macvlan: Fix device ref leak when purging bc_queue

[ Upstream commit f6478218e6edc2a587b8f132f66373baa7b2497c ] When a parent macvlan device is destroyed we end up purging its broadcast queue without dropping the device reference count on the packet source device. This causes the source device to linger. This patch drops that reference count. Fixes: 260916dfb48c ("macvlan: Fix potential use-after free for...") Reported-by: Joe Ghalam <Joe.Ghalam@dell.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: Herbert Xu <herbert@gondor.apana.org.au> 2017-04-20 08:55:12 -0400
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2017-05-03 11:36:37 -0400
commit: ae88c43c019f5f6f5390e42e62fbc762c52bbe9b (patch)
tree: 309f03bc2cab3877433c6959c30c798b66a9d5ad
parent: 7bf657201c211fde8002a82c6c0d7f0b3082fb97 (diff)
1 files changed, 10 insertions, 1 deletions
diff --git a/drivers/net/macvlan.c b/drivers/net/macvlan.c
index 26d6f0bbe14b..dc8ccac0a01d 100644
--- a/drivers/net/macvlan.c
+++ b/drivers/net/macvlan.c
@@ -1140,6 +1140,7 @@ static int macvlan_port_create(struct net_device *dev)
 static void macvlan_port_destroy(struct net_device *dev)
 {
        struct macvlan_port *port = macvlan_port_get_rtnl(dev);
+        struct sk_buff *skb;
        dev->priv_flags &= ~IFF_MACVLAN_PORT;
        netdev_rx_handler_unregister(dev);
@@ -1148,7 +1149,15 @@ static void macvlan_port_destroy(struct net_device *dev)
         * but we need to cancel it and purge left skbs if any.
         */
        cancel_work_sync(&port->bc_work);
-        __skb_queue_purge(&port->bc_queue);
+        while ((skb = __skb_dequeue(&port->bc_queue))) {
+                const struct macvlan_dev *src = MACVLAN_SKB_CB(skb)->src;
+                if (src)
+                        dev_put(src->dev);
+                kfree_skb(skb);
+        }
        kfree_rcu(port, rcu);
 }
author	Herbert Xu <herbert@gondor.apana.org.au>	2017-04-20 08:55:12 -0400
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2017-05-03 11:36:37 -0400
commit	ae88c43c019f5f6f5390e42e62fbc762c52bbe9b (patch)
tree	309f03bc2cab3877433c6959c30c798b66a9d5ad
parent	7bf657201c211fde8002a82c6c0d7f0b3082fb97 (diff)

diff --git a/drivers/net/macvlan.c b/drivers/net/macvlan.c index 26d6f0bbe14b..dc8ccac0a01d 100644 --- a/drivers/net/macvlan.c +++ b/drivers/net/macvlan.c
@@ -1140,6 +1140,7 @@ static int macvlan_port_create(struct net_device *dev)
1140	static void macvlan_port_destroy(struct net_device *dev)	1140	static void macvlan_port_destroy(struct net_device *dev)
1141	{	1141	{
1142	struct macvlan_port *port = macvlan_port_get_rtnl(dev);	1142	struct macvlan_port *port = macvlan_port_get_rtnl(dev);
		1143	struct sk_buff *skb;
1143		1144
1144	dev->priv_flags &= ~IFF_MACVLAN_PORT;	1145	dev->priv_flags &= ~IFF_MACVLAN_PORT;
1145	netdev_rx_handler_unregister(dev);	1146	netdev_rx_handler_unregister(dev);
@@ -1148,7 +1149,15 @@ static void macvlan_port_destroy(struct net_device *dev)
1148	* but we need to cancel it and purge left skbs if any.	1149	* but we need to cancel it and purge left skbs if any.
1149	*/	1150	*/
1150	cancel_work_sync(&port->bc_work);	1151	cancel_work_sync(&port->bc_work);
1151	__skb_queue_purge(&port->bc_queue);	1152
		1153	while ((skb = __skb_dequeue(&port->bc_queue))) {
		1154	const struct macvlan_dev *src = MACVLAN_SKB_CB(skb)->src;
		1155
		1156	if (src)
		1157	dev_put(src->dev);
		1158
		1159	kfree_skb(skb);
		1160	}
1152		1161
1153	kfree_rcu(port, rcu);	1162	kfree_rcu(port, rcu);
1154	}	1163	}