• E
    macvlan: Fix use after free of struct macvlan_port. · d5cd9244
    Eric W. Biederman 提交于
    When the macvlan driver was extended to call unregisgter_netdevice_queue
    in 23289a37, a use after free of struct
    macvlan_port was introduced.  The code in dellink relied on unregister_netdevice
    actually unregistering the net device so it would be safe to free macvlan_port.
    
    Since unregister_netdevice_queue can just queue up the unregister instead of
    performing the unregiser immediately we free the macvlan_port too soon and
    then the code in macvlan_stop removes the macaddress for the set of macaddress
    to listen for and uses memory that has already been freed.
    
    To fix this add a reference count to track when it is safe to free the macvlan_port
    and move the call of macvlan_port_destroy into macvlan_uninit which is guaranteed
    to be called after the final macvlan_port_close.
    Signed-off-by: NEric W. Biederman <ebiederm@aristanetworks.com>
    Signed-off-by: NDavid S. Miller <davem@davemloft.net>
    d5cd9244
macvlan.c 21.8 KB