archives/linux
1
0
Fork 0
mirror of https://github.com/torvalds/linux.git synced 2026-03-08 03:44:45 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions
linux/net
History
Jiayuan Chen 83b67cc9be linkwatch: use __dev_put() in callers to prevent UAF 
After linkwatch_do_dev() calls __dev_put() to release the linkwatch
reference, the device refcount may drop to 1. At this point,
netdev_run_todo() can proceed (since linkwatch_sync_dev() sees an
empty list and returns without blocking), wait for the refcount to
become 1 via netdev_wait_allrefs_any(), and then free the device
via kobject_put().

This creates a use-after-free when __linkwatch_run_queue() tries to
call netdev_unlock_ops() on the already-freed device.

Note that adding netdev_lock_ops()/netdev_unlock_ops() pair in
netdev_run_todo() before kobject_put() would not work, because
netdev_lock_ops() is conditional - it only locks when
netdev_need_ops_lock() returns true. If the device doesn't require
ops_lock, linkwatch won't hold any lock, and netdev_run_todo()
acquiring the lock won't provide synchronization.

Fix this by moving __dev_put() from linkwatch_do_dev() to its
callers. The device reference logically pairs with de-listing the
device, so it's reasonable for the caller that did the de-listing
to release it. This allows placing __dev_put() after all device
accesses are complete, preventing UAF.

The bug can be reproduced by adding mdelay(2000) after
linkwatch_do_dev() in __linkwatch_run_queue(), then running:

  ip tuntap add mode tun name tun_test
  ip link set tun_test up
  ip link set tun_test carrier off
  ip link set tun_test carrier on
  sleep 0.5
  ip tuntap del mode tun name tun_test

KASAN report:

 ==================================================================
 BUG: KASAN: use-after-free in netdev_need_ops_lock include/net/netdev_lock.h:33 [inline]
 BUG: KASAN: use-after-free in netdev_unlock_ops include/net/netdev_lock.h:47 [inline]
 BUG: KASAN: use-after-free in __linkwatch_run_queue+0x865/0x8a0 net/core/link_watch.c:245
 Read of size 8 at addr ffff88804de5c008 by task kworker/u32:10/8123

 CPU: 0 UID: 0 PID: 8123 Comm: kworker/u32:10 Not tainted syzkaller #0 PREEMPT(full)
 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
 Workqueue: events_unbound linkwatch_event
 Call Trace:
  <TASK>
  __dump_stack lib/dump_stack.c:94 [inline]
  dump_stack_lvl+0x100/0x190 lib/dump_stack.c:120
  print_address_description mm/kasan/report.c:378 [inline]
  print_report+0x156/0x4c9 mm/kasan/report.c:482
  kasan_report+0xdf/0x1a0 mm/kasan/report.c:595
  netdev_need_ops_lock include/net/netdev_lock.h:33 [inline]
  netdev_unlock_ops include/net/netdev_lock.h:47 [inline]
  __linkwatch_run_queue+0x865/0x8a0 net/core/link_watch.c:245
  linkwatch_event+0x8f/0xc0 net/core/link_watch.c:304
  process_one_work+0x9c2/0x1840 kernel/workqueue.c:3257
  process_scheduled_works kernel/workqueue.c:3340 [inline]
  worker_thread+0x5da/0xe40 kernel/workqueue.c:3421
  kthread+0x3b3/0x730 kernel/kthread.c:463
  ret_from_fork+0x754/0xaf0 arch/x86/kernel/process.c:158
  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
  </TASK>
 ==================================================================

Fixes: 04efcee6ef ("net: hold instance lock during NETDEV_CHANGE")
Reported-by: syzbot+1ec2f6a450f0b54af8c8@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/6824d064.a70a0220.3e9d8.001a.GAE@google.com/T/
Signed-off-by: Jiayuan Chen <jiayuan.chen@shopee.com>
Signed-off-by: Jiayuan Chen <jiayuan.chen@linux.dev>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20260201135915.393451-1-jiayuan.chen@linux.dev
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-02-02 16:59:18 -08:00
..
6lowpan net: replace ND_PRINTK with dynamic debug 2025-07-10 15:27:32 -07:00
9p - fix a bug with O_APPEND in cached mode causing data to be written multiple times on server 2025-12-07 08:29:09 -08:00
802 treewide, timers: Rename from_timer() to timer_container_of() 2025-06-08 09:07:37 +02:00
8021q net: vlan: sync VLAN features with lower device 2025-10-31 17:42:35 -07:00
appletalk net: Convert proto_ops connect() callbacks to use sockaddr_unsized 2025-11-04 19:10:32 -08:00
atm Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2025-11-27 12:19:08 -08:00
ax25 net: Convert proto_ops connect() callbacks to use sockaddr_unsized 2025-11-04 19:10:32 -08:00
batman-adv Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2025-10-31 06:46:03 -07:00
bluetooth Bluetooth: MGMT: Fix memory leak in set_ssp_complete 2026-01-22 13:26:53 -05:00
bpf bpf: Fix reference count leak in bpf_prog_test_run_xdp() 2026-01-12 16:37:40 -08:00
bridge net: bridge: fix static key check 2026-01-28 19:34:01 -08:00
caif caif: fix integer underflow in cffrml_receive() 2025-12-11 01:35:41 -08:00
can net: can: j1939: j1939_xtp_rx_rts_session_active(): deactivate session upon receiving the second rts 2026-01-15 09:52:39 +01:00
ceph libceph: make calc_target() set t->paused, not just clear it 2026-01-06 00:39:43 +01:00
core linkwatch: use __dev_put() in callers to prevent UAF 2026-02-02 16:59:18 -08:00
dcb Revert "Documentation: net: add flow control guide and document ethtool API" 2025-10-01 09:48:21 +02:00
devlink tools: ynl-gen: add regeneration comment 2025-11-25 19:20:42 -08:00
dns_resolver net/dns_resolver: use credential guards in dns_query() 2025-11-04 12:36:51 +01:00
dsa net: dsa: fix off-by-one in maximum bridge ID determination 2026-01-21 19:52:29 -08:00
ethernet net: optimize eth_type_trans() vs CONFIG_STACKPROTECTOR_STRONG=y 2025-11-24 19:27:31 -08:00
ethtool ethtool: Avoid overflowing userspace buffer on stats query 2025-12-18 12:24:25 +01:00
handshake net/handshake: Fix null-ptr-deref in handshake_complete() 2025-12-22 12:36:40 +01:00
hsr net/hsr: fix NULL pointer dereference in prp_get_untagged_frame() 2025-12-04 11:15:13 +01:00
ieee802154 net: Convert proto callbacks from sockaddr to sockaddr_unsized 2025-11-04 19:10:33 -08:00
ife
ipv4 net: fix segmentation of forwarding fraglist GRO 2026-01-29 14:40:12 +01:00
ipv6 net: fix segmentation of forwarding fraglist GRO 2026-01-29 14:40:12 +01:00
iucv net: Remove KMSG_COMPONENT macro 2025-11-28 19:20:27 -08:00
kcm Networking changes for 6.19. 2025-12-03 17:24:33 -08:00
key pfkey: Deprecate pfkey 2025-10-30 09:03:12 +01:00
l2tp l2tp: avoid one data-race in l2tp_tunnel_del_work() 2026-01-19 09:55:41 -08:00
l3mdev net: fib_rules: Fix iif / oif matching on L3 master device 2025-04-15 17:54:56 -07:00
lapb treewide, timers: Rename from_timer() to timer_container_of() 2025-06-08 09:07:37 +02:00
llc net: Convert proto_ops connect() callbacks to use sockaddr_unsized 2025-11-04 19:10:32 -08:00
mac80211 wifi: mac80211: correctly decode TTLM with default link map 2026-01-29 11:46:43 +01:00
mac802154
mctp net: mctp: test: move TX packetqueue from dst to dev 2025-12-01 13:52:13 -08:00
mpls mpls: Drop RTNL for RTM_NEWROUTE, RTM_DELROUTE, and RTM_GETROUTE. 2025-11-03 17:40:54 -08:00
mptcp mptcp: only reset subflow errors when propagated 2026-01-28 20:58:50 -08:00
ncsi net: ncsi: Fix buffer overflow in fetching version id 2025-06-12 18:21:59 -07:00
netfilter netfilter: nf_conncount: update last_gc only when GC has been performed 2026-01-02 10:44:28 +01:00
netlabel audit: add record for multiple task security contexts 2025-08-30 10:15:30 -04:00
netlink net: Convert proto_ops connect() callbacks to use sockaddr_unsized 2025-11-04 19:10:32 -08:00
netrom netrom: fix double-free in nr_route_frame() 2026-01-20 19:15:40 -08:00
nfc nfc: nci: Fix race between rfkill and nci_unregister_device(). 2026-01-28 19:32:26 -08:00
nsh
openvswitch net: openvswitch: fix data race in ovs_vport_get_upcall_stats 2026-01-22 12:55:22 +01:00
packet net: Convert struct sockaddr to fixed-size "sa_data[14]" 2025-11-04 19:10:33 -08:00
phonet net: Convert proto callbacks from sockaddr to sockaddr_unsized 2025-11-04 19:10:33 -08:00
psample
psp tools: ynl-gen: add regeneration comment 2025-11-25 19:20:42 -08:00
qrtr net: Convert proto_ops connect() callbacks to use sockaddr_unsized 2025-11-04 19:10:32 -08:00
rds net: Convert proto_ops connect() callbacks to use sockaddr_unsized 2025-11-04 19:10:32 -08:00
rfkill net: replace use of system_wq with system_percpu_wq 2025-09-22 17:40:30 -07:00
rose net: rose: fix invalid array index in rose_kill_by_device() 2025-12-30 11:45:51 +01:00
rxrpc rxrpc: Fix data-race warning and potential load/store tearing 2026-01-21 19:59:29 -08:00
sched net/sched: cls_u32: use skb_header_pointer_careful() 2026-01-29 18:25:22 -08:00
sctp sctp: move SCTP_CMD_ASSOC_SHKEY right after SCTP_CMD_PEER_INIT 2026-01-17 15:10:34 -08:00
shaper tools: ynl-gen: add regeneration comment 2025-11-25 19:20:42 -08:00
smc net: smc: SMC_HS_CTRL_BPF should depend on BPF_JIT 2025-12-04 11:07:18 -08:00
strparser Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2025-11-13 12:35:38 -08:00
sunrpc nfsd-6.19 fixes: 2025-12-24 09:23:04 -08:00
switchdev
tipc Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2025-11-13 12:35:38 -08:00
tls Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2025-10-31 06:46:03 -07:00
unix net: do not write to msg_get_inq in callee 2026-01-08 08:45:13 -08:00
vmw_vsock vsock/virtio: cap TX credit to local buffer size 2026-01-22 15:41:33 +01:00
wireless wifi: cfg80211: ignore link disabled flag from userspace 2026-01-20 10:02:01 +01:00
x25 net: Convert proto_ops connect() callbacks to use sockaddr_unsized 2025-11-04 19:10:32 -08:00
xdp Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2025-11-27 12:19:08 -08:00
xfrm xfrm: set ipv4 no_pmtu_disc flag only on output sa when direction is set 2025-12-15 11:06:25 +01:00
compat.c socket: Unify getsockname and getpeername implementation 2025-11-26 13:45:23 -07:00
devres.c
Kconfig net: Kconfig: discourage drop_monitor enablement 2025-10-17 16:29:26 -07:00
Kconfig.debug
Makefile psp: base PSP device support 2025-09-18 12:32:06 +02:00
socket.c vfs-6.19-rc1.fixes 2025-12-05 15:52:30 -08:00
sysctl_net.c