system/linux
system/linux
1
0
Fork 0
mirror of https://github.com/torvalds/linux synced 2024-09-06 09:51:23 +00:00
Code Issues Packages Projects Releases Wiki Activity
linux/net
History
Xin Long d6ff94afd9 vlan: move dev_put into vlan_dev_uninit 
Shuang Li reported an QinQ issue by simply doing:

  # ip link add dummy0 type dummy
  # ip link add link dummy0 name dummy0.1 type vlan id 1
  # ip link add link dummy0.1 name dummy0.1.2 type vlan id 2
  # rmmod 8021q

 unregister_netdevice: waiting for dummy0.1 to become free. Usage count = 1

When rmmods 8021q, all vlan devs are deleted from their real_dev's vlan grp
and added into list_kill by unregister_vlan_dev(). dummy0.1 is unregistered
before dummy0.1.2, as it's using for_each_netdev() in __rtnl_kill_links().

When unregisters dummy0.1, dummy0.1.2 is not unregistered in the event of
NETDEV_UNREGISTER, as it's been deleted from dummy0.1's vlan grp. However,
due to dummy0.1.2 still holding dummy0.1, dummy0.1 will keep waiting in
netdev_wait_allrefs(), while dummy0.1.2 will never get unregistered and
release dummy0.1, as it delays dev_put until calling dev->priv_destructor,
vlan_dev_free().

This issue was introduced by Commit 563bcbae3b ("net: vlan: fix a UAF in
vlan_dev_real_dev()"), and this patch is to fix it by moving dev_put() into
vlan_dev_uninit(), which is called after NETDEV_UNREGISTER event but before
netdev_wait_allrefs().

Fixes: 563bcbae3b ("net: vlan: fix a UAF in vlan_dev_real_dev()")
Reported-by: Shuang Li <shuali@redhat.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2022-02-09 13:33:39 +00:00
..
6lowpan
9p virtio,vdpa,qemu_fw_cfg: features, cleanups, fixes 2022-01-18 10:05:48 +02:00
802
8021q vlan: move dev_put into vlan_dev_uninit 2022-02-09 13:33:39 +00:00
appletalk
atm proc: remove PDE_DATA() completely 2022-01-22 08:33:37 +02:00
ax25 ax25: fix UAF bugs of net_device caused by rebinding operation 2022-02-09 13:30:07 +00:00
batman-adv Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2022-01-05 14:36:10 -08:00
bluetooth proc: remove PDE_DATA() completely 2022-01-22 08:33:37 +02:00
bpf
bpfilter
bridge Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf 2022-01-27 18:53:02 -08:00
caif Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next 2021-12-31 14:35:40 +00:00
can can: isotp: fix error path in isotp_sendmsg() to unlock wait queue 2022-02-09 08:47:47 +01:00
ceph The highlight is the new mount "device" string syntax implemented 2022-01-20 13:46:20 +02:00
core net, neigh: Do not trigger immediate probes on NUD_FAILED from neigh_managed_work 2022-02-02 20:30:18 -08:00
dcb
dccp
decnet Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next 2021-12-31 14:35:40 +00:00
dns_resolver
dsa net: dsa: fix panic when DSA master device unbinds on shutdown 2022-02-09 13:21:39 +00:00
ethernet
ethtool ethtool: use phydev variable 2022-01-06 12:33:35 +00:00
hsr
ieee802154 net: ieee802154: Return meaningful error codes from the netlink helpers 2022-01-27 08:20:47 +01:00
ife
ipv4 ipmr,ip6mr: acquire RTNL before calling ip[6]mr_free_table() on failure path 2022-02-08 20:49:52 -08:00
ipv6 ipmr,ip6mr: acquire RTNL before calling ip[6]mr_free_table() on failure path 2022-02-08 20:49:52 -08:00
iucv net: Don't include filter.h from net/sock.h 2021-12-29 08:48:14 -08:00
kcm net: Don't include filter.h from net/sock.h 2021-12-29 08:48:14 -08:00
key
l2tp
l3mdev
lapb
llc
mac80211 Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2022-01-05 14:36:10 -08:00
mac802154
mctp mctp: test: zero out sockaddr 2022-01-11 20:26:36 -08:00
mpls
mptcp mptcp: Use struct_group() to avoid cross-field memset() 2022-01-21 19:26:03 -08:00
ncsi all: replace find_next{,_zero}_bit with find_first{,_zero}_bit where appropriate 2022-01-15 08:47:31 -08:00
netfilter netfilter: ctnetlink: disable helper autoassign 2022-02-04 05:39:57 +01:00
netlabel
netlink net: Don't include filter.h from net/sock.h 2021-12-29 08:48:14 -08:00
netrom netrom: fix api breakage in nr_setsockopt() 2022-01-07 14:11:05 +00:00
nfc Networking fixes for 5.17-rc1, including fixes from netfilter, bpf. 2022-01-20 10:57:05 +02:00
nsh
openvswitch Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2022-01-09 17:00:17 -08:00
packet af_packet: fix data-race in packet_setsockopt / packet_setsockopt 2022-02-01 20:21:10 -08:00
phonet phonet/pep: refuse to enable an unbound pipe 2021-12-20 11:49:51 +00:00
psample
qrtr
rds
rfkill
rose net: Don't include filter.h from net/sock.h 2021-12-29 08:48:14 -08:00
rxrpc rxrpc: Adjust retransmission backoff 2022-01-22 02:03:24 +00:00
sched net: sched: fix use-after-free in tc_new_tfilter() 2022-02-01 20:15:58 -08:00
sctp Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2022-01-05 14:36:10 -08:00
smc net/smc: use GFP_ATOMIC allocation in smc_pnet_add_eth() 2022-02-07 12:02:49 +00:00
strparser
sunrpc \n 2022-01-28 17:51:31 +02:00
switchdev
tipc tipc: rate limit warning for received illegal binding update 2022-02-09 12:48:22 +00:00
tls net/tls: Fix another skb memory leak when running kTLS traffic 2022-01-17 13:07:47 +00:00
unix af_unix: annote lockless accesses to unix_tot_inflight & gc_in_progress 2022-01-14 18:31:37 -08:00
vmw_vsock virtio,vdpa,qemu_fw_cfg: features, cleanups, fixes 2022-01-18 10:05:48 +02:00
wireless Kbuild updates for v5.17 2022-01-19 11:15:19 +02:00
x25
xdp Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2022-01-05 14:36:10 -08:00
xfrm xfrm: Don't accidentally set RTO_ONLINK in decode_session4() 2022-01-11 20:36:08 -08:00
compat.c
devres.c
Kconfig
Kconfig.debug
Makefile
socket.c net: fix SOF_TIMESTAMPING_BIND_PHC to work with multiple sockets 2022-01-06 12:18:08 +00:00
sysctl_net.c