[3.8.y.z extended stable] Patch "ip6tnl: fix use after free of fb_tnl_dev" has been added to staging queue
Kamal Mostafa
kamal at canonical.com
Fri Dec 20 20:20:29 UTC 2013
This is a note to let you know that I have just added a patch titled
ip6tnl: fix use after free of fb_tnl_dev
to the linux-3.8.y-queue branch of the 3.8.y.z extended stable tree
which can be found at:
http://kernel.ubuntu.com/git?p=ubuntu/linux.git;a=shortlog;h=refs/heads/linux-3.8.y-queue
This patch is scheduled to be released in version 3.8.13.15.
If you, or anyone else, feels it should not be added to this tree, please
reply to this email.
For more information about the 3.8.y.z tree, see
https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable
Thanks.
-Kamal
------
>From c2a0107c238b1ef46c8c33be512073fbf3aedf3e Mon Sep 17 00:00:00 2001
From: Nicolas Dichtel <nicolas.dichtel at 6wind.com>
Date: Fri, 13 Dec 2013 10:06:35 +0100
Subject: ip6tnl: fix use after free of fb_tnl_dev
The upstream commit bb8140947a24 ("ip6tnl: allow to use rtnl ops on fb tunnel")
(backported into linux-3.10.y) left a bug which was fixed upstream by commit
1e9f3d6f1c40 ("ip6tnl: fix use after free of fb_tnl_dev").
The problem is a bit different in linux-3.10.y, because there is no x-netns
support (upstream commit 0bd8762824e7 ("ip6tnl: add x-netns support")).
When ip6_tunnel.ko is unloaded, FB device is deleted by rtnl_link_unregister()
and then we try to delete it again in ip6_tnl_destroy_tunnels().
This patch removes the second deletion.
Reported-by: Steven Rostedt <rostedt at goodmis.org>
Suggested-by: Steven Rostedt <rostedt at goodmis.org>
Signed-off-by: Nicolas Dichtel <nicolas.dichtel at 6wind.com>
Cc: David Miller <davem at davemloft.net>
Signed-off-by: Luis Henriques <luis.henriques at canonical.com>
Signed-off-by: Kamal Mostafa <kamal at canonical.com>
---
net/ipv6/ip6_tunnel.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c
index a953bfb..fa3fe70 100644
--- a/net/ipv6/ip6_tunnel.c
+++ b/net/ipv6/ip6_tunnel.c
@@ -1725,8 +1725,6 @@ static void __net_exit ip6_tnl_destroy_tunnels(struct ip6_tnl_net *ip6n)
}
}
- t = rtnl_dereference(ip6n->tnls_wc[0]);
- unregister_netdevice_queue(t->dev, &list);
unregister_netdevice_many(&list);
}
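Review bot: After the two removed lines ahead of unregister_netdevice_many(&list), ip6_tnl_destroy_tunnels() no longer queues the device behind ip6n->tnls_wc[0], and nothing at this spot records why. The commit message covers the module-unload path, where rtnl_link_unregister() has already deleted the FB device. But the function is marked __net_exit, so please state in the message, or in a one-line comment here, who unregisters the FB device when a single namespace exits. The message also describes linux-3.10.y while this queue is 3.8.y. It is worth confirming that the backport of bb8140947a24 is present in this tree, because the removal is only correct if something else unregisters that device.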
--
1.8.3.2