geneve: Suppress list corruption splat in geneve_destroy_tunnels().

[ Upstream commit 62fab6eef61f245dc8797e3a6a5b890ef40e8628 ]

As explained in the previous patch, iterating for_each_netdev() and
gn->geneve_list during ->exit_batch_rtnl() could trigger ->dellink()
twice for the same device.

If CONFIG_DEBUG_LIST is enabled, we will see a list_del() corruption
splat in the 2nd call of geneve_dellink().

Let's remove for_each_netdev() in geneve_destroy_tunnels() and delegate
that part to default_device_exit_batch().

Fixes: 9593172d93b9 ("geneve: Fix use-after-free in geneve_find_dev().")
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Link: https://patch.msgid.link/20250217203705.40342-3-kuniyu@amazon.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/drivers/net/geneve.c b/drivers/net/geneve.c
index a79cebd7041beb78c2140e1d0bfee998aad09072..4dfe0dfb84e83ec407be57ac65cacc3f6aca3930 100644 (file)
--- a/drivers/net/geneve.c
+++ b/drivers/net/geneve.c
@@ -1963,14 +1963,7 @@ static void geneve_destroy_tunnels(struct net *net, struct list_head *head)
 {
        struct geneve_net *gn = net_generic(net, geneve_net_id);
        struct geneve_dev *geneve, *next;
-       struct net_device *dev, *aux;
 
-       /* gather any geneve devices that were moved into this ns */
-       for_each_netdev_safe(net, dev, aux)
-               if (dev->rtnl_link_ops == &geneve_link_ops)
-                       geneve_dellink(dev, head);
-
-       /* now gather any other geneve devices that were created in this ns */
        list_for_each_entry_safe(geneve, next, &gn->geneve_list, next)
                geneve_dellink(geneve->dev, head);
 }