Commit f6478218 authored by Herbert Xu's avatar Herbert Xu Committed by David S. Miller

macvlan: Fix device ref leak when purging bc_queue

When a parent macvlan device is destroyed we end up purging its
broadcast queue without dropping the device reference count on
the packet source device.  This causes the source device to linger.

This patch drops that reference count.

Fixes: 260916df ("macvlan: Fix potential use-after free for...")
Reported-by: default avatarJoe Ghalam <Joe.Ghalam@dell.com>
Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 6f2aee0c
...@@ -1139,6 +1139,7 @@ static int macvlan_port_create(struct net_device *dev) ...@@ -1139,6 +1139,7 @@ static int macvlan_port_create(struct net_device *dev)
static void macvlan_port_destroy(struct net_device *dev) static void macvlan_port_destroy(struct net_device *dev)
{ {
struct macvlan_port *port = macvlan_port_get_rtnl(dev); struct macvlan_port *port = macvlan_port_get_rtnl(dev);
struct sk_buff *skb;
dev->priv_flags &= ~IFF_MACVLAN_PORT; dev->priv_flags &= ~IFF_MACVLAN_PORT;
netdev_rx_handler_unregister(dev); netdev_rx_handler_unregister(dev);
...@@ -1147,7 +1148,15 @@ static void macvlan_port_destroy(struct net_device *dev) ...@@ -1147,7 +1148,15 @@ static void macvlan_port_destroy(struct net_device *dev)
* but we need to cancel it and purge left skbs if any. * but we need to cancel it and purge left skbs if any.
*/ */
cancel_work_sync(&port->bc_work); cancel_work_sync(&port->bc_work);
__skb_queue_purge(&port->bc_queue);
while ((skb = __skb_dequeue(&port->bc_queue))) {
const struct macvlan_dev *src = MACVLAN_SKB_CB(skb)->src;
if (src)
dev_put(src->dev);
kfree_skb(skb);
}
kfree(port); kfree(port);
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment