From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id C8512C4167D for ; Tue, 23 Nov 2021 09:01:33 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235136AbhKWJEh (ORCPT ); Tue, 23 Nov 2021 04:04:37 -0500 Received: from szxga02-in.huawei.com ([45.249.212.188]:27282 "EHLO szxga02-in.huawei.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S236384AbhKWJEN (ORCPT ); Tue, 23 Nov 2021 04:04:13 -0500 Received: from dggeml757-chm.china.huawei.com (unknown [172.30.72.54]) by szxga02-in.huawei.com (SkyGuard) with ESMTP id 4HyyfW5hs6zcfV6; Tue, 23 Nov 2021 16:56:03 +0800 (CST) Received: from [10.174.179.200] (10.174.179.200) by dggeml757-chm.china.huawei.com (10.1.199.137) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.2308.20; Tue, 23 Nov 2021 17:01:03 +0800 Subject: Re: [PATCH net v2] net: vlan: fix a UAF in vlan_dev_real_dev() To: Petr Machata CC: Jakub Kicinski , , , , References: <20211102021218.955277-1-william.xuanziyang@huawei.com> <87k0h9bb9x.fsf@nvidia.com> <20211115094940.138d86dc@kicinski-fedora-pc1c0hjn.dhcp.thefacebook.com> <87a6i3t2zg.fsf@nvidia.com> <7f7cbbec-8c4e-a2dc-787b-570d1049a6b4@huawei.com> <20211118061735.5357f739@kicinski-fedora-pc1c0hjn.dhcp.thefacebook.com> <8735nstq62.fsf@nvidia.com> From: "Ziyang Xuan (William)" Message-ID: Date: Tue, 23 Nov 2021 17:01:02 +0800 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.11.0 MIME-Version: 1.0 In-Reply-To: <8735nstq62.fsf@nvidia.com> Content-Type: text/plain; charset="gbk" Content-Language: en-US Content-Transfer-Encoding: 7bit X-Originating-IP: [10.174.179.200] X-ClientProxiedBy: dggems706-chm.china.huawei.com (10.3.19.183) To dggeml757-chm.china.huawei.com (10.1.199.137) X-CFilter-Loop: Reflected Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org > > Ziyang Xuan (William) writes: > >> I need some time to test my some ideas. And anyone has good ideas, please >> do not be stingy. > > Jakub Kicinski writes: > >> I think we should move the dev_hold() to ndo_init(), otherwise it's >> hard to reason if destructor was invoked or not if >> register_netdevice() errors out. > > That makes sense to me. We always put real_dev in the destructor, so we > should always hold it in the constructor... Inject error before dev_hold(real_dev) in register_vlan_dev(), and execute the following testcase: ip link add dev dummy1 type dummy ip link add name dummy1.100 link dummy1 type vlan id 100 // failed for error injection ip link del dev dummy1 Make the problem repro. The problem is solved using the following fix according to the Jakub's suggestion: diff --git a/net/8021q/vlan.c b/net/8021q/vlan.c index a3a0a5e994f5..abaa5d96ded2 100644 --- a/net/8021q/vlan.c +++ b/net/8021q/vlan.c @@ -184,9 +184,6 @@ int register_vlan_dev(struct net_device *dev, struct netlink_ext_ack *extack) if (err) goto out_unregister_netdev; - /* Account for reference in struct vlan_dev_priv */ - dev_hold(real_dev); - vlan_stacked_transfer_operstate(real_dev, dev, vlan); linkwatch_fire_event(dev); /* _MUST_ call rfc2863_policy() */ diff --git a/net/8021q/vlan_dev.c b/net/8021q/vlan_dev.c index ab6dee28536d..a54535cbcf4c 100644 --- a/net/8021q/vlan_dev.c +++ b/net/8021q/vlan_dev.c @@ -615,6 +615,9 @@ static int vlan_dev_init(struct net_device *dev) if (!vlan->vlan_pcpu_stats) return -ENOMEM; + /* Get vlan's reference to real_dev */ + dev_hold(real_dev); If there is not any other idea and objection, I will send the fix patch later. Thank you!