author | Paolo Abeni <pabeni@redhat.com> | 2025-01-14 11:20:06 +0100 |
---|---|---|
committer | Paolo Abeni <pabeni@redhat.com> | 2025-01-14 11:20:07 +0100 |
commit | 0865b9fdb27219db79f3687bc50a0b534b437ee7 (patch) | |
tree | 730ac22f6f3ff63e097c5711d7394d1fe856ec87 /drivers/net/gtp.c | |
parent | 644f9108f3a505022ef43510e5143cb985e0cf8b (diff) | |
parent | ffc90e9ca61b0f619326a1417ff32efd6cc71ed2 (diff) |
Merge branch 'gtp-pfcp-fix-use-after-free-of-udp-tunnel-socket'
Kuniyuki Iwashima says:
====================
gtp/pfcp: Fix use-after-free of UDP tunnel socket.
Xiao Liang pointed out weird netns usages in ->newlink() of
gtp and pfcp.
This series fixes the issues.
Link: https://lore.kernel.org/netdev/20250104125732.17335-1-shaw.leon@gmail.com/
Changes:
v2:
* Patch 1
* Fix uninit/unused local var
v1: https://lore.kernel.org/netdev/20250108062834.11117-1-kuniyu@amazon.com/
====================
Link: https://patch.msgid.link/20250110014754.33847-1-kuniyu@amazon.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Diffstat (limited to 'drivers/net/gtp.c')
-rw-r--r-- | drivers/net/gtp.c | 26 |
1 files changed, 17 insertions, 9 deletions
diff --git a/drivers/net/gtp.c b/drivers/net/gtp.c
index 89a996ad8cd0..fbabada7d3ba 100644
--- a/drivers/net/gtp.c
+++ b/drivers/net/gtp.c
@@ -1524,8 +1524,8 @@ static int gtp_newlink(struct net *src_net, struct net_device *dev,
 goto out_encap;
 }
- gn = net_generic(dev_net(dev), gtp_net_id);
- list_add_rcu(>p->list, &gn->gtp_dev_list);
+ gn = net_generic(src_net, gtp_net_id);
+ list_add(>p->list, &gn->gtp_dev_list);
 dev->priv_destructor = gtp_destructor;
 netdev_dbg(dev, "registered new GTP interface\n");
@@ -1551,7 +1551,7 @@ static void gtp_dellink(struct net_device *dev, struct list_head *head)
 hlist_for_each_entry_safe(pctx, next, >p->tid_hash[i], hlist_tid)
 pdp_context_delete(pctx);
- list_del_rcu(>p->list);
+ list_del(>p->list);
 unregister_netdevice_queue(dev, head);
 }
@@ -2271,16 +2271,19 @@ static int gtp_genl_dump_pdp(struct sk_buff *skb,
 struct gtp_dev *last_gtp = (struct gtp_dev *)cb->args[2], *gtp;
 int i, j, bucket = cb->args[0], skip = cb->args[1];
 struct net *net = sock_net(skb->sk);
+ struct net_device *dev;
 struct pdp_ctx *pctx;
- struct gtp_net *gn;
-
- gn = net_generic(net, gtp_net_id);
 if (cb->args[4])
 return 0;
 rcu_read_lock();
- list_for_each_entry_rcu(gtp, &gn->gtp_dev_list, list) {
+ for_each_netdev_rcu(net, dev) {
+ if (dev->rtnl_link_ops != >p_link_ops)
+ continue;
+
+ gtp = netdev_priv(dev);
+
 if (last_gtp && last_gtp != gtp)
 continue;
 else
@@ -2475,9 +2478,14 @@ static void __net_exit gtp_net_exit_batch_rtnl(struct list_head *net_list,
 list_for_each_entry(net, net_list, exit_list) {
 struct gtp_net *gn = net_generic(net, gtp_net_id);
- struct gtp_dev *gtp;
+ struct gtp_dev *gtp, *gtp_next;
+ struct net_device *dev;
+
+ for_each_netdev(net, dev)
+ if (dev->rtnl_link_ops == >p_link_ops)
+ gtp_dellink(dev, dev_to_kill);
- list_for_each_entry(gtp, &gn->gtp_dev_list, list)
+ list_for_each_entry_safe(gtp, gtp_next, &gn->gtp_dev_list, list)
 gtp_dellink(gtp->dev, dev_to_kill);
 }
 }
|
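Review bot: The switch from `list_add_rcu()` to `list_add()` in gtp_newlink, and from `list_del_rcu()` to `list_del()` in the gtp_dellink hunk, leaves no comment saying what now protects `gn->gtp_dev_list` or which netns the list belongs to. The list head is now looked up through `src_net` rather than `dev_net(dev)`, so a device can sit on the list of a netns it does not reside in; I would add above the `net_generic()` call something like `/* gtp_dev_list is keyed by src_net (presumably the netns owning the UDP sockets) and is only walked under RTNL; no RCU readers remain. */`. That statement holds for the readers visible in this diff, so any other walker of the list elsewhere in the file should be checked before relying on it. gtp_newlink's body starts and ends outside the hunk.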
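Review bot: The new `for_each_netdev_rcu()` walk in gtp_genl_dump_pdp carries no comment explaining why devices are found through the netdev list and filtered on `rtnl_link_ops` instead of through `gn->gtp_dev_list`. Because the other hunks drop the RCU list primitives on that list, a later cleanup that switches this loop back would reintroduce an unsafe RCU reader; a line such as `/* gn->gtp_dev_list is not RCU-safe and is keyed by the creating netns, so walk this netns's devices instead. */` above the loop would record the constraint. Note also that the dump now selects devices by residency in the requester's netns rather than by list membership. The function body continues outside the hunk.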
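Review bot: A device can be reached by both loops in gtp_net_exit_batch_rtnl when two netns exit in the same batch: once through the `gn->gtp_dev_list` walk of the netns it was created from, and again through `for_each_netdev()` of the netns it resides in. Each visit calls gtp_dellink(), which after this diff does a plain `list_del()` on the device's list entry, so the second call would operate on an already-unlinked, poisoned entry (assuming unregister_netdevice_queue() only queues the device and leaves it on the netns device list until the batch is processed). Making the unlink idempotent with `list_del_init(&gtp->list);` in gtp_dellink, or skipping devices already queued for unregistration, would close that, and a short comment on why both loops are needed would help the next reader. The function's opening lines are outside the hunk.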