LKML Archive on lore.kernel.org
help / color / mirror / Atom feed
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Fengguang Wu <fengguang.wu@intel.com>,
Alexander Duyck <alexander.duyck@gmail.com>,
Linus Torvalds <torvalds@linux-foundation.org>,
Girish Moodalbail <girish.moodalbail@oracle.com>,
Cong Wang <xiyou.wangcong@gmail.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 3.18 08/12] vlan: fix a use-after-free in vlan_device_event()
Date: Wed, 22 Nov 2017 11:11:51 +0100 [thread overview]
Message-ID: <20171122101057.442837605@linuxfoundation.org> (raw)
In-Reply-To: <20171122101056.996363808@linuxfoundation.org>
3.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cong Wang <xiyou.wangcong@gmail.com>
[ Upstream commit 052d41c01b3a2e3371d66de569717353af489d63 ]
After refcnt reaches zero, vlan_vid_del() could free
dev->vlan_info via RCU:
RCU_INIT_POINTER(dev->vlan_info, NULL);
call_rcu(&vlan_info->rcu, vlan_info_rcu_free);
However, the pointer 'grp' still points to that memory
since it is set before vlan_vid_del():
vlan_info = rtnl_dereference(dev->vlan_info);
if (!vlan_info)
goto out;
grp = &vlan_info->grp;
Depends on when that RCU callback is scheduled, we could
trigger a use-after-free in vlan_group_for_each_dev()
right following this vlan_vid_del().
Fix it by moving vlan_vid_del() before setting grp. This
is also symmetric to the vlan_vid_add() we call in
vlan_device_event().
Reported-by: Fengguang Wu <fengguang.wu@intel.com>
Fixes: efc73f4bbc23 ("net: Fix memory leak - vlan_info struct")
Cc: Alexander Duyck <alexander.duyck@gmail.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Girish Moodalbail <girish.moodalbail@oracle.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Reviewed-by: Girish Moodalbail <girish.moodalbail@oracle.com>
Tested-by: Fengguang Wu <fengguang.wu@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/8021q/vlan.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/net/8021q/vlan.c
+++ b/net/8021q/vlan.c
@@ -376,6 +376,9 @@ static int vlan_device_event(struct noti
dev->name);
vlan_vid_add(dev, htons(ETH_P_8021Q), 0);
}
+ if (event == NETDEV_DOWN &&
+ (dev->features & NETIF_F_HW_VLAN_CTAG_FILTER))
+ vlan_vid_del(dev, htons(ETH_P_8021Q), 0);
vlan_info = rtnl_dereference(dev->vlan_info);
if (!vlan_info)
@@ -420,9 +423,6 @@ static int vlan_device_event(struct noti
break;
case NETDEV_DOWN:
- if (dev->features & NETIF_F_HW_VLAN_CTAG_FILTER)
- vlan_vid_del(dev, htons(ETH_P_8021Q), 0);
-
/* Put all VLANs for this dev in the down state too. */
vlan_group_for_each_dev(grp, i, vlandev) {
flgs = vlandev->flags;
next prev parent reply other threads:[~2017-11-22 10:12 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-11-22 10:11 [PATCH 3.18 00/12] 3.18.84-stable review Greg Kroah-Hartman
2017-11-22 10:11 ` [PATCH 3.18 01/12] ipv6/dccp: do not inherit ipv6_mc_list from parent Greg Kroah-Hartman
2017-11-22 10:11 ` [PATCH 3.18 02/12] net/sctp: Always set scope_id in sctp_inet6_skb_msgname Greg Kroah-Hartman
2017-11-22 10:11 ` [PATCH 3.18 03/12] tcp: do not mangle skb->cb[] in tcp_make_synack() Greg Kroah-Hartman
2017-11-22 10:11 ` [PATCH 3.18 04/12] netfilter/ipvs: clear ipvs_property flag when SKB net namespace changed Greg Kroah-Hartman
2017-11-22 10:11 ` [PATCH 3.18 05/12] sctp: do not peel off an assoc from one netns to another one Greg Kroah-Hartman
2017-11-22 10:11 ` [PATCH 3.18 06/12] fealnx: Fix building error on MIPS Greg Kroah-Hartman
2017-11-22 10:11 ` [PATCH 3.18 07/12] af_netlink: ensure that NLMSG_DONE never fails in dumps Greg Kroah-Hartman
2017-11-22 10:11 ` Greg Kroah-Hartman [this message]
2017-11-22 10:11 ` [PATCH 3.18 09/12] ima: do not update security.ima if appraisal status is not INTEGRITY_PASS Greg Kroah-Hartman
2017-11-22 10:11 ` [PATCH 3.18 10/12] ocfs2: should wait dio before inode lock in ocfs2_setattr() Greg Kroah-Hartman
2017-11-22 10:11 ` [PATCH 3.18 11/12] ipmi: fix unsigned long underflow Greg Kroah-Hartman
2017-11-22 10:11 ` [PATCH 3.18 12/12] coda: fix kernel memory exposure attempt in fsync Greg Kroah-Hartman
[not found] ` <5a158394.8dd71c0a.b55f.a18c@mx.google.com>
2017-11-22 14:57 ` [PATCH 3.18 00/12] 3.18.84-stable review Greg Kroah-Hartman
[not found] ` <7hvai1zxg0.fsf@baylibre.com>
2017-11-23 7:29 ` Greg Kroah-Hartman
2017-11-22 21:32 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20171122101057.442837605@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=alexander.duyck@gmail.com \
--cc=davem@davemloft.net \
--cc=fengguang.wu@intel.com \
--cc=girish.moodalbail@oracle.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=torvalds@linux-foundation.org \
--cc=xiyou.wangcong@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).