linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Joe Ghalam <Joe.Ghalam@dell.com>,
	Herbert Xu <herbert@gondor.apana.org.au>,
	"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 4.4 32/43] macvlan: Fix device ref leak when purging bc_queue
Date: Mon,  1 May 2017 14:27:32 -0700	[thread overview]
Message-ID: <20170501212600.830206523@linuxfoundation.org> (raw)
In-Reply-To: <20170501212559.546911128@linuxfoundation.org>

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Herbert Xu <herbert@gondor.apana.org.au>


[ Upstream commit f6478218e6edc2a587b8f132f66373baa7b2497c ]

When a parent macvlan device is destroyed we end up purging its
broadcast queue without dropping the device reference count on
the packet source device.  This causes the source device to linger.

This patch drops that reference count.

Fixes: 260916dfb48c ("macvlan: Fix potential use-after free for...")
Reported-by: Joe Ghalam <Joe.Ghalam@dell.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/macvlan.c |   11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

--- a/drivers/net/macvlan.c
+++ b/drivers/net/macvlan.c
@@ -1110,6 +1110,7 @@ static int macvlan_port_create(struct ne
 static void macvlan_port_destroy(struct net_device *dev)
 {
 	struct macvlan_port *port = macvlan_port_get_rtnl(dev);
+	struct sk_buff *skb;
 
 	dev->priv_flags &= ~IFF_MACVLAN_PORT;
 	netdev_rx_handler_unregister(dev);
@@ -1118,7 +1119,15 @@ static void macvlan_port_destroy(struct
 	 * but we need to cancel it and purge left skbs if any.
 	 */
 	cancel_work_sync(&port->bc_work);
-	__skb_queue_purge(&port->bc_queue);
+
+	while ((skb = __skb_dequeue(&port->bc_queue))) {
+		const struct macvlan_dev *src = MACVLAN_SKB_CB(skb)->src;
+
+		if (src)
+			dev_put(src->dev);
+
+		kfree_skb(skb);
+	}
 
 	kfree_rcu(port, rcu);
 }

next prev parent reply	other threads:[~2017-05-01 21:28 UTC|newest]

Thread overview: 45+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-05-01 21:27 [PATCH 4.4 00/43] 4.4.66-stable review Greg Kroah-Hartman
2017-05-01 21:27 ` [PATCH 4.4 01/43] f2fs: do more integrity verification for superblock Greg Kroah-Hartman
2017-05-01 21:27 ` [PATCH 4.4 02/43] [media] xc2028: unlock on error in xc2028_set_config() Greg Kroah-Hartman
2017-05-01 21:27 ` [PATCH 4.4 03/43] ARM: OMAP2+: timer: add probe for clocksources Greg Kroah-Hartman
2017-05-01 21:27 ` [PATCH 4.4 04/43] clk: sunxi: Add apb0 gates for H3 Greg Kroah-Hartman
2017-05-01 21:27 ` [PATCH 4.4 05/43] crypto: testmgr - fix out of bound read in __test_aead() Greg Kroah-Hartman
2017-05-01 21:27 ` [PATCH 4.4 06/43] drm/amdgpu: fix array out of bounds Greg Kroah-Hartman
2017-05-01 21:27 ` [PATCH 4.4 07/43] ext4: check if in-inode xattr is corrupted in ext4_expand_extra_isize_ea() Greg Kroah-Hartman
2017-05-01 21:27 ` [PATCH 4.4 08/43] md:raid1: fix a dead loop when read from a WriteMostly disk Greg Kroah-Hartman
2017-05-01 21:27 ` [PATCH 4.4 09/43] MIPS: Fix crash registers on non-crashing CPUs Greg Kroah-Hartman
2017-05-01 21:27 ` [PATCH 4.4 10/43] net: cavium: liquidio: Avoid dma_unmap_single on uninitialized ndata Greg Kroah-Hartman
2017-05-10 15:30   ` Ben Hutchings
2018-04-06  8:26     ` Greg Kroah-Hartman
2017-05-01 21:27 ` [PATCH 4.4 11/43] net_sched: close another race condition in tcf_mirred_release() Greg Kroah-Hartman
2017-05-01 21:27 ` [PATCH 4.4 12/43] RDS: Fix the atomicity for congestion map update Greg Kroah-Hartman
2017-05-01 21:27 ` [PATCH 4.4 13/43] regulator: core: Clear the supply pointer if enabling fails Greg Kroah-Hartman
2017-05-01 21:27 ` [PATCH 4.4 14/43] usb: gadget: f_midi: Fixed a bug when buflen was smaller than wMaxPacketSize Greg Kroah-Hartman
2017-05-01 21:27 ` [PATCH 4.4 15/43] xen/x86: dont lose event interrupts Greg Kroah-Hartman
2017-05-01 21:27 ` [PATCH 4.4 16/43] sparc64: kern_addr_valid regression Greg Kroah-Hartman
2017-05-01 21:27 ` [PATCH 4.4 17/43] sparc64: Fix kernel panic due to erroneous #ifdef surrounding pmd_write() Greg Kroah-Hartman
2017-05-01 21:27 ` [PATCH 4.4 18/43] net: neigh: guard against NULL solicit() method Greg Kroah-Hartman
2017-05-01 21:27 ` [PATCH 4.4 19/43] net: phy: handle state correctly in phy_stop_machine Greg Kroah-Hartman
2017-05-01 21:27 ` [PATCH 4.4 20/43] l2tp: purge socket queues in the .destruct() callback Greg Kroah-Hartman
2017-05-01 21:27 ` [PATCH 4.4 21/43] net/packet: fix overflow in check for tp_frame_nr Greg Kroah-Hartman
2017-05-01 21:27 ` [PATCH 4.4 22/43] net/packet: fix overflow in check for tp_reserve Greg Kroah-Hartman
2017-05-01 21:27 ` [PATCH 4.4 23/43] l2tp: take reference on sessions being dumped Greg Kroah-Hartman
2017-05-01 21:27 ` [PATCH 4.4 24/43] l2tp: fix PPP pseudo-wire auto-loading Greg Kroah-Hartman
2017-05-01 21:27 ` [PATCH 4.4 25/43] net: ipv4: fix multipath RTM_GETROUTE behavior when iif is given Greg Kroah-Hartman
2017-05-01 21:27 ` [PATCH 4.4 26/43] sctp: listen on the sock only when its state is listening or closed Greg Kroah-Hartman
2017-05-01 21:27 ` [PATCH 4.4 27/43] tcp: clear saved_syn in tcp_disconnect() Greg Kroah-Hartman
2017-05-01 21:27 ` [PATCH 4.4 29/43] net: ipv6: RTF_PCPU should not be settable from userspace Greg Kroah-Hartman
2017-05-01 21:27 ` [PATCH 4.4 30/43] netpoll: Check for skb->queue_mapping Greg Kroah-Hartman
2017-05-01 21:27 ` [PATCH 4.4 31/43] ip6mr: fix notification device destruction Greg Kroah-Hartman
2017-05-01 21:27 ` Greg Kroah-Hartman [this message]
2017-05-01 21:27 ` [PATCH 4.4 33/43] ipv6: check skb->protocol before lookup for nexthop Greg Kroah-Hartman
2017-05-01 21:27 ` [PATCH 4.4 34/43] ipv6: check raw payload size correctly in ioctl Greg Kroah-Hartman
2017-05-01 21:27 ` [PATCH 4.4 35/43] ALSA: firewire-lib: fix inappropriate assignment between signed/unsigned type Greg Kroah-Hartman
2017-05-01 21:27 ` [PATCH 4.4 36/43] ALSA: seq: Dont break snd_use_lock_sync() loop by timeout Greg Kroah-Hartman
2017-05-01 21:27 ` [PATCH 4.4 37/43] MIPS: KGDB: Use kernel context for sleeping threads Greg Kroah-Hartman
2017-05-01 21:27 ` [PATCH 4.4 38/43] MIPS: Avoid BUG warning in arch_check_elf Greg Kroah-Hartman
2017-05-01 21:27 ` [PATCH 4.4 39/43] p9_client_readdir() fix Greg Kroah-Hartman
2017-05-01 21:27 ` [PATCH 4.4 42/43] ARCv2: save r30 on kernel entry as gcc uses it for code-gen Greg Kroah-Hartman
2017-05-01 21:27 ` [PATCH 4.4 43/43] ftrace/x86: Fix triple fault with graph tracing and suspend-to-ram Greg Kroah-Hartman
     [not found] ` <59080414.87dfe90a.9590.db81@mx.google.com>
2017-05-02 13:53   ` [PATCH 4.4 00/43] 4.4.66-stable review Shuah Khan
2017-05-02 17:35 ` Guenter Roeck

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20170501212600.830206523@linuxfoundation.org \
    --to=gregkh@linuxfoundation.org \
    --cc=Joe.Ghalam@dell.com \
    --cc=davem@davemloft.net \
    --cc=herbert@gondor.apana.org.au \
    --cc=linux-kernel@vger.kernel.org \
    --cc=stable@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).