• net: vlan: fix underflow for the real_dev refcnt · 01d9cc2d
    Ziyang Xuan authored
    Inject error before dev_hold(real_dev) in register_vlan_dev(),
    and execute the following testcase:
    
    ip link add dev dummy1 type dummy
    ip link add name dummy1.100 link dummy1 type vlan id 100
    ip link del dev dummy1
    
    When the dummy netdevice is removed, we will get a WARNING as follows:
    
    =======================================================================
    refcount_t: decrement hit 0; leaking memory.
    WARNING: CPU: 2 PID: 0 at lib/refcount.c:31 refcount_warn_saturate+0xbf/0x1e0
    
    and an endless loop of:
    
    =======================================================================
    unregister_netdevice: waiting for dummy1 to become free. Usage count = -1073741824
    
    That is because dev_put(real_dev) in vlan_dev_free() is called without
    dev_hold(real_dev) in register_vlan_dev(). It makes the refcnt of real_dev
    underflow.
    
    Move the dev_hold(real_dev) to vlan_dev_init() which is the call-back of
    ndo_init(). That makes dev_hold() and dev_put() for vlan's real_dev
    symmetrical.
    
    Fixes: 563bcbae ("net: vlan: fix a UAF in vlan_dev_real_dev()")
    Reported-by: Petr Machata <petrm@nvidia.com>
    Suggested-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
    Link: https://lore.kernel.org/r/20211126015942.2918542-1-william.xuanziyang@huawei.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
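
The hold/put asymmetry described in the commit message, as an added user-space C model (not kernel code and not part of the commit). It assumes the injected error occurs after the init callback has run and that the failure path invokes the free callback; `hold_site`, `model_dev` and the `model_*` functions are hypothetical names.

```c
#include <stdio.h>

/* User-space model; every name here is hypothetical, not kernel code. */
enum hold_site { HOLD_IN_REGISTER, HOLD_IN_INIT };
struct model_dev { int refcnt; };

/* Stands in for the ndo_init() callback (vlan_dev_init() on the page). */
static void model_init(struct model_dev *real, enum hold_site site)
{
    if (site == HOLD_IN_INIT)
        real->refcnt++;              /* dev_hold(real_dev), after the fix */
}

/* Stands in for vlan_dev_free(): it always drops one reference. */
static void model_free(struct model_dev *real)
{
    real->refcnt--;                  /* dev_put(real_dev) */
}

/* Assumption: the injected error hits after init ran, and the failure
 * path runs the free callback. Returns 0 on success, -1 on failure. */
static int model_register(struct model_dev *real, enum hold_site site, int fail)
{
    model_init(real, site);
    if (fail) {
        model_free(real);
        return -1;
    }
    if (site == HOLD_IN_REGISTER)
        real->refcnt++;              /* dev_hold(real_dev), before the fix */
    return 0;
}

/* real_dev's count after one registration attempt, starting from 1
 * (constructed value: the single reference its owner holds). */
int refcnt_after_attempt(enum hold_site site, int fail)
{
    struct model_dev real = { .refcnt = 1 };
    if (model_register(&real, site, fail) == 0)
        model_free(&real);           /* normal teardown of the VLAN device */
    return real.refcnt;
}

int main(void)
{
    printf("hold in register, failed attempt: %d\n", refcnt_after_attempt(HOLD_IN_REGISTER, 1));
    printf("hold in init, failed attempt:     %d\n", refcnt_after_attempt(HOLD_IN_INIT, 1));
    return 0;
}
```

A result of 0 in the model means the owner's own reference has been consumed, so the next put on the real device decrements from zero.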
vlan.c 17.6 KB