diff options
author | Patrick McHardy <kaber@trash.net> | 2008-01-20 17:25:14 -0800 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2008-01-20 20:31:45 -0800 |
commit | 68365458a4252fa993b91a00f7a0b18fed399f0d (patch) | |
tree | 824b1f32ba3b955c018626127602c365f986ccfc /net/core/rtnetlink.c | |
parent | d4782c323d10d3698b71b6a6b3c7bdad33824658 (diff) | |
download | op-kernel-dev-68365458a4252fa993b91a00f7a0b18fed399f0d.zip op-kernel-dev-68365458a4252fa993b91a00f7a0b18fed399f0d.tar.gz |
[NET]: rtnl_link: fix use-after-free
When unregistering the rtnl_link_ops, all existing devices using
the ops are destroyed. With nested devices this may lead to a
use-after-free despite the use of for_each_netdev_safe() in case
the upper device is next in the device list and is destroyed
by the NETDEV_UNREGISTER notifier.
The easy fix is to restart scanning the device list after removing
a device. Alternatively we could add new devices to the front of
the list to avoid having dependant devices follow the device they
depend on. A third option would be to only restart scanning if
dev->iflink of the next device matches dev->ifindex of the current
one. For now this seems like the safest solution.
With this patch, the veth rtnl_link_ops unregistration can use
rtnl_link_unregister() directly since it now also handles destruction
of multiple devices at once.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/core/rtnetlink.c')
-rw-r--r-- | net/core/rtnetlink.c | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c index e1ba26f..fed95a3 100644 --- a/net/core/rtnetlink.c +++ b/net/core/rtnetlink.c @@ -308,9 +308,12 @@ void __rtnl_link_unregister(struct rtnl_link_ops *ops) struct net *net; for_each_net(net) { +restart: for_each_netdev_safe(net, dev, n) { - if (dev->rtnl_link_ops == ops) + if (dev->rtnl_link_ops == ops) { ops->dellink(dev); + goto restart; + } } } list_del(&ops->list); |