| From 6f65a957266c290435e1dc27331a4f5b134a5599 Mon Sep 17 00:00:00 2001 |
| From: Herbert Xu <herbert@gondor.apana.org.au> |
| Date: Thu, 20 Apr 2017 20:55:12 +0800 |
| Subject: [PATCH] macvlan: Fix device ref leak when purging bc_queue |
| |
| commit f6478218e6edc2a587b8f132f66373baa7b2497c upstream. |
| |
| When a parent macvlan device is destroyed we end up purging its |
| broadcast queue without dropping the device reference count on |
| the packet source device. This causes the source device to linger. |
| |
| This patch drops that reference count. |
| |
| Fixes: 260916dfb48c ("macvlan: Fix potential use-after free for...") |
| Reported-by: Joe Ghalam <Joe.Ghalam@dell.com> |
| Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> |
| Signed-off-by: David S. Miller <davem@davemloft.net> |
| |
| diff --git a/drivers/net/macvlan.c b/drivers/net/macvlan.c |
| index 3234fcdea317..67f86639d06d 100644 |
| --- a/drivers/net/macvlan.c |
| +++ b/drivers/net/macvlan.c |
| @@ -1139,6 +1139,7 @@ static int macvlan_port_create(struct net_device *dev) |
| static void macvlan_port_destroy(struct net_device *dev) |
| { |
| struct macvlan_port *port = macvlan_port_get_rtnl(dev); |
| + struct sk_buff *skb; |
| |
| dev->priv_flags &= ~IFF_MACVLAN_PORT; |
| netdev_rx_handler_unregister(dev); |
| @@ -1147,7 +1148,15 @@ static void macvlan_port_destroy(struct net_device *dev) |
| * but we need to cancel it and purge left skbs if any. |
| */ |
| cancel_work_sync(&port->bc_work); |
| - __skb_queue_purge(&port->bc_queue); |
| + |
| + while ((skb = __skb_dequeue(&port->bc_queue))) { |
| + const struct macvlan_dev *src = MACVLAN_SKB_CB(skb)->src; |
| + |
| + if (src) |
| + dev_put(src->dev); |
| + |
| + kfree_skb(skb); |
| + } |
| |
| kfree_rcu(port, rcu); |
| } |
| -- |
| 2.12.0 |
| |