This is a note to let you know that I've just added the patch titled
8021q: fix a potential use-after-free
to the 3.0-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
8021q-fix-a-potential-use-after-free.patch
and it can be found in the queue-3.0 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <[email protected]> know about it.
>From 5df252fbe8f672a24dc75dc5ce5d0c5f8532f105 Mon Sep 17 00:00:00 2001
From: Cong Wang <[email protected]>
Date: Fri, 22 Mar 2013 19:14:07 +0000
Subject: 8021q: fix a potential use-after-free
From: Cong Wang <[email protected]>
[ Upstream commit 4a7df340ed1bac190c124c1601bfc10cde9fb4fb ]
vlan_vid_del() could possibly free ->vlan_info after a RCU grace
period, however, we may still refer to the freed memory area
by 'grp' pointer. Found by code inspection.
This patch moves vlan_vid_del() as behind as possible.
Cc: Patrick McHardy <[email protected]>
Cc: "David S. Miller" <[email protected]>
Signed-off-by: Cong Wang <[email protected]>
Acked-by: Eric Dumazet <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
net/8021q/vlan.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
--- a/net/8021q/vlan.c
+++ b/net/8021q/vlan.c
@@ -108,13 +108,6 @@ void unregister_vlan_dev(struct net_devi
grp = rtnl_dereference(real_dev->vlgrp);
BUG_ON(!grp);
- /* Take it out of our own structures, but be sure to interlock with
- * HW accelerating devices or SW vlan input packet processing if
- * VLAN is not 0 (leave it there for 802.1p).
- */
- if (vlan_id && (real_dev->features & NETIF_F_HW_VLAN_FILTER))
- ops->ndo_vlan_rx_kill_vid(real_dev, vlan_id);
-
grp->nr_vlans--;
if (vlan->flags & VLAN_FLAG_GVRP)
@@ -139,6 +132,13 @@ void unregister_vlan_dev(struct net_devi
call_rcu(&grp->rcu, vlan_rcu_free);
}
+ /* Take it out of our own structures, but be sure to interlock with
+ * HW accelerating devices or SW vlan input packet processing if
+ * VLAN is not 0 (leave it there for 802.1p).
+ */
+ if (vlan_id && (real_dev->features & NETIF_F_HW_VLAN_FILTER))
+ ops->ndo_vlan_rx_kill_vid(real_dev, vlan_id);
+
/* Get rid of the vlan's reference to real_dev */
dev_put(real_dev);
}
Patches currently in stable-queue which might be from [email protected] are
queue-3.0/8021q-fix-a-potential-use-after-free.patch
--
To unsubscribe from this list: send the line "unsubscribe stable" in
the body of a message to [email protected]
More majordomo info at http://vger.kernel.org/majordomo-info.html
