From patchwork Fri Nov 10 00:43:13 2017
X-Patchwork-Submitter: Cong Wang
X-Patchwork-Id: 836574
X-Patchwork-Delegate: davem@davemloft.net
From: Cong Wang
To: netdev@vger.kernel.org
Cc: fengguang.wu@intel.com, Cong Wang, Alexander Duyck, Linus Torvalds, Girish Moodalbail
Subject: [Patch net] vlan: fix a use-after-free in vlan_device_event()
Date: Thu, 9 Nov 2017 16:43:13 -0800
Message-Id: <20171110004313.20662-1-xiyou.wangcong@gmail.com>

After refcnt reaches zero, vlan_vid_del() could free
dev->vlan_info via RCU:

	RCU_INIT_POINTER(dev->vlan_info, NULL);
	call_rcu(&vlan_info->rcu, vlan_info_rcu_free);

However, the pointer 'grp' still points to that memory
since it is set before vlan_vid_del():

	vlan_info = rtnl_dereference(dev->vlan_info);
	if (!vlan_info)
		goto out;
	grp = &vlan_info->grp;

Depending on when that RCU callback is scheduled, we could
trigger a use-after-free in vlan_group_for_each_dev()
right following this vlan_vid_del().

Fix it by moving vlan_vid_del() before setting grp. This
is also symmetric to the vlan_vid_add() we call in
vlan_device_event().

Reported-by: Fengguang Wu
Fixes: efc73f4bbc23 ("net: Fix memory leak - vlan_info struct")
Cc: Alexander Duyck
Cc: Linus Torvalds
Cc: Girish Moodalbail
Signed-off-by: Cong Wang
Reviewed-by: Girish Moodalbail
Tested-by: Fengguang Wu

--- net/8021q/vlan.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/net/8021q/vlan.c b/net/8021q/vlan.c index 9649579b5b9f..4a72ee4e2ae9 100644 --- a/net/8021q/vlan.c +++ b/net/8021q/vlan.c @@ -376,6 +376,9 @@ static int vlan_device_event(struct notifier_block *unused, unsigned long event, dev->name); vlan_vid_add(dev, htons(ETH_P_8021Q), 0); } + if (event == NETDEV_DOWN && + (dev->features & NETIF_F_HW_VLAN_CTAG_FILTER)) + vlan_vid_del(dev, htons(ETH_P_8021Q), 0); vlan_info = rtnl_dereference(dev->vlan_info); if (!vlan_info) 
@@ -423,9 +426,6 @@ static int vlan_device_event(struct notifier_block *unused, unsigned long event, struct net_device *tmp; LIST_HEAD(close_list); - if (dev->features & NETIF_F_HW_VLAN_CTAG_FILTER) - vlan_vid_del(dev, htons(ETH_P_8021Q), 0); - /* Put all VLANs for this dev in the down state too. */ vlan_group_for_each_dev(grp, i, vlandev) { flgs = vlandev->flags;
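
Review bot: in the first hunk (@@ -376,6 +376,9 @@), the new vlan_vid_del(dev, htons(ETH_P_8021Q), 0) call sits ahead of the `if (!vlan_info)` check, so on NETDEV_DOWN it now runs even for a device whose dev->vlan_info is already NULL, a case the old placement after that check never reached. Please state in the commit message that vlan_vid_del() tolerates a NULL dev->vlan_info, or guard the call so it keeps the old precondition.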
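
Review bot: in the second hunk (@@ -423,9 +426,6 @@), nothing left at the removal site above vlan_group_for_each_dev(grp, i, vlandev) records why vlan_vid_del() must not be called there, so a later cleanup could move it back next to the loop and reintroduce the stale grp. Suggest extending the existing "Put all VLANs for this dev in the down state too" comment to say that grp points into dev->vlan_info and that nothing in this block may drop the last reference to it before the loop finishes.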