This is a note to let you know that I've just added the patch titled
net: mpls: fix stale pointer if allocation fails during device rename
to the 5.15-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
net-mpls-fix-stale-pointer-if-allocation-fails-during-device-rename.patch
and it can be found in the queue-5.15 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.
>From fda6c89fe3d9aca073495a664e1d5aea28cd4377 Mon Sep 17 00:00:00 2001
From: Jakub Kicinski <kuba@xxxxxxxxxx>
Date: Mon, 13 Feb 2023 22:53:55 -0800
Subject: net: mpls: fix stale pointer if allocation fails during device rename
From: Jakub Kicinski <kuba@xxxxxxxxxx>
commit fda6c89fe3d9aca073495a664e1d5aea28cd4377 upstream.
lianhui reports that when MPLS fails to register the sysctl table
under new location (during device rename) the old pointers won't
get overwritten and may be freed again (double free).
Handle this gracefully. The best option would be unregistering
the MPLS from the device completely on failure, but unfortunately
mpls_ifdown() can fail. So failing fully is also unreliable.
Another option is to register the new table first then only
remove old one if the new one succeeds. That requires more
code, changes order of notifications and two tables may be
visible at the same time.
sysctl point is not used in the rest of the code - set to NULL
on failures and skip unregister if already NULL.
Reported-by: lianhui tang <bluetlh@xxxxxxxxx>
Fixes: 0fae3bf018d9 ("mpls: handle device renames for per-device sysctls")
Signed-off-by: Jakub Kicinski <kuba@xxxxxxxxxx>
Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
net/mpls/af_mpls.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/net/mpls/af_mpls.c
+++ b/net/mpls/af_mpls.c
@@ -1428,6 +1428,7 @@ static int mpls_dev_sysctl_register(stru
free:
kfree(table);
out:
+ mdev->sysctl = NULL;
return -ENOBUFS;
}
@@ -1437,6 +1438,9 @@ static void mpls_dev_sysctl_unregister(s
struct net *net = dev_net(dev);
struct ctl_table *table;
+ if (!mdev->sysctl)
+ return;
+
table = mdev->sysctl->ctl_table_arg;
unregister_net_sysctl_table(mdev->sysctl);
kfree(table);
Patches currently in stable-queue which might be from kuba@xxxxxxxxxx are
queue-5.15/net-sched-tcindex-update-imperfect-hash-filters-respecting-rcu.patch
queue-5.15/ipv6-fix-datagram-socket-connection-with-dscp.patch
queue-5.15/net-ethernet-ti-am65-cpsw-add-rx-dma-channel-teardown-quirk.patch
queue-5.15/net-sched-sch-bounds-check-priority.patch
queue-5.15/net-rose-fix-to-not-accept-on-connected-socket.patch
queue-5.15/ipv6-fix-tcp-socket-connection-with-dscp.patch
queue-5.15/sctp-sctp_sock_filter-avoid-list_entry-on-possibly-empty-list.patch
queue-5.15/dccp-tcp-avoid-negative-sk_forward_alloc-by-ipv6_pinfo.pktoptions.patch
queue-5.15/net-mpls-fix-stale-pointer-if-allocation-fails-during-device-rename.patch
queue-5.15/net-bgmac-fix-bcm5358-support-by-setting-correct-flags.patch
queue-5.15/net-stmmac-fix-order-of-dwmac5-flexpps-parametrization-sequence.patch
