[56/74] 8021q: fix a potential use-after-free
3.2.43-rc1 review patch. If anyone has any objections, please let me know.

--

From: Cong Wang

[ Upstream commit 4a7df340ed1bac190c124c1601bfc10cde9fb4fb ]

vlan_vid_del() could possibly free ->vlan_info after a RCU grace period, however, we may still refer to the freed memory area by 'grp' pointer.

Found by code inspection.

This patch moves vlan_vid_del() as behind as possible.

Cc: Patrick McHardy
Cc: "David S. Miller"
Signed-off-by: Cong Wang
Acked-by: Eric Dumazet
Signed-off-by: David S. Miller
Signed-off-by: Ben Hutchings

--- net/8021q/vlan.c | 14 +++--- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/net/8021q/vlan.c b/net/8021q/vlan.c index 5471628..963f285 100644 --- a/net/8021q/vlan.c +++ b/net/8021q/vlan.c @@ -110,13 +110,6 @@ void unregister_vlan_dev(struct net_device *dev, struct list_head *head) grp = rtnl_dereference(real_dev->vlgrp); BUG_ON(!grp); - /* Take it out of our own structures, but be sure to interlock with -* HW accelerating devices or SW vlan input packet processing if -* VLAN is not 0 (leave it there for 802.1p). -*/ - if (vlan_id && (real_dev->features & NETIF_F_HW_VLAN_FILTER)) - ops->ndo_vlan_rx_kill_vid(real_dev, vlan_id); - grp->nr_vlans--; if (vlan->flags & VLAN_FLAG_GVRP) @@ -139,6 +132,13 @@ void unregister_vlan_dev(struct net_device *dev, struct list_head *head) call_rcu(>rcu, vlan_rcu_free); } + /* Take it out of our own structures, but be sure to interlock with +* HW accelerating devices or SW vlan input packet processing if +* VLAN is not 0 (leave it there for 802.1p). +*/ + if (vlan_id && (real_dev->features & NETIF_F_HW_VLAN_FILTER)) + ops->ndo_vlan_rx_kill_vid(real_dev, vlan_id); + /* Get rid of the vlan's reference to real_dev */ dev_put(real_dev); }
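
Review bot: The changelog names vlan_vid_del() as the call that can free ->vlan_info, but the lines removed in the first hunk (@@ -110,13 +110,6 @@) are the ops->ndo_vlan_rx_kill_vid(real_dev, vlan_id) call, and vlan_vid_del() appears nowhere in the diff. For a stable backport, a short note in the changelog saying which 3.2 call corresponds to vlan_vid_del(), and how it can affect grp, would make the use-after-free reasoning checkable, since the only free of grp visible here is the call_rcu(..., vlan_rcu_free) in the second hunk's context.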
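
Review bot: The comment re-added in the second hunk (@@ -139,6 +132,13 @@) still says "Take it out of our own structures, but be sure to interlock with HW accelerating devices", yet at its new position the call runs after grp->nr_vlans-- and after the call_rcu() block, so the comment no longer describes the ordering. Suggest rewording it to state that the VID is removed from the hardware filter last, after the final use of grp, and that it must stay above dev_put(real_dev) so the vlan's reference to real_dev is still held when the callback runs.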