Date: Sat, 11 Nov 2017 19:36:07 +0900 (KST)
From: David Miller <davem@...emloft.net>
To: xiyou.wangcong@...il.com
Cc: netdev@...r.kernel.org, fengguang.wu@...el.com,
alexander.duyck@...il.com, torvalds@...ux-foundation.org,
girish.moodalbail@...cle.com
Subject: Re: [Patch net] vlan: fix a use-after-free in vlan_device_event()
From: Cong Wang <xiyou.wangcong@...il.com>
Date: Thu, 9 Nov 2017 16:43:13 -0800
> After refcnt reaches zero, vlan_vid_del() could free
> dev->vlan_info via RCU:
>
>         RCU_INIT_POINTER(dev->vlan_info, NULL);
>         call_rcu(&vlan_info->rcu, vlan_info_rcu_free);
>
> However, the pointer 'grp' still points to that memory
> since it is set before vlan_vid_del():
>
>         vlan_info = rtnl_dereference(dev->vlan_info);
>         if (!vlan_info)
>                 goto out;
>         grp = &vlan_info->grp;
>
> Depending on when that RCU callback is scheduled, we could
> trigger a use-after-free in vlan_group_for_each_dev()
> right following this vlan_vid_del().
>
> Fix it by moving vlan_vid_del() before setting grp. This
> is also symmetric to the vlan_vid_add() we call in
> vlan_device_event().
>
> Reported-by: Fengguang Wu <fengguang.wu@...el.com>
> Fixes: efc73f4bbc23 ("net: Fix memory leak - vlan_info struct")
> Cc: Alexander Duyck <alexander.duyck@...il.com>
> Cc: Linus Torvalds <torvalds@...ux-foundation.org>
> Cc: Girish Moodalbail <girish.moodalbail@...cle.com>
> Signed-off-by: Cong Wang <xiyou.wangcong@...il.com>
Applied and queued up for -stable, thanks Cong!
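
Added example, not part of this thread or of the kernel source: a userspace C model of the ordering problem the commit message describes. The struct and function names are hypothetical stand-ins, the deferred free imitates call_rcu(), and the stale pointer is only compared, never dereferenced.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Userspace model; all names here are hypothetical, not the kernel's. */
struct group { int ndevs; };
struct info  { int refcnt; struct group grp; };
struct dev   { struct info *info, *pending_free; };

static struct dev make_dev(int refcnt)
{
    struct dev d = { calloc(1, sizeof(struct info)), NULL };
    if (!d.info) abort();
    d.info->refcnt = refcnt;
    return d;
}

/* Models vlan_vid_del(): last put unpublishes and queues a deferred free. */
static void vid_del(struct dev *d)
{
    struct info *vi = d->info;
    if (vi && --vi->refcnt == 0) { d->info = NULL; d->pending_free = vi; }
}

/* Models the RCU callback, which runs at some later, unpredictable point. */
static void run_deferred_free(struct dev *d) { free(d->pending_free); d->pending_free = NULL; }

/* Old order: grp first, then vid_del(); true if grp is now stale. */
static bool old_order_leaves_stale_grp(struct dev *d)
{
    struct group *grp = d->info ? &d->info->grp : NULL;
    vid_del(d);
    return grp && d->pending_free && grp == &d->pending_free->grp;
}

/* Fixed order: vid_del() first, then read the pointer (NULL = "goto out"). */
static struct group *fixed_order_get_grp(struct dev *d)
{
    vid_del(d);
    return d->info ? &d->info->grp : NULL;
}

int main(void)
{
    struct dev a = make_dev(1), b = make_dev(1);
    printf("old order leaves stale grp: %d\n", old_order_leaves_stale_grp(&a));
    printf("fixed order returns NULL: %d\n", fixed_order_get_grp(&b) == NULL);
    run_deferred_free(&a); run_deferred_free(&b);
}
```

With more than one reference outstanding, both orderings yield a live group; the difference appears only on the final put, which is why the bug depends on timing.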