* [PATCH linux-3.10.y] ip6tnl: fix use after free of fb_tnl_dev
[not found] <20131212.153545.1184197791301496227.davem@davemloft.net>
@ 2013-12-13 9:06 ` Nicolas Dichtel
2013-12-17 19:40 ` David Miller
0 siblings, 1 reply; 5+ messages in thread
From: Nicolas Dichtel @ 2013-12-13 9:06 UTC (permalink / raw)
To: netdev, davem
Cc: gregkh, rostedt, linux-kernel, stable, williams, linux-rt-users,
lclaudio, Nicolas Dichtel
The upstream commit bb8140947a24 ("ip6tnl: allow to use rtnl ops on fb tunnel")
(backported into linux-3.10.y) left a bug which was fixed upstream by commit
1e9f3d6f1c40 ("ip6tnl: fix use after free of fb_tnl_dev").
The problem is a bit different in linux-3.10.y, because there is no x-netns
support (upstream commit 0bd8762824e7 ("ip6tnl: add x-netns support")).
When ip6_tunnel.ko is unloaded, FB device is deleted by rtnl_link_unregister()
and then we try to delete it again in ip6_tnl_destroy_tunnels().
This patch removes the second deletion.
Reported-by: Steven Rostedt <rostedt@goodmis.org>
Suggested-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
---
net/ipv6/ip6_tunnel.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c
index 0516ebbea80b..209bb4d6e188 100644
--- a/net/ipv6/ip6_tunnel.c
+++ b/net/ipv6/ip6_tunnel.c
@@ -1711,8 +1711,6 @@ static void __net_exit ip6_tnl_destroy_tunnels(struct ip6_tnl_net *ip6n)
}
}
- t = rtnl_dereference(ip6n->tnls_wc[0]);
- unregister_netdevice_queue(t->dev, &list);
unregister_netdevice_many(&list);
}
--
1.8.4.1
^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [PATCH linux-3.10.y] ip6tnl: fix use after free of fb_tnl_dev
2013-12-13 9:06 ` [PATCH linux-3.10.y] ip6tnl: fix use after free of fb_tnl_dev Nicolas Dichtel
@ 2013-12-17 19:40 ` David Miller
2013-12-17 19:54 ` Greg KH
2013-12-19 10:07 ` Luis Henriques
0 siblings, 2 replies; 5+ messages in thread
From: David Miller @ 2013-12-17 19:40 UTC (permalink / raw)
To: nicolas.dichtel
Cc: netdev, gregkh, rostedt, linux-kernel, stable, williams,
linux-rt-users, lclaudio
From: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Date: Fri, 13 Dec 2013 10:06:35 +0100
> The upstream commit bb8140947a24 ("ip6tnl: allow to use rtnl ops on fb tunnel")
> (backported into linux-3.10.y) left a bug which was fixed upstream by commit
> 1e9f3d6f1c40 ("ip6tnl: fix use after free of fb_tnl_dev").
>
> The problem is a bit different in linux-3.10.y, because there is no x-netns
> support (upstream commit 0bd8762824e7 ("ip6tnl: add x-netns support")).
> When ip6_tunnel.ko is unloaded, FB device is deleted by rtnl_link_unregister()
> and then we try to delete it again in ip6_tnl_destroy_tunnels().
>
> This patch removes the second deletion.
>
> Reported-by: Steven Rostedt <rostedt@goodmis.org>
> Suggested-by: Steven Rostedt <rostedt@goodmis.org>
> Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Greg please queue this up for 3.10 -stable if you haven't already.
Thanks a lot.
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH linux-3.10.y] ip6tnl: fix use after free of fb_tnl_dev
2013-12-17 19:40 ` David Miller
@ 2013-12-17 19:54 ` Greg KH
2013-12-19 10:07 ` Luis Henriques
1 sibling, 0 replies; 5+ messages in thread
From: Greg KH @ 2013-12-17 19:54 UTC (permalink / raw)
To: David Miller
Cc: nicolas.dichtel, netdev, rostedt, linux-kernel, stable, williams,
linux-rt-users, lclaudio
On Tue, Dec 17, 2013 at 02:40:02PM -0500, David Miller wrote:
> From: Nicolas Dichtel <nicolas.dichtel@6wind.com>
> Date: Fri, 13 Dec 2013 10:06:35 +0100
>
> > The upstream commit bb8140947a24 ("ip6tnl: allow to use rtnl ops on fb tunnel")
> > (backported into linux-3.10.y) left a bug which was fixed upstream by commit
> > 1e9f3d6f1c40 ("ip6tnl: fix use after free of fb_tnl_dev").
> >
> > The problem is a bit different in linux-3.10.y, because there is no x-netns
> > support (upstream commit 0bd8762824e7 ("ip6tnl: add x-netns support")).
> > When ip6_tunnel.ko is unloaded, FB device is deleted by rtnl_link_unregister()
> > and then we try to delete it again in ip6_tnl_destroy_tunnels().
> >
> > This patch removes the second deletion.
> >
> > Reported-by: Steven Rostedt <rostedt@goodmis.org>
> > Suggested-by: Steven Rostedt <rostedt@goodmis.org>
> > Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
>
> Greg please queue this up for 3.10 -stable if you haven't already.
Thanks, will do.
greg k-h
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH linux-3.10.y] ip6tnl: fix use after free of fb_tnl_dev
2013-12-17 19:40 ` David Miller
2013-12-17 19:54 ` Greg KH
@ 2013-12-19 10:07 ` Luis Henriques
2013-12-19 10:23 ` Nicolas Dichtel
1 sibling, 1 reply; 5+ messages in thread
From: Luis Henriques @ 2013-12-19 10:07 UTC (permalink / raw)
To: David Miller
Cc: nicolas.dichtel, netdev, gregkh, rostedt, linux-kernel, stable,
williams, linux-rt-users, lclaudio
On Tue, Dec 17, 2013 at 02:40:02PM -0500, David Miller wrote:
> From: Nicolas Dichtel <nicolas.dichtel@6wind.com>
> Date: Fri, 13 Dec 2013 10:06:35 +0100
>
> > The upstream commit bb8140947a24 ("ip6tnl: allow to use rtnl ops on fb tunnel")
> > (backported into linux-3.10.y) left a bug which was fixed upstream by commit
> > 1e9f3d6f1c40 ("ip6tnl: fix use after free of fb_tnl_dev").
> >
> > The problem is a bit different in linux-3.10.y, because there is no x-netns
> > support (upstream commit 0bd8762824e7 ("ip6tnl: add x-netns support")).
> > When ip6_tunnel.ko is unloaded, FB device is deleted by rtnl_link_unregister()
> > and then we try to delete it again in ip6_tnl_destroy_tunnels().
> >
> > This patch removes the second deletion.
> >
> > Reported-by: Steven Rostedt <rostedt@goodmis.org>
> > Suggested-by: Steven Rostedt <rostedt@goodmis.org>
> > Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
>
> Greg please queue this up for 3.10 -stable if you haven't already.
As I'm picking the networking patches into the 3.11 kernel as well, I
believe this fix is also applicable. I'm queuing it for the 3.11 kernel.
Cheers,
--
Luis
>
> Thanks a lot.
> --
> To unsubscribe from this list: send the line "unsubscribe stable" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH linux-3.10.y] ip6tnl: fix use after free of fb_tnl_dev
2013-12-19 10:07 ` Luis Henriques
@ 2013-12-19 10:23 ` Nicolas Dichtel
0 siblings, 0 replies; 5+ messages in thread
From: Nicolas Dichtel @ 2013-12-19 10:23 UTC (permalink / raw)
To: Luis Henriques, David Miller
Cc: netdev, gregkh, rostedt, linux-kernel, stable, williams,
linux-rt-users, lclaudio
Le 19/12/2013 11:07, Luis Henriques a écrit :
> On Tue, Dec 17, 2013 at 02:40:02PM -0500, David Miller wrote:
>> From: Nicolas Dichtel <nicolas.dichtel@6wind.com>
>> Date: Fri, 13 Dec 2013 10:06:35 +0100
>>
>>> The upstream commit bb8140947a24 ("ip6tnl: allow to use rtnl ops on fb tunnel")
>>> (backported into linux-3.10.y) left a bug which was fixed upstream by commit
>>> 1e9f3d6f1c40 ("ip6tnl: fix use after free of fb_tnl_dev").
>>>
>>> The problem is a bit different in linux-3.10.y, because there is no x-netns
>>> support (upstream commit 0bd8762824e7 ("ip6tnl: add x-netns support")).
>>> When ip6_tunnel.ko is unloaded, FB device is deleted by rtnl_link_unregister()
>>> and then we try to delete it again in ip6_tnl_destroy_tunnels().
>>>
>>> This patch removes the second deletion.
>>>
>>> Reported-by: Steven Rostedt <rostedt@goodmis.org>
>>> Suggested-by: Steven Rostedt <rostedt@goodmis.org>
>>> Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
>>
>> Greg please queue this up for 3.10 -stable if you haven't already.
>
> As I'm picking the networking patches into the 3.11 kernel as well, I
> believe this fix is also applicable. I'm queuing it for the 3.11 kernel.
Yes, I agree.
Regards,
Nicolas
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2013-12-19 10:23 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
[not found] <20131212.153545.1184197791301496227.davem@davemloft.net>
2013-12-13 9:06 ` [PATCH linux-3.10.y] ip6tnl: fix use after free of fb_tnl_dev Nicolas Dichtel
2013-12-17 19:40 ` David Miller
2013-12-17 19:54 ` Greg KH
2013-12-19 10:07 ` Luis Henriques
2013-12-19 10:23 ` Nicolas Dichtel
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).