Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1753454AbbLNS7V (ORCPT <rfc822;w@1wt.eu>);
	Mon, 14 Dec 2015 13:59:21 -0500
Received: from mail-pf0-f175.google.com ([209.85.192.175]:35894 "EHLO
	mail-pf0-f175.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1753300AbbLNS7T (ORCPT
	<rfc822;linux-kernel@vger.kernel.org>);
	Mon, 14 Dec 2015 13:59:19 -0500
Subject: Re: [PATCH 4.3 34/71] vrf: fix double free and memory corruption on
 register_netdevice failure
To: Ben Hutchings <ben@decadent.org.uk>,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        linux-kernel@vger.kernel.org
References: <20151212200536.761001328@linuxfoundation.org>
 <20151212200538.468407629@linuxfoundation.org>
 <1450115142.3944.10.camel@decadent.org.uk>
Cc: stable@vger.kernel.org, Nikolay Aleksandrov <nikolay@cumulusnetworks.com>,
        "David S. Miller" <davem@davemloft.net>
From: David Ahern <dsa@cumulusnetworks.com>
Message-ID: <566F1183.10907@cumulusnetworks.com>
Date: Mon, 14 Dec 2015 11:59:15 -0700
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:38.0)
 Gecko/20100101 Thunderbird/38.4.0
MIME-Version: 1.0
In-Reply-To: <1450115142.3944.10.camel@decadent.org.uk>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 2105
Lines: 77

On 12/14/15 10:45 AM, Ben Hutchings wrote:
> On Sat, 2015-12-12 at 12:05 -0800, Greg Kroah-Hartman wrote:
>> 4.3-stable review patch.  If anyone has any objections, please let me
>> know.
>>
>> ------------------
>>
>> From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
>>
>> [ Upstream commit 7f109f7cc37108cba7243bc832988525b0d85909 ]
> [...]
>> --- a/drivers/net/vrf.c
>> +++ b/drivers/net/vrf.c
>> @@ -581,7 +581,6 @@ static int vrf_newlink(struct net *src_n
>>   {
>>   	struct net_vrf *vrf = netdev_priv(dev);
>>   	struct net_vrf_dev *vrf_ptr;
>> -	int err;
>>
>>   	if (!data || !data[IFLA_VRF_TABLE])
>>   		return -EINVAL;
>> @@ -590,26 +589,16 @@ static int vrf_newlink(struct net *src_n
>>
>>   	dev->priv_flags |= IFF_VRF_MASTER;
>>
>> -	err = -ENOMEM;
>>   	vrf_ptr = kmalloc(sizeof(*dev->vrf_ptr), GFP_KERNEL);
>>   	if (!vrf_ptr)
>> -		goto out_fail;
>> +		return -ENOMEM;
>>
>>   	vrf_ptr->ifindex = dev->ifindex;
>>   	vrf_ptr->tb_id = vrf->tb_id;
>>
>> -	err = register_netdevice(dev);
>> -	if (err < 0)
>> -		goto out_fail;
>> -
>>   	rcu_assign_pointer(dev->vrf_ptr, vrf_ptr);
>>
>> -	return 0;
>> -
>> -out_fail:
>> -	kfree(vrf_ptr);
>> -	free_netdev(dev);
>> -	return err;
>> +	return register_netdev(dev);
>>   }
>>
>>   static size_t vrf_nl_getsize(const struct net_device *dev)
>
> This leaks *dev->vrf_ptr if register_netdevice() fails.  (This bug does
> not exist in the mainline version, as net_device::vrf_ptr no longer
> exists there.)

Good catch. The backport just needs to drop the free_netdev call:

diff --git a/drivers/net/vrf.c b/drivers/net/vrf.c
index 488c6f50df73..374feba02565 100644
--- a/drivers/net/vrf.c
+++ b/drivers/net/vrf.c
@@ -608,7 +608,6 @@ static int vrf_newlink(struct net *src_net, struct 
net_device *dev,

  out_fail:
         kfree(vrf_ptr);
-       free_netdev(dev);
         return err;
  }



--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/