From nobody Mon Jun 22 19:20:38 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id F163FC433FE for ; Fri, 18 Mar 2022 01:40:32 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231562AbiCRBls (ORCPT ); Thu, 17 Mar 2022 21:41:48 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51580 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229642AbiCRBlq (ORCPT ); Thu, 17 Mar 2022 21:41:46 -0400 Received: from szxga02-in.huawei.com (szxga02-in.huawei.com [45.249.212.188]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 929C51B087C; Thu, 17 Mar 2022 18:40:28 -0700 (PDT) Received: from canpemm500006.china.huawei.com (unknown [172.30.72.54]) by szxga02-in.huawei.com (SkyGuard) with ESMTP id 4KKRVS352nzCqn7; Fri, 18 Mar 2022 09:38:24 +0800 (CST) Received: from localhost.localdomain (10.175.104.82) by canpemm500006.china.huawei.com (7.192.105.130) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2308.21; Fri, 18 Mar 2022 09:40:26 +0800 From: Ziyang Xuan To: , , CC: , , , , Subject: [PATCH net-next v2 1/3] net: ipvlan: fix potential UAF problem for phy_dev Date: Fri, 18 Mar 2022 09:57:47 +0800 Message-ID: <83116bde1ddf39420e24466684c9488bff46f43c.1647568181.git.william.xuanziyang@huawei.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Originating-IP: [10.175.104.82] X-ClientProxiedBy: dggems701-chm.china.huawei.com (10.3.19.178) To canpemm500006.china.huawei.com (7.192.105.130) X-CFilter-Loop: Reflected Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" Add the reference operation to phy_dev of ipvlan to avoid the potential UAF problem under the following known scenario: Someone module puts the NETDEV_UNREGISTER event handler to a work, and phy_dev is accessed in the work handler. But when the work is excuted, phy_dev has been destroyed because upper ipvlan did not get reference to phy_dev correctly. That likes as the scenario occurred by commit 563bcbae3ba2 ("net: vlan: fix a UAF in vlan_dev_real_dev()"). Fixes: 2ad7bf363841 ("ipvlan: Initial check-in of the IPVLAN driver.") Signed-off-by: Ziyang Xuan --- drivers/net/ipvlan/ipvlan_main.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/drivers/net/ipvlan/ipvlan_main.c b/drivers/net/ipvlan/ipvlan_m= ain.c index 696e245f6d00..dcdc01403f22 100644 --- a/drivers/net/ipvlan/ipvlan_main.c +++ b/drivers/net/ipvlan/ipvlan_main.c @@ -158,6 +158,10 @@ static int ipvlan_init(struct net_device *dev) } port =3D ipvlan_port_get_rtnl(phy_dev); port->count +=3D 1; + + /* Get ipvlan's reference to phy_dev */ + dev_hold(phy_dev); + return 0; } =20 @@ -665,6 +669,14 @@ void ipvlan_link_delete(struct net_device *dev, struct= list_head *head) } EXPORT_SYMBOL_GPL(ipvlan_link_delete); =20 +static void ipvlan_dev_free(struct net_device *dev) +{ + struct ipvl_dev *ipvlan =3D netdev_priv(dev); + + /* Get rid of the ipvlan's reference to phy_dev */ + dev_put(ipvlan->phy_dev); +} + void ipvlan_link_setup(struct net_device *dev) { ether_setup(dev); @@ -674,6 +686,7 @@ void ipvlan_link_setup(struct net_device *dev) dev->priv_flags |=3D IFF_UNICAST_FLT | IFF_NO_QUEUE; dev->netdev_ops =3D &ipvlan_netdev_ops; dev->needs_free_netdev =3D true; + dev->priv_destructor =3D ipvlan_dev_free; dev->header_ops =3D &ipvlan_header_ops; dev->ethtool_ops =3D &ipvlan_ethtool_ops; } --=20 2.25.1 From nobody Mon Jun 22 19:20:38 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id E3A10C433F5 for ; Fri, 18 Mar 2022 01:41:37 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231584AbiCRBmx (ORCPT ); Thu, 17 Mar 2022 21:42:53 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:55350 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231575AbiCRBmt (ORCPT ); Thu, 17 Mar 2022 21:42:49 -0400 Received: from szxga01-in.huawei.com (szxga01-in.huawei.com [45.249.212.187]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 1A90C2EE962; Thu, 17 Mar 2022 18:41:31 -0700 (PDT) Received: from canpemm500006.china.huawei.com (unknown [172.30.72.53]) by szxga01-in.huawei.com (SkyGuard) with ESMTP id 4KKRZ02Y1Yzcb3x; Fri, 18 Mar 2022 09:41:28 +0800 (CST) Received: from localhost.localdomain (10.175.104.82) by canpemm500006.china.huawei.com (7.192.105.130) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2308.21; Fri, 18 Mar 2022 09:41:29 +0800 From: Ziyang Xuan To: , , CC: , , , , Subject: [PATCH net-next v2 2/3] net: ipvlan: add net device refcount tracker Date: Fri, 18 Mar 2022 09:59:13 +0800 Message-ID: X-Mailer: git-send-email 2.25.1 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Originating-IP: [10.175.104.82] X-ClientProxiedBy: dggems705-chm.china.huawei.com (10.3.19.182) To canpemm500006.china.huawei.com (7.192.105.130) X-CFilter-Loop: Reflected Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" Add net device refcount tracker to ipvlan. Signed-off-by: Ziyang Xuan --- drivers/net/ipvlan/ipvlan.h | 1 + drivers/net/ipvlan/ipvlan_main.c | 4 ++-- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/drivers/net/ipvlan/ipvlan.h b/drivers/net/ipvlan/ipvlan.h index 3837c897832e..6605199305b7 100644 --- a/drivers/net/ipvlan/ipvlan.h +++ b/drivers/net/ipvlan/ipvlan.h @@ -64,6 +64,7 @@ struct ipvl_dev { struct list_head pnode; struct ipvl_port *port; struct net_device *phy_dev; + netdevice_tracker dev_tracker; struct list_head addrs; struct ipvl_pcpu_stats __percpu *pcpu_stats; DECLARE_BITMAP(mac_filters, IPVLAN_MAC_FILTER_SIZE); diff --git a/drivers/net/ipvlan/ipvlan_main.c b/drivers/net/ipvlan/ipvlan_m= ain.c index dcdc01403f22..be06f122092e 100644 --- a/drivers/net/ipvlan/ipvlan_main.c +++ b/drivers/net/ipvlan/ipvlan_main.c @@ -160,7 +160,7 @@ static int ipvlan_init(struct net_device *dev) port->count +=3D 1; =20 /* Get ipvlan's reference to phy_dev */ - dev_hold(phy_dev); + dev_hold_track(phy_dev, &ipvlan->dev_tracker, GFP_KERNEL); =20 return 0; } @@ -674,7 +674,7 @@ static void ipvlan_dev_free(struct net_device *dev) struct ipvl_dev *ipvlan =3D netdev_priv(dev); =20 /* Get rid of the ipvlan's reference to phy_dev */ - dev_put(ipvlan->phy_dev); + dev_put_track(ipvlan->phy_dev, &ipvlan->dev_tracker); } =20 void ipvlan_link_setup(struct net_device *dev) --=20 2.25.1 From nobody Mon Jun 22 19:20:38 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 55E43C433EF for ; Fri, 18 Mar 2022 01:42:14 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231589AbiCRBn3 (ORCPT ); Thu, 17 Mar 2022 21:43:29 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:56088 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230512AbiCRBn2 (ORCPT ); Thu, 17 Mar 2022 21:43:28 -0400 Received: from szxga08-in.huawei.com (szxga08-in.huawei.com [45.249.212.255]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 1F6C42EE962; Thu, 17 Mar 2022 18:42:11 -0700 (PDT) Received: from canpemm500006.china.huawei.com (unknown [172.30.72.54]) by szxga08-in.huawei.com (SkyGuard) with ESMTP id 4KKRZl6dZ2z1GCQ9; Fri, 18 Mar 2022 09:42:07 +0800 (CST) Received: from localhost.localdomain (10.175.104.82) by canpemm500006.china.huawei.com (7.192.105.130) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2308.21; Fri, 18 Mar 2022 09:42:08 +0800 From: Ziyang Xuan To: , , CC: , , , , Subject: [PATCH net-next v2 3/3] net: ipvtap: fix error comments Date: Fri, 18 Mar 2022 09:59:52 +0800 Message-ID: <4187107e37a18da54369f5fe867ece77e29fc3bb.1647568181.git.william.xuanziyang@huawei.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Originating-IP: [10.175.104.82] X-ClientProxiedBy: dggems701-chm.china.huawei.com (10.3.19.178) To canpemm500006.china.huawei.com (7.192.105.130) X-CFilter-Loop: Reflected Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" Use "macvlan" comment inappropriately in ipvtap module. Fix them with "ipvlan" comment. Fixes: 235a9d89da97 ("ipvtap: IP-VLAN based tap driver") Signed-off-by: Ziyang Xuan --- drivers/net/ipvlan/ipvtap.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/net/ipvlan/ipvtap.c b/drivers/net/ipvlan/ipvtap.c index ef02f2cf5ce1..c130cfb30822 100644 --- a/drivers/net/ipvlan/ipvtap.c +++ b/drivers/net/ipvlan/ipvtap.c @@ -83,7 +83,7 @@ static int ipvtap_newlink(struct net *src_net, struct net= _device *dev, =20 INIT_LIST_HEAD(&vlantap->tap.queue_list); =20 - /* Since macvlan supports all offloads by default, make + /* Since ipvlan supports all offloads by default, make * tap support all offloads also. */ vlantap->tap.tap_features =3D TUN_OFFLOADS; @@ -95,7 +95,7 @@ static int ipvtap_newlink(struct net *src_net, struct net= _device *dev, if (err) return err; =20 - /* Don't put anything that may fail after macvlan_common_newlink + /* Don't put anything that may fail after ipvlan_link_new * because we can't undo what it does. */ err =3D ipvlan_link_new(src_net, dev, tb, data, extack); --=20 2.25.1