From: Herbert Xu
Date: Wed, 1 Jun 2016 03:43:00 +0000 (+0800)
Subject: macvlan: Fix potential use-after free for broadcasts
X-Git-Tag: v3.16.39~345
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=a218ab306039ef5699f5df10b0f203f71c665c62;p=thirdparty%2Fkernel%2Fstable.git

macvlan: Fix potential use-after free for broadcasts

commit 260916dfb48c374f7840f3b86e69afd3afdb6e96 upstream.

When we postpone a broadcast packet we save the source port in the skb if it is local. However, the source port can disappear before we get a chance to process the packet.

This patch fixes this by holding a ref count on the netdev.

It also delays the skb->cb modification until after we allocate the new skb as you should not modify shared skbs.

Fixes: 412ca1550cbe ("macvlan: Move broadcasts into a work queue")
Signed-off-by: Herbert Xu
Signed-off-by: David S. Miller
Signed-off-by: Ben Hutchings
---
diff --git a/drivers/net/macvlan.c b/drivers/net/macvlan.c
index bb33b0410a228..8432521408a77 100644
--- a/drivers/net/macvlan.c
+++ b/drivers/net/macvlan.c
@@ -234,11 +234,14 @@ static void macvlan_process_broadcast(struct work_struct *w)
 
 		rcu_read_unlock();
 
+		if (src)
+			dev_put(src->dev);
 		kfree_skb(skb);
 	}
 }
 
 static void macvlan_broadcast_enqueue(struct macvlan_port *port,
+				      const struct macvlan_dev *src,
 				      struct sk_buff *skb)
 {
 	struct sk_buff *nskb;
@@ -248,8 +251,12 @@ static void macvlan_broadcast_enqueue(struct macvlan_port *port,
 	if (!nskb)
 		goto err;
 
+	MACVLAN_SKB_CB(nskb)->src = src;
+
 	spin_lock(&port->bc_queue.lock);
 	if (skb_queue_len(&port->bc_queue) < MACVLAN_BC_QUEUE_LEN) {
+		if (src)
+			dev_hold(src->dev);
 		__skb_queue_tail(&port->bc_queue, nskb);
 		err = 0;
 	}
@@ -296,8 +303,7 @@ static rx_handler_result_t macvlan_handle_frame(struct sk_buff **pskb)
 			goto out;
 		}
 
-		MACVLAN_SKB_CB(skb)->src = src;
-		macvlan_broadcast_enqueue(port, skb);
+		macvlan_broadcast_enqueue(port, src, skb);
 
 		return RX_HANDLER_PASS;
 	}
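Review bot: The reference taken by `dev_hold(src->dev)` in the macvlan_broadcast_enqueue hunk is released only on the dequeue path in macvlan_process_broadcast, so any skb that leaves bc_queue another way — for example a direct purge of the queue when the port is torn down, which is outside this diff — would now carry a device reference that nothing drops and could stall unregistration of that netdev while it waits for its refcount. Wherever bc_queue is drained without going through the work function, the put should be mirrored, e.g. `src = MACVLAN_SKB_CB(skb)->src; if (src) dev_put(src->dev); kfree_skb(skb);` per skb in place of a plain purge. A comment above the hold would also help the reader understand why `src->dev` may be dereferenced after `rcu_read_unlock()` in the first hunk: `/* assuming src lives in the priv area of src->dev, this ref keeps both valid until macvlan_process_broadcast puts it */`. Both macvlan_process_broadcast and macvlan_broadcast_enqueue begin and end outside the hunks shown.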