kernel_optimize_test/net
Cong Wang 052d41c01b vlan: fix a use-after-free in vlan_device_event()
After refcnt reaches zero, vlan_vid_del() could free
dev->vlan_info via RCU:

	RCU_INIT_POINTER(dev->vlan_info, NULL);
	call_rcu(&vlan_info->rcu, vlan_info_rcu_free);

However, the pointer 'grp' still points to that memory
since it is set before vlan_vid_del():

        vlan_info = rtnl_dereference(dev->vlan_info);
        if (!vlan_info)
                goto out;
        grp = &vlan_info->grp;

Depending on when that RCU callback is scheduled, we could
trigger a use-after-free in vlan_group_for_each_dev()
right following this vlan_vid_del().

Fix it by moving vlan_vid_del() before setting grp. This
is also symmetric to the vlan_vid_add() we call in
vlan_device_event().

Reported-by: Fengguang Wu <fengguang.wu@intel.com>
Fixes: efc73f4bbc ("net: Fix memory leak - vlan_info struct")
Cc: Alexander Duyck <alexander.duyck@gmail.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Girish Moodalbail <girish.moodalbail@oracle.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Reviewed-by: Girish Moodalbail <girish.moodalbail@oracle.com>
Tested-by: Fengguang Wu <fengguang.wu@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-11-11 19:35:32 +09:00
6lowpan
9p
802
8021q vlan: fix a use-after-free in vlan_device_event() 2017-11-11 19:35:32 +09:00
appletalk
atm
ax25
batman-adv
bluetooth
bpf
bridge
caif
can
ceph
core netfilter/ipvs: clear ipvs_property flag when SKB net namespace changed 2017-11-04 22:37:42 +09:00
dcb
dccp License cleanup: add SPDX license identifiers to some files 2017-11-02 10:04:46 -07:00
decnet
dns_resolver
dsa net: dsa: return after vlan prepare phase 2017-11-11 15:45:09 +09:00
ethernet
hsr
ieee802154
ife
ipv4 tcp: fix tcp_fastretrans_alert warning 2017-11-10 18:09:19 +09:00
ipv6 License cleanup: add SPDX license identifiers to some files 2017-11-02 10:04:46 -07:00
ipx
iucv
kcm
key
l2tp l2tp: don't use l2tp_tunnel_find() in l2tp_ip and l2tp_ip6 2017-11-05 22:22:15 +09:00
l3mdev
lapb
llc
mac80211 License cleanup: add SPDX license identifiers to some files 2017-11-02 10:04:46 -07:00
mac802154
mpls
ncsi
netfilter Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-11-03 09:09:21 -07:00
netlabel
netlink
netrom
nfc
nsh
openvswitch
packet
phonet
psample
qrtr qrtr: Move to postcore_initcall 2017-11-08 14:32:18 +09:00
rds rds: ib: Fix NULL pointer dereference in debug code 2017-11-10 14:54:47 +09:00
rfkill
rose
rxrpc
sched cls_u32: use tcf_exts_get_net() before call_rcu() 2017-11-09 10:03:10 +09:00
sctp License cleanup: add SPDX license identifiers to some files 2017-11-02 10:04:46 -07:00
smc
strparser
sunrpc License cleanup: add SPDX license identifiers to some files 2017-11-02 10:04:46 -07:00
switchdev
tipc
tls
unix License cleanup: add SPDX license identifiers to some files 2017-11-02 10:04:46 -07:00
vmw_vsock
wimax
wireless License cleanup: add SPDX license identifiers to some files 2017-11-02 10:04:46 -07:00
x25
xfrm Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec 2017-11-09 10:58:35 +09:00
compat.c
Kconfig
Makefile
socket.c
sysctl_net.c