releases/4.14.110/vxlan-don-t-call-gro_cells_destroy-before-device-is-unregistered.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From foo@baz Thu Mar 28 21:57:57 CET 2019
 From: Zhiqiang Liu <liuzhiqiang26@huawei.com>
 Date: Sat, 16 Mar 2019 17:02:54 +0800
 Subject: vxlan: Don't call gro_cells_destroy() before device is unregistered

 From: Zhiqiang Liu <liuzhiqiang26@huawei.com>

 [ Upstream commit cc4807bb609230d8959fd732b0bf3bd4c2de8eac ]

 Commit ad6c9986bcb62 ("vxlan: Fix GRO cells race condition between
 receive and link delete") fixed a race condition for the typical case a vxlan
 device is dismantled from the current netns. But if a netns is dismantled,
 vxlan_destroy_tunnels() is called to schedule a unregister_netdevice_queue()
 of all the vxlan tunnels that are related to this netns.

 In vxlan_destroy_tunnels(), gro_cells_destroy() is called and finished before
 unregister_netdevice_queue(). This means that the gro_cells_destroy() call is
 done too soon, for the same reasons explained in above commit.

 So we need to fully respect the RCU rules, and thus must remove the
 gro_cells_destroy() call or risk use after-free.

 Fixes: 58ce31cca1ff ("vxlan: GRO support at tunnel layer")
 Signed-off-by: Suanming.Mou <mousuanming@huawei.com>
 Suggested-by: Eric Dumazet <eric.dumazet@gmail.com>
 Reviewed-by: Stefano Brivio <sbrivio@redhat.com>
 Reviewed-by: Zhiqiang Liu <liuzhiqiang26@huawei.com>
 Signed-off-by: David S. Miller <davem@davemloft.net>
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 ---
  drivers/net/vxlan.c |    4 +---
  1 file changed, 1 insertion(+), 3 deletions(-)

 --- a/drivers/net/vxlan.c
 +++ b/drivers/net/vxlan.c
 @@ -3793,10 +3793,8 @@ static void __net_exit vxlan_exit_net(st
  		/* If vxlan->dev is in the same netns, it has already been added
  		 * to the list by the previous loop.
  		 */
 -		if (!net_eq(dev_net(vxlan->dev), net)) {
 -			gro_cells_destroy(&vxlan->gro_cells);
 +		if (!net_eq(dev_net(vxlan->dev), net))
  			unregister_netdevice_queue(vxlan->dev, &list);
 -		}
  	}

  	unregister_netdevice_many(&list);
	From foo@baz Thu Mar 28 21:57:57 CET 2019
	From: Zhiqiang Liu <liuzhiqiang26@huawei.com>
	Date: Sat, 16 Mar 2019 17:02:54 +0800
	Subject: vxlan: Don't call gro_cells_destroy() before device is unregistered

	From: Zhiqiang Liu <liuzhiqiang26@huawei.com>

	[ Upstream commit cc4807bb609230d8959fd732b0bf3bd4c2de8eac ]

	Commit ad6c9986bcb62 ("vxlan: Fix GRO cells race condition between
	receive and link delete") fixed a race condition for the typical case a vxlan
	device is dismantled from the current netns. But if a netns is dismantled,
	vxlan_destroy_tunnels() is called to schedule a unregister_netdevice_queue()
	of all the vxlan tunnels that are related to this netns.

	In vxlan_destroy_tunnels(), gro_cells_destroy() is called and finished before
	unregister_netdevice_queue(). This means that the gro_cells_destroy() call is
	done too soon, for the same reasons explained in above commit.

	So we need to fully respect the RCU rules, and thus must remove the
	gro_cells_destroy() call or risk use after-free.

	Fixes: 58ce31cca1ff ("vxlan: GRO support at tunnel layer")
	Signed-off-by: Suanming.Mou <mousuanming@huawei.com>
	Suggested-by: Eric Dumazet <eric.dumazet@gmail.com>
	Reviewed-by: Stefano Brivio <sbrivio@redhat.com>
	Reviewed-by: Zhiqiang Liu <liuzhiqiang26@huawei.com>
	Signed-off-by: David S. Miller <davem@davemloft.net>
	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	---
	drivers/net/vxlan.c \| 4 +---
	1 file changed, 1 insertion(+), 3 deletions(-)

	--- a/drivers/net/vxlan.c
	+++ b/drivers/net/vxlan.c
	@@ -3793,10 +3793,8 @@ static void __net_exit vxlan_exit_net(st
	/* If vxlan->dev is in the same netns, it has already been added
	* to the list by the previous loop.
	*/
	- if (!net_eq(dev_net(vxlan->dev), net)) {
	- gro_cells_destroy(&vxlan->gro_cells);
	+ if (!net_eq(dev_net(vxlan->dev), net))
	unregister_netdevice_queue(vxlan->dev, &list);
	- }
	}

	unregister_netdevice_many(&list);