[SRU][J/N/Q][PATCH 1/1] macvlan: fix error recovery in macvlan_common_newlink()
Ian Whitfield
ian.whitfield at canonical.com
Fri Feb 20 15:59:26 UTC 2026
On Fri, Feb 20, 2026 at 03:06:56PM +0100, Stefan Bader wrote:
> On 19/02/2026 21:08, Ian Whitfield wrote:
> > From: Eric Dumazet <edumazet at google.com>
> >
> > valis provided a nice repro to crash the kernel:
> >
> > ip link add p1 type veth peer p2
> > ip link set address 00:00:00:00:00:20 dev p1
> > ip link set up dev p1
> > ip link set up dev p2
> >
> > ip link add mv0 link p2 type macvlan mode source
> > ip link add invalid% link p2 type macvlan mode source macaddr add 00:00:00:00:00:20
> >
> > ping -c1 -I p1 1.2.3.4
> >
> > He also gave a very detailed analysis:
> >
> > <quote valis>
> >
> > The issue is triggered when a new macvlan link is created with
> > MACVLAN_MODE_SOURCE mode and MACVLAN_MACADDR_ADD (or
> > MACVLAN_MACADDR_SET) parameter, lower device already has a macvlan
> > port and register_netdevice() called from macvlan_common_newlink()
> > fails (e.g. because of the invalid link name).
> >
> > In this case macvlan_hash_add_source is called from
> > macvlan_change_sources() / macvlan_common_newlink():
> >
> > This adds a reference to vlan to the port's vlan_source_hash using
> > macvlan_source_entry.
> >
> > vlan is a pointer to the priv data of the link that is being created.
> >
> > When register_netdevice() fails, the error is returned from
> > macvlan_newlink() to rtnl_newlink_create():
> >
> > if (ops->newlink)
> > err = ops->newlink(dev, ¶ms, extack);
> > else
> > err = register_netdevice(dev);
> > if (err < 0) {
> > free_netdev(dev);
> > goto out;
> > }
> >
> > and free_netdev() is called, causing a kvfree() on the struct
> > net_device that is still referenced in the source entry attached to
> > the lower device's macvlan port.
> >
> > Now all packets sent on the macvlan port with a matching source mac
> > address will trigger a use-after-free in macvlan_forward_source().
> >
> > </quote valis>
> >
> > With all that, my fix is to make sure we call macvlan_flush_sources()
> > regardless of @create value whenever "goto destroy_macvlan_port;"
> > path is taken.
> >
> > Many thanks to valis for following up on this issue.
> >
> > Fixes: aa5fd0fb7748 ("driver: macvlan: Destroy new macvlan port if macvlan_common_newlink failed.")
> > Signed-off-by: Eric Dumazet <edumazet at google.com>
> > Reported-by: valis <sec at valis.email>
> > Reported-by: syzbot+7182fbe91e58602ec1fe at syzkaller.appspotmail.com
> > Closes: https: //lore.kernel.org/netdev/695fb1e8.050a0220.1c677c.039f.GAE at google.com/T/#u
> > Cc: Boudewijn van der Heide <boudewijn at delta-utec.com>
> > Link: https://patch.msgid.link/20260129204359.632556-1-edumazet@google.com
> > Signed-off-by: Jakub Kicinski <kuba at kernel.org>
> > (cherry picked from commit f8db6475a83649689c087a8f52486fcc53e627e9)
>
> It might prove dangerous to rely on people spotting below and realizing it
> needs no BugLink. And some are rather insistant on a cover-email these
> days...
>
>
>
> -Stefan
Hi Stefan, I sent a cover letter, perhaps it didn't reach
you or I'm misunderstanding? I can see it on the web archive:
https://lists.ubuntu.com/archives/kernel-team/2026-February/165936.html
-Ian
> > CVE-2026-23209
> > Signed-off-by: Ian Whitfield <ian.whitfield at canonical.com>
> > ---
> > drivers/net/macvlan.c | 5 +++--
> > 1 file changed, 3 insertions(+), 2 deletions(-)
> >
> > diff --git a/drivers/net/macvlan.c b/drivers/net/macvlan.c
> > index cb349b99ea2a2..7e31b02c870e9 100644
> > --- a/drivers/net/macvlan.c
> > +++ b/drivers/net/macvlan.c
> > @@ -1475,9 +1475,10 @@ int macvlan_common_newlink(struct net *src_net, struct net_device *dev,
> > /* the macvlan port may be freed by macvlan_uninit when fail to register.
> > * so we destroy the macvlan port only when it's valid.
> > */
> > - if (create && macvlan_port_get_rtnl(lowerdev)) {
> > + if (macvlan_port_get_rtnl(lowerdev)) {
> > macvlan_flush_sources(port, vlan);
> > - macvlan_port_destroy(port->dev);
> > + if (create)
> > + macvlan_port_destroy(port->dev);
> > }
> > return err;
> > }
>
More information about the kernel-team
mailing list