From: Boudewijn van der Heide
To: netdev@vger.kernel.org
Cc: andrew+netdev@lunn.ch, davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, linux-kernel@vger.kernel.org, Boudewijn van der Heide, syzbot+7182fbe91e58602ec1fe@syzkaller.appspotmail.com
Subject: [PATCH net] macvlan: Fix use-after-free in macvlan_common_newlink
Date: Thu, 8 Jan 2026 18:45:04 +0100
Message-ID: <20260108174504.86488-1-boudewijn@delta-utec.com>

The macvlan_common_newlink() function calls macvlan_port_create(), which allocates a port structure and registers the RX handler via netdev_rx_handler_register(). Once registered, the handler is immediately live and can be invoked from softirq context.

If the subsequent call to register_netdevice() fails (e.g., due to a name collision), the error path calls macvlan_port_destroy(), which unregisters the handler and immediately frees the port with kfree().

This creates a race condition: one thread may be processing a packet in the RX handler and accessing the port structure, while another thread is executing the error path and frees the port. This results in the first thread reading freed memory, leading to a use-after-free and undefined behavior.

Fix this by replacing kfree() with kfree_rcu() to defer the memory release until all RCU read-side sections have completed, and add an rcu_head field to the macvlan_port structure. This ensures the port remains valid while any thread is still accessing it.

This functionality was previously present but was removed in commit a1f5315ce4e1 ("driver: macvlan: Remove the rcu member of macvlan_port"), which inadvertently introduced this use-after-free.

Fixes: a1f5315ce4e1 ("driver: macvlan: Remove the rcu member of macvlan_port")
Reported-by: syzbot+7182fbe91e58602ec1fe@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=7182fbe91e58602ec1fe
Signed-off-by: Boudewijn van der Heide
---
drivers/net/macvlan.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/net/macvlan.c b/drivers/net/macvlan.c index 7966545512cf..d6e8f7774055 100644 --- a/drivers/net/macvlan.c +++ b/drivers/net/macvlan.c @@ -47,6 +47,7 @@ struct macvlan_port { struct list_head vlans; struct sk_buff_head bc_queue; struct work_struct bc_work; + struct rcu_head rcu; u32 bc_queue_len_used; int bc_cutoff; u32 flags; @@ -1302,7 +1303,7 @@ static void macvlan_port_destroy(struct net_device *d= ev) dev_set_mac_address(port->dev, &ss, NULL); } =20 - kfree(port); + kfree_rcu(port, rcu); } =20 static int macvlan_validate(struct nlattr *tb[], struct nlattr *data[], --=20 2.47.3
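
Review bot: in the struct macvlan_port hunk, the new rcu field sits between bc_work and bc_queue_len_used with no comment saying what it is for, and it shifts bc_queue_len_used, bc_cutoff and flags to new offsets. Consider moving "struct rcu_head rcu;" to the end of the struct, where it leaves the existing layout alone, and adding a short comment that it exists only for the deferred free in macvlan_port_destroy().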
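
Review bot: in the macvlan_port_destroy() hunk, the changelog does not say which reader can still hold port once this function has unregistered the RX handler, the step the commit message itself places before the free. Going by its title, the commit named in Fixes removed the rcu member deliberately, so the message should state why that reasoning fails on the register_netdevice() error path; without that, kfree_rcu(port, rcu) may hide the race syzbot reported rather than close it. Please also confirm that bc_work and bc_queue, visible in the struct in the first hunk, are cancelled and purged before this call, since kfree_rcu() waits only for RCU read-side sections and not for pending work.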