Patchwork [net-next] veth: fix NULL dereference in veth_dellink()

login
register
mail settings
Submitter Eric Dumazet
Date Feb. 9, 2013, 6:10 a.m.
Message ID <1360390249.6696.22.camel@edumazet-glaptop>
Download mbox | patch
Permalink /patch/219368/
State Accepted
Delegated to: David Miller
Headers show

Comments

Eric Dumazet - Feb. 9, 2013, 6:10 a.m.
From: Eric Dumazet <edumazet@google.com>

commit d0e2c55e7c940 (veth: avoid a NULL deref in veth_stats_one)
added another NULL deref in veth_dellink().

# ip link add name veth1 type veth peer name veth0
# rmmod veth

We crash because veth_dellink() is called twice, so we must
take care of NULL peer.

Signed-off-by: Eric Dumazet <edumazet@google.com>
---
 drivers/net/veth.c |   11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)



--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
David Miller - Feb. 11, 2013, 1:43 a.m.
From: Eric Dumazet <erdnetdev@gmail.com>
Date: Fri, 08 Feb 2013 22:10:49 -0800

> From: Eric Dumazet <edumazet@google.com>
> 
> commit d0e2c55e7c940 (veth: avoid a NULL deref in veth_stats_one)
> added another NULL deref in veth_dellink().
> 
> # ip link add name veth1 type veth peer name veth0
> # rmmod veth
> 
> We crash because veth_dellink() is called twice, so we must
> take care of NULL peer.
> 
> Signed-off-by: Eric Dumazet <edumazet@google.com>

Applied, thanks Eric.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Patch

diff --git a/drivers/net/veth.c b/drivers/net/veth.c
index e1da42a..07a4af0 100644
--- a/drivers/net/veth.c
+++ b/drivers/net/veth.c
@@ -426,12 +426,13 @@  static void veth_dellink(struct net_device *dev, struct list_head *head)
 	 * not being freed before one RCU grace period.
 	 */
 	RCU_INIT_POINTER(priv->peer, NULL);
-
-	priv = netdev_priv(peer);
-	RCU_INIT_POINTER(priv->peer, NULL);
-
 	unregister_netdevice_queue(dev, head);
-	unregister_netdevice_queue(peer, head);
+
+	if (peer) {
+		priv = netdev_priv(peer);
+		RCU_INIT_POINTER(priv->peer, NULL);
+		unregister_netdevice_queue(peer, head);
+	}
 }
 
 static const struct nla_policy veth_policy[VETH_INFO_MAX + 1] = {