diff mbox series

[net-next] ipv6/addrconf: ensure addrconf_verify_rtnl() has completed

Message ID 20220216182037.3742-1-eric.dumazet@gmail.com (mailing list archive)
State Accepted
Commit be6b41c15dc09c067492bd23668763f551747e4e
Delegated to: Netdev Maintainers
Headers show
Series [net-next] ipv6/addrconf: ensure addrconf_verify_rtnl() has completed | expand

Checks

Context Check Description
netdev/tree_selection success Clearly marked for net-next
netdev/fixes_present success Fixes tag not required for -next series
netdev/subject_prefix success Link
netdev/cover_letter success Single patches do not need cover letters
netdev/patch_count success Link
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 0 this patch: 0
netdev/cc_maintainers warning 1 maintainers not CCed: yoshfuji@linux-ipv6.org
netdev/build_clang success Errors and warnings before: 0 this patch: 0
netdev/module_param success Was 0 now: 0
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/verify_fixes success Fixes tag looks correct
netdev/build_allmodconfig_warn success Errors and warnings before: 0 this patch: 0
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 8 lines checked
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0

Commit Message

Eric Dumazet Feb. 16, 2022, 6:20 p.m. UTC 
From: Eric Dumazet <edumazet@google.com>

Before freeing the hash table in addrconf_exit_net(),
we need to make sure the work queue has completed,
or risk NULL dereference or UAF.

Thus, use cancel_delayed_work_sync() to enforce this.
We do not hold RTNL in addrconf_exit_net(), making this safe.

Fixes: 8805d13ff1b2 ("ipv6/addrconf: use one delayed work per netns")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
---
 net/ipv6/addrconf.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

David Ahern Feb. 17, 2022, 3:25 a.m. UTC | #1 
On 2/16/22 11:20 AM, Eric Dumazet wrote:
> From: Eric Dumazet <edumazet@google.com>
> 
> Before freeing the hash table in addrconf_exit_net(),
> we need to make sure the work queue has completed,
> or risk NULL dereference or UAF.
> 
> Thus, use cancel_delayed_work_sync() to enforce this.
> We do not hold RTNL in addrconf_exit_net(), making this safe.
> 
> Fixes: 8805d13ff1b2 ("ipv6/addrconf: use one delayed work per netns")
> Signed-off-by: Eric Dumazet <edumazet@google.com>
> Reported-by: syzbot <syzkaller@googlegroups.com>
> ---
>  net/ipv6/addrconf.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 

Reviewed-by: David Ahern <dsahern@kernel.org>
patchwork-bot+netdevbpf@kernel.org Feb. 17, 2022, 4:50 p.m. UTC | #2 
Hello:

This patch was applied to netdev/net-next.git (master)
by Jakub Kicinski <kuba@kernel.org>:

On Wed, 16 Feb 2022 10:20:37 -0800 you wrote:
> From: Eric Dumazet <edumazet@google.com>
> 
> Before freeing the hash table in addrconf_exit_net(),
> we need to make sure the work queue has completed,
> or risk NULL dereference or UAF.
> 
> Thus, use cancel_delayed_work_sync() to enforce this.
> We do not hold RTNL in addrconf_exit_net(), making this safe.
> 
> [...]

Here is the summary with links:
  - [net-next] ipv6/addrconf: ensure addrconf_verify_rtnl() has completed
    https://git.kernel.org/netdev/net-next/c/be6b41c15dc0

You are awesome, thank you!
diff mbox series

Patch

diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
index 57fbd6f03ff8d118e50d8aa6ea0ab938a1bb3cbc..44e164706340959b85f8f2d5d562caf8e37aea67 100644
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -7187,7 +7187,7 @@  static void __net_exit addrconf_exit_net(struct net *net)
 	kfree(net->ipv6.devconf_all);
 	net->ipv6.devconf_all = NULL;
 
-	cancel_delayed_work(&net->ipv6.addr_chk_work);
+	cancel_delayed_work_sync(&net->ipv6.addr_chk_work);
 	/*
 	 *	Check hash table, then free it.
 	 */