Patch "net: vlan: fix underflow for the real_dev refcnt" has been added to the 5.4-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Sun, 28 Nov 2021 19:49:38 -0500

This is a note to let you know that I've just added the patch titled

    net: vlan: fix underflow for the real_dev refcnt

to the 5.4-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     net-vlan-fix-underflow-for-the-real_dev-refcnt.patch
and it can be found in the queue-5.4 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit cc1973f2487d11a1fae3f765298ddc7ad0fc21d0
Author: Ziyang Xuan <william.xuanziyang@xxxxxxxxxx>
Date:   Fri Nov 26 09:59:42 2021 +0800

    net: vlan: fix underflow for the real_dev refcnt
    
    [ Upstream commit 01d9cc2dea3fde3bad6d27f464eff463496e2b00 ]
    
    Inject error before dev_hold(real_dev) in register_vlan_dev(),
    and execute the following testcase:
    
    ip link add dev dummy1 type dummy
    ip link add name dummy1.100 link dummy1 type vlan id 100
    ip link del dev dummy1
    
    When the dummy netdevice is removed, we will get a WARNING as following:
    
    =======================================================================
    refcount_t: decrement hit 0; leaking memory.
    WARNING: CPU: 2 PID: 0 at lib/refcount.c:31 refcount_warn_saturate+0xbf/0x1e0
    
    and an endless loop of:
    
    =======================================================================
    unregister_netdevice: waiting for dummy1 to become free. Usage count = -1073741824
    
    That is because dev_put(real_dev) in vlan_dev_free() be called without
    dev_hold(real_dev) in register_vlan_dev(). It makes the refcnt of real_dev
    underflow.
    
    Move the dev_hold(real_dev) to vlan_dev_init() which is the call-back of
    ndo_init(). That makes dev_hold() and dev_put() for vlan's real_dev
    symmetrical.
    
    Fixes: 563bcbae3ba2 ("net: vlan: fix a UAF in vlan_dev_real_dev()")
    Reported-by: Petr Machata <petrm@xxxxxxxxxx>
    Suggested-by: Jakub Kicinski <kuba@xxxxxxxxxx>
    Signed-off-by: Ziyang Xuan <william.xuanziyang@xxxxxxxxxx>
    Link: https://lore.kernel.org/r/20211126015942.2918542-1-william.xuanziyang@xxxxxxxxxx
    Signed-off-by: Jakub Kicinski <kuba@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/net/8021q/vlan.c b/net/8021q/vlan.c
index cd7c0429cddf8..796d95797ab40 100644
--- a/net/8021q/vlan.c
+++ b/net/8021q/vlan.c
@@ -177,9 +177,6 @@ int register_vlan_dev(struct net_device *dev, struct netlink_ext_ack *extack)
 	if (err)
 		goto out_unregister_netdev;
 
-	/* Account for reference in struct vlan_dev_priv */
-	dev_hold(real_dev);
-
 	vlan_stacked_transfer_operstate(real_dev, dev, vlan);
 	linkwatch_fire_event(dev); /* _MUST_ call rfc2863_policy() */
 
diff --git a/net/8021q/vlan_dev.c b/net/8021q/vlan_dev.c
index 415a29d42cdf0..589615ec490bb 100644
--- a/net/8021q/vlan_dev.c
+++ b/net/8021q/vlan_dev.c
@@ -583,6 +583,9 @@ static int vlan_dev_init(struct net_device *dev)
 	if (!vlan->vlan_pcpu_stats)
 		return -ENOMEM;
 
+	/* Get vlan's reference to real_dev */
+	dev_hold(real_dev);
+
 	return 0;
 }
 






