]> git.ipfire.org Git - thirdparty/kernel/linux.git/commit
macsec: fix promiscuity refcount leak in macsec_dev_open()
authorJames Raphael Tiovalen <jamestiotio@gmail.com>
Sun, 5 Jul 2026 11:36:29 +0000 (19:36 +0800)
committerPaolo Abeni <pabeni@redhat.com>
Sat, 11 Jul 2026 10:52:15 +0000 (12:52 +0200)
commit7410d11460eb90d6c9281162ccc6a128534d897d
tree8bd14ae2e646a958030be512f1b65dbfd4f74262
parent389704eb516b04c31f1b772f6385fd6ff1ba1b9a
macsec: fix promiscuity refcount leak in macsec_dev_open()

When a MACsec interface with IFF_PROMISC set is brought up on top of a
device that has hardware offload enabled, macsec_dev_open() first calls
dev_set_promiscuity(real_dev, 1) and then propagates the open to the
offload device. If that propagation fails, the error path jumps to the
clear_allmulti label, which only reverts allmulti and the unicast
address. The promiscuity taken on the lower device is never dropped, so
real_dev is left permanently stuck in promiscuous mode. Its promiscuity
count can no longer be balanced from software.

Add a clear_promisc label that drops the promiscuity reference and
route the two offload failure paths to it. The dev_set_promiscuity()
failure itself still jumps to clear_allmulti, since on that failure the
count was not incremented.

Fixes: 3cf3227a21d1 ("net: macsec: hardware offloading infrastructure")
Cc: stable@vger.kernel.org
Signed-off-by: James Raphael Tiovalen <jamestiotio@gmail.com>
Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>
Link: https://patch.msgid.link/20260705113629.187490-1-jamestiotio@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
drivers/net/macsec.c