Commit e090e184 authored by Herbert Xu's avatar Herbert Xu Committed by Kleber Sacilotto de Souza

macvlan: Fix potential use-after free for broadcasts

BugLink: https://bugs.launchpad.net/bugs/1878232

commit 260916df upstream.

When we postpone a broadcast packet we save the source port in
the skb if it is local.  However, the source port can disappear
before we get a chance to process the packet.

This patch fixes this by holding a ref count on the netdev.

It also delays the skb->cb modification until after we allocate
the new skb as you should not modify shared skbs.

Fixes: 412ca155 ("macvlan: Move broadcasts into a work queue")
Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: default avatarIan May <ian.may@canonical.com>
Signed-off-by: default avatarKleber Sacilotto de Souza <kleber.souza@canonical.com>
parent 8655fbb0
......@@ -305,6 +305,8 @@ static void macvlan_process_broadcast(struct work_struct *w)
rcu_read_unlock();
if (src)
dev_put(src->dev);
kfree_skb(skb);
cond_resched();
......@@ -312,6 +314,7 @@ static void macvlan_process_broadcast(struct work_struct *w)
}
static void macvlan_broadcast_enqueue(struct macvlan_port *port,
const struct macvlan_dev *src,
struct sk_buff *skb)
{
struct sk_buff *nskb;
......@@ -321,8 +324,12 @@ static void macvlan_broadcast_enqueue(struct macvlan_port *port,
if (!nskb)
goto err;
MACVLAN_SKB_CB(nskb)->src = src;
spin_lock(&port->bc_queue.lock);
if (skb_queue_len(&port->bc_queue) < MACVLAN_BC_QUEUE_LEN) {
if (src)
dev_hold(src->dev);
__skb_queue_tail(&port->bc_queue, nskb);
err = 0;
}
......@@ -432,8 +439,7 @@ static rx_handler_result_t macvlan_handle_frame(struct sk_buff **pskb)
goto out;
}
MACVLAN_SKB_CB(skb)->src = src;
macvlan_broadcast_enqueue(port, skb);
macvlan_broadcast_enqueue(port, src, skb);
return RX_HANDLER_PASS;
}
......
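Review bot: The `dev_hold(src->dev)` taken in macvlan_broadcast_enqueue when an skb is queued is released only in macvlan_process_broadcast, so any other code that drops skbs from `port->bc_queue` would leave that reference held. No such path is visible in these hunks, but if port teardown purges the queue directly, each purged skb with a non-NULL `MACVLAN_SKB_CB(skb)->src` needs `if (src) dev_put(src->dev);` before its `kfree_skb(skb)`. Without it the source device's refcount would never drop, and its unregistration would presumably stall. A short comment at the `dev_hold`, e.g. `/* ref dropped in macvlan_process_broadcast() */`, would make the pairing easy to audit. All three functions touched here begin or end outside the shown hunks, so this rests on the visible lines only.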