivers/net/ipvlan/ipvlan_main.c b/drivers/net/ipvlan/ipvlan_main.c index 696e245f6d00..dcdc01403f22 100644 --- a/drivers/net/ipvlan/ipvlan_main.c +++ b/drivers/net/ipvlan/ipvlan_main.c @@ -158,6 +158,10 @@ static int ipvlan_init(struct net_device *dev) } port = ipvlan_port_get_rtnl(phy_dev); port->count += 1; + + /* Get ipvlan's reference to phy_dev */ + dev_hold(phy_dev); + return 0; } @@ -665,6 +669,14 @@ void ipvlan_link_delete(struct net_device *dev, struct list_head *head) } EXPORT_SYMBOL_GPL(ipvlan_link_delete); +static void ipvlan_dev_free(struct net_device *dev) +{ + struct ipvl_dev *ipvlan = netdev_priv(dev); + + /* Get rid of the ipvlan's reference to phy_dev */ + dev_put(ipvlan->phy_dev); +} + void ipvlan_link_setup(struct net_device *dev) { ether_setup(dev); @@ -674,6 +686,7 @@ void ipvlan_link_setup(struct net_device *dev) dev->priv_flags |= IFF_UNICAST_FLT | IFF_NO_QUEUE; dev->netdev_ops = &ipvlan_netdev_ops; dev->needs_free_netdev = true; + dev->priv_destructor = ipvlan_dev_free; dev->header_ops = &ipvlan_header_ops; dev->ethtool_ops = &ipvlan_ethtool_ops; } From patchwork Fri Mar 18 01:59:13 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Ziyang Xuan (William)" X-Patchwork-Id: 12784746 X-Patchwork-Delegate: kuba@kernel.org Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 5A8C0C433EF for ; Fri, 18 Mar 2022 01:41:36 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231591AbiCRBmv (ORCPT ); Thu, 17 Mar 2022 21:42:51 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:55350 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231575AbiCRBmt (ORCPT ); Thu, 17 Mar 2022 21:42:49 -0400 Received: from szxga01-in.huawei.com (szxga01-in.huawei.com [45.249.212.187]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 1A90C2EE962; Thu, 17 Mar 2022 18:41:31 -0700 (PDT) Received: from canpemm500006.china.huawei.com (unknown [172.30.72.53]) by szxga01-in.huawei.com (SkyGuard) with ESMTP id 4KKRZ02Y1Yzcb3x; Fri, 18 Mar 2022 09:41:28 +0800 (CST) Received: from localhost.localdomain (10.175.104.82) by canpemm500006.china.huawei.com (7.192.105.130) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2308.21; Fri, 18 Mar 2022 09:41:29 +0800 From: Ziyang Xuan To: , , CC: , , , , Subject: [PATCH net-next v2 2/3] net: ipvlan: add net device refcount tracker Date: Fri, 18 Mar 2022 09:59:13 +0800 Message-ID: X-Mailer: git-send-email 2.25.1 In-Reply-To: References: MIME-Version: 1.0 X-Originating-IP: [10.175.104.82] X-ClientProxiedBy: dggems705-chm.china.huawei.com (10.3.19.182) To canpemm500006.china.huawei.com (7.192.105.130) X-CFilter-Loop: Reflected Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org X-Patchwork-Delegate: kuba@kernel.org Add net device refcount tracker to ipvlan. Signed-off-by: Ziyang Xuan --- drivers/net/ipvlan/ipvlan.h | 1 + drivers/net/ipvlan/ipvlan_main.c | 4 ++-- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/drivers/net/ipvlan/ipvlan.h b/drivers/net/ipvlan/ipvlan.h index 3837c897832e..6605199305b7 100644 --- a/drivers/net/ipvlan/ipvlan.h +++ b/drivers/net/ipvlan/ipvlan.h @@ -64,6 +64,7 @@ struct ipvl_dev { struct list_head pnode; struct ipvl_port *port; struct net_device *phy_dev; + netdevice_tracker dev_tracker; struct list_head addrs; struct ipvl_pcpu_stats __percpu *pcpu_stats; DECLARE_BITMAP(mac_filters, IPVLAN_MAC_FILTER_SIZE); diff --git a/drivers/net/ipvlan/ipvlan_main.c b/drivers/net/ipvlan/ipvlan_main.c index dcdc01403f22..be06f122092e 100644 --- a/drivers/net/ipvlan/ipvlan_main.c +++ b/drivers/net/ipvlan/ipvlan_main.c @@ -160,7 +160,7 @@ static int ipvlan_init(struct net_device *dev) port->count += 1; /* Get ipvlan's reference to phy_dev */ - dev_hold(phy_dev); + dev_hold_track(phy_dev, &ipvlan->dev_tracker, GFP_KERNEL); return 0; } @@ -674,7 +674,7 @@ static void ipvlan_dev_free(struct net_device *dev) struct ipvl_dev *ipvlan = netdev_priv(dev); /* Get rid of the ipvlan's reference to phy_dev */ - dev_put(ipvlan->phy_dev); + dev_put_track(ipvlan->phy_dev, &ipvlan->dev_tracker); } void ipvlan_link_setup(struct net_device *dev) From patchwork Fri Mar 18 01:59:52 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Ziyang Xuan (William)" X-Patchwork-Id: 12784747 X-Patchwork-Delegate: kuba@kernel.org Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 4A7B9C433F5 for ; Fri, 18 Mar 2022 01:42:13 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231573AbiCRBn3 (ORCPT ); Thu, 17 Mar 2022 21:43:29 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:56088 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230512AbiCRBn2 (ORCPT ); Thu, 17 Mar 2022 21:43:28 -0400 Received: from szxga08-in.huawei.com (szxga08-in.huawei.com [45.249.212.255]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 1F6C42EE962; Thu, 17 Mar 2022 18:42:11 -0700 (PDT) Received: from canpemm500006.china.huawei.com (unknown [172.30.72.54]) by szxga08-in.huawei.com (SkyGuard) with ESMTP id 4KKRZl6dZ2z1GCQ9; Fri, 18 Mar 2022 09:42:07 +0800 (CST) Received: from localhost.localdomain (10.175.104.82) by canpemm500006.china.huawei.com (7.192.105.130) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2308.21; Fri, 18 Mar 2022 09:42:08 +0800 From: Ziyang Xuan To: , , CC: , , , , Subject: [PATCH net-next v2 3/3] net: ipvtap: fix error comments Date: Fri, 18 Mar 2022 09:59:52 +0800 Message-ID: <4187107e37a18da54369f5fe867ece77e29fc3bb.1647568181.git.william.xuanziyang@huawei.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: References: MIME-Version: 1.0 X-Originating-IP: [10.175.104.82] X-ClientProxiedBy: dggems701-chm.china.huawei.com (10.3.19.178) To canpemm500006.china.huawei.com (7.192.105.130) X-CFilter-Loop: Reflected Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org X-Patchwork-Delegate: kuba@kernel.org Use "macvlan" comment inappropriately in ipvtap module. Fix them with "ipvlan" comment. Fixes: 235a9d89da97 ("ipvtap: IP-VLAN based tap driver") Signed-off-by: Ziyang Xuan --- drivers/net/ipvlan/ipvtap.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/net/ipvlan/ipvtap.c b/drivers/net/ipvlan/ipvtap.c index ef02f2cf5ce1..c130cfb30822 100644 --- a/drivers/net/ipvlan/ipvtap.c +++ b/drivers/net/ipvlan/ipvtap.c @@ -83,7 +83,7 @@ static int ipvtap_newlink(struct net *src_net, struct net_device *dev, INIT_LIST_HEAD(&vlantap->tap.queue_list); - /* Since macvlan supports all offloads by default, make + /* Since ipvlan supports all offloads by default, make * tap support all offloads also. */ vlantap->tap.tap_features = TUN_OFFLOADS; @@ -95,7 +95,7 @@ static int ipvtap_newlink(struct net *src_net, struct net_device *dev, if (err) return err; - /* Don't put anything that may fail after macvlan_common_newlink + /* Don't put anything that may fail after ipvlan_link_new * because we can't undo what it does. */ err = ipvlan_link_new(src_net, dev, tb, data, extack);