macvlan: Fix potential use-after free for broadcasts (260916df) · Commits · 戴 / test

When we postpone a broadcast packet we save the source port in the skb if it is local. However, the source port can disappear before we get a chance to process the packet. This patch fixes this by holding a ref count on the netdev. It also delays the skb->cb modification until after we allocate the new skb as you should not modify shared skbs. Fixes: ("macvlan: Move broadcasts into a work queue") Signed-off-by:

Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by:

David S. Miller <davem@davemloft.net>

drivers/net/macvlan.c

+8 −2

Original line number	Diff line number	Diff line
		@@ -305,11 +305,14 @@ static void macvlan_process_broadcast(struct work_struct *w)

		rcu_read_unlock();

		if (src)
		dev_put(src->dev);
		kfree_skb(skb);
		}
		}

		static void macvlan_broadcast_enqueue(struct macvlan_port *port,
		const struct macvlan_dev *src,
		struct sk_buff *skb)
		{
		struct sk_buff *nskb;
		@@ -319,8 +322,12 @@ static void macvlan_broadcast_enqueue(struct macvlan_port *port,
		if (!nskb)
		goto err;

		MACVLAN_SKB_CB(nskb)->src = src;

		spin_lock(&port->bc_queue.lock);
		if (skb_queue_len(&port->bc_queue) < MACVLAN_BC_QUEUE_LEN) {
		if (src)
		dev_hold(src->dev);
		__skb_queue_tail(&port->bc_queue, nskb);
		err = 0;
		}
		@@ -429,8 +436,7 @@ static rx_handler_result_t macvlan_handle_frame(struct sk_buff **pskb)
		goto out;
		}

		MACVLAN_SKB_CB(skb)->src = src;
		macvlan_broadcast_enqueue(port, skb);
		macvlan_broadcast_enqueue(port, src, skb);

		return RX_HANDLER_PASS;
		}

Admin message