ACK: [SRU][J/N/Q][PATCH 0/1] macvlan: observe an RCU grace period in macvlan_common_newlink() error path
Yufeng Gao
yufeng.gao at canonical.com
Mon Mar 16 01:48:11 UTC 2026
On 14/3/26 10:11, Ian Whitfield wrote:
> BugLink: https://bugs.launchpad.net/bugs/2144380
>
> [Impact]
>
> This is a follow-up fix to the CVE-2026-23209 fix already applied to the
> Jammy, Noble, and Questing trees. The ESM kernel trees did not already get the
> CVE-2026-23209 fix applied, so the follow-up was added in the initial patchset
> for those kernels, and this LP bug is not needed there. For generally available
> kernels, this LP bug was made to specifically track the follow-up being applied.
>
> Commit message of the follow-up:
>
> macvlan_common_newlink() might have made @dev visible before
> detecting an error, and its caller will directly call free_netdev(dev).
>
> We must respect an RCU period, either in macvlan or the core networking
> stack.
>
> After adding a temporary mdelay(1000) in macvlan_forward_source_one()
> to open the race window, valis repro was:
>
> ip link add p1 type veth peer p2
> ip link set address 00:00:00:00:00:20 dev p1
> ip link set up dev p1
> ip link set up dev p2
> ip link add mv0 link p2 type macvlan mode source
>
> (ip link add invalid% link p2 type macvlan mode source macaddr add
> 00:00:00:00:00:20 &) ; sleep 0.5 ; ping -c1 -I p1 1.2.3.4
> PING 1.2.3.4 (1.2.3.4): 56 data bytes
> RTNETLINK answers: Invalid argument
>
> BUG: KASAN: slab-use-after-free in macvlan_forward_source
> (drivers/net/macvlan.c:408 drivers/net/macvlan.c:444)
> Read of size 8 at addr ffff888016bb89c0 by task e/175
>
> CPU: 1 UID: 1000 PID: 175 Comm: e Not tainted 6.19.0-rc8+ #33 NONE
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014
> Call Trace:
> <IRQ>
> dump_stack_lvl (lib/dump_stack.c:123)
> print_report (mm/kasan/report.c:379 mm/kasan/report.c:482)
> ? macvlan_forward_source (drivers/net/macvlan.c:408 drivers/net/macvlan.c:444)
> kasan_report (mm/kasan/report.c:597)
> ? macvlan_forward_source (drivers/net/macvlan.c:408 drivers/net/macvlan.c:444)
> macvlan_forward_source (drivers/net/macvlan.c:408 drivers/net/macvlan.c:444)
> ? tasklet_init (kernel/softirq.c:983)
> macvlan_handle_frame (drivers/net/macvlan.c:501)
>
> Allocated by task 169:
> kasan_save_stack (mm/kasan/common.c:58)
> kasan_save_track (./arch/x86/include/asm/current.h:25
> mm/kasan/common.c:70 mm/kasan/common.c:79)
> __kasan_kmalloc (mm/kasan/common.c:419)
> __kvmalloc_node_noprof (./include/linux/kasan.h:263 mm/slub.c:5657
> mm/slub.c:7140)
> alloc_netdev_mqs (net/core/dev.c:12012)
> rtnl_create_link (net/core/rtnetlink.c:3648)
> rtnl_newlink (net/core/rtnetlink.c:3830 net/core/rtnetlink.c:3957
> net/core/rtnetlink.c:4072)
> rtnetlink_rcv_msg (net/core/rtnetlink.c:6958)
> netlink_rcv_skb (net/netlink/af_netlink.c:2550)
> netlink_unicast (net/netlink/af_netlink.c:1319 net/netlink/af_netlink.c:1344)
> netlink_sendmsg (net/netlink/af_netlink.c:1894)
> __sys_sendto (net/socket.c:727 net/socket.c:742 net/socket.c:2206)
> __x64_sys_sendto (net/socket.c:2209)
> do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)
> entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:131)
>
> Freed by task 169:
> kasan_save_stack (mm/kasan/common.c:58)
> kasan_save_track (./arch/x86/include/asm/current.h:25
> mm/kasan/common.c:70 mm/kasan/common.c:79)
> kasan_save_free_info (mm/kasan/generic.c:587)
> __kasan_slab_free (mm/kasan/common.c:287)
> kfree (mm/slub.c:6674 mm/slub.c:6882)
> rtnl_newlink (net/core/rtnetlink.c:3845 net/core/rtnetlink.c:3957
> net/core/rtnetlink.c:4072)
> rtnetlink_rcv_msg (net/core/rtnetlink.c:6958)
> netlink_rcv_skb (net/netlink/af_netlink.c:2550)
> netlink_unicast (net/netlink/af_netlink.c:1319 net/netlink/af_netlink.c:1344)
> netlink_sendmsg (net/netlink/af_netlink.c:1894)
> __sys_sendto (net/socket.c:727 net/socket.c:742 net/socket.c:2206)
> __x64_sys_sendto (net/socket.c:2209)
> do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)
> entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:131)
>
> [Backport]
>
> The patch was applied cleanly.
>
> [Fix]
>
> Questing: Cherry-pick
> Noble: Cherry-pick
> Jammy: Cherry-pick
> Focal: Included in initial CVE-2026-23209 patchset
> Bionic: Included in initial CVE-2026-23209 patchset
> Xenial: not affected
> Trusty: not affected
>
> [Test Case]
>
> Compile and boot tested.
>
> [Where problems could occur]
>
> This fix affects those who use MAC-VLAN to create virtual interfaces that map
> packets to or from specific MAC addresses to a particular interface. An issue
> with this fix would be visible to the user via a kernel crash or networking
> issues with virtual interfaces (containers/VMs).
>
> Eric Dumazet (1):
> macvlan: observe an RCU grace period in macvlan_common_newlink() error
> path
>
> drivers/net/macvlan.c | 5 +++++
> 1 file changed, 5 insertions(+)
>
Acked-by: Yufeng Gao <yufeng.gao at canonical.com>