Each devlink instance is associated with a parent device and a pointer to this device is stored in the devlink structure, but devlink does not hold a reference on this device. This is going to be a problem in the next patch where - among other things - devlink will acquire the device lock during netns dismantle, before the reload operation. Since netns dismantle is performed asynchronously and since a reference is not held on the parent device, it will be possible to hit a use-after-free. Prepare for the upcoming change by holding a reference on the parent device. Signed-off-by: Ido Schimmel <idosch@xxxxxxxxxx> Reviewed-by: Jiri Pirko <jiri@xxxxxxxxxx> --- net/devlink/core.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/net/devlink/core.c b/net/devlink/core.c index bcbbb952569f..5b8b692b8c76 100644 --- a/net/devlink/core.c +++ b/net/devlink/core.c @@ -4,6 +4,7 @@ * Copyright (c) 2016 Jiri Pirko <jiri@xxxxxxxxxxxx> */ +#include <linux/device.h> #include <net/genetlink.h> #define CREATE_TRACE_POINTS #include <trace/events/devlink.h> @@ -310,6 +311,7 @@ static void devlink_release(struct work_struct *work) mutex_destroy(&devlink->lock); lockdep_unregister_key(&devlink->lock_key); + put_device(devlink->dev); kfree(devlink); } @@ -425,6 +427,7 @@ struct devlink *devlink_alloc_ns(const struct devlink_ops *ops, if (ret < 0) goto err_xa_alloc; + get_device(dev); devlink->dev = dev; devlink->ops = ops; xa_init_flags(&devlink->ports, XA_FLAGS_ALLOC); -- 2.40.1
