References: <751f88c0846df798a403643cefcaab53922ffe2f.1647255926.git.william.xuanziyang@huawei.com>
In-Reply-To: <751f88c0846df798a403643cefcaab53922ffe2f.1647255926.git.william.xuanziyang@huawei.com>
From: Eric Dumazet
Date: Mon, 14 Mar 2022 10:24:01 -0700
Subject: Re: [PATCH net-next 1/3] net: ipvlan: fix potential UAF problem for phy_dev
To: Ziyang Xuan
Cc: David Miller, Jakub Kicinski, netdev, sakiwit@gmail.com, LKML
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Mar 14, 2022 at 3:54 AM Ziyang Xuan wrote:
>
> Add the reference operation to phy_dev of ipvlan to avoid
> the potential UAF problem under the following known scenario:
>
> Some module puts the NETDEV_UNREGISTER event handler to a
> work, and phy_dev is accessed in the work handler. But when
> the work is executed, phy_dev has been destroyed because upper
> ipvlan did not get reference to phy_dev correctly.

Can you name the module deferring NETDEV_UNREGISTER to a work queue ?

This sounds like a bug to me.

>
> That is like the scenario in
> commit 563bcbae3ba2 ("net: vlan: fix a UAF in vlan_dev_real_dev()").

Mentioning a commit that added a bug and many other commits trying to fix it
is a bit unfortunate.

Can you instead add a Fixes: tag ?

Do you have a repro to trigger the bug ?

>
> Signed-off-by: Ziyang Xuan
> ---
>  drivers/net/ipvlan/ipvlan_main.c | 13 +++++++++++++
>  1 file changed, 13 insertions(+)
>
> diff --git a/drivers/net/ipvlan/ipvlan_main.c b/drivers/net/ipvlan/ipvlan_main.c
> index 696e245f6d00..dcdc01403f22 100644
> --- a/drivers/net/ipvlan/ipvlan_main.c
> +++ b/drivers/net/ipvlan/ipvlan_main.c
> @@ -158,6 +158,10 @@ static int ipvlan_init(struct net_device *dev) > } > port = ipvlan_port_get_rtnl(phy_dev); > port->count += 1; > + > + /* Get ipvlan's reference to phy_dev */ > + dev_hold(phy_dev); > + > return 0; > } > > @@ -665,6 +669,14 @@ void ipvlan_link_delete(struct net_device *dev, struct list_head *head) > } > EXPORT_SYMBOL_GPL(ipvlan_link_delete); > > +static void ipvlan_dev_free(struct net_device *dev) > +{ > + struct ipvl_dev *ipvlan = netdev_priv(dev); > + > + /* Get rid of the ipvlan's reference to phy_dev */ > + dev_put(ipvlan->phy_dev); > +} > + > void ipvlan_link_setup(struct net_device *dev) > { > ether_setup(dev); > @@ -674,6 +686,7 @@ void ipvlan_link_setup(struct net_device *dev) > dev->priv_flags |= IFF_UNICAST_FLT | IFF_NO_QUEUE; > dev->netdev_ops = &ipvlan_netdev_ops; > dev->needs_free_netdev = true; > + dev->priv_destructor = ipvlan_dev_free; > dev->header_ops = &ipvlan_header_ops; > dev->ethtool_ops = &ipvlan_ethtool_ops; > } > -- > 2.25.1 >
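Review bot: in the ipvlan_init hunk (@@ -158), `dev_hold(phy_dev);` is the last statement before `return 0;`, so any earlier error return in ipvlan_init leaves the device without this hold while ipvlan_link_setup has already installed ipvlan_dev_free as priv_destructor; the commit message (or a comment beside the hold) should say why no free path runs the destructor for a device whose ndo_init failed, otherwise that path would be an unbalanced dev_put(). Since this targets net-next, consider the tracked variant, dev_hold_track() with a netdevice_tracker field in struct ipvl_dev, so a leaked or double-dropped reference is attributable to ipvlan rather than only visible as a stuck "unregister_netdevice: waiting for ... to become free" message.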
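Review bot: in the ipvlan_dev_free hunk (@@ -665), releasing the hold from priv_destructor rather than from ndo_uninit (ipvlan_uninit) is the whole point of the fix, because priv_destructor runs only when the ipvlan device is actually freed, after NETDEV_UNREGISTER has been delivered, which is what keeps phy_dev alive for a handler that defers its work; nothing in the hunk records that reasoning. Suggest replacing the comment with one that states the constraint, e.g. `/* priv_destructor: phy_dev must outlive NETDEV_UNREGISTER handlers that defer work, so drop our reference only at free time */`, and the commit message should name the module with the deferred handler, as asked above, since that is the only way a later reader can judge whether the hold is still required.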
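Review bot: in the ipvlan_link_setup hunk (@@ -674), `dev->priv_destructor = ipvlan_dev_free;` is installed unconditionally at setup time while the matching hold is taken only on the success path of ipvlan_init; that presumably mirrors the vlan fix the commit message cites and reads fine next to `needs_free_netdev = true`, but it relies on the core never invoking priv_destructor for a device whose ndo_init failed, so a one-line comment here pointing at ipvlan_init/ipvlan_dev_free would save the next reader that check. Independently of the code, a use-after-free fix should carry a Fixes: tag and arguably be sent to net rather than net-next.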