macvlan: Fix potential use-after free for broadcasts

When we postpone a broadcast packet we save the source port in
the skb if it is local.  However, the source port can disappear
before we get a chance to process the packet.

This patch fixes this by holding a ref count on the netdev.

It also delays the skb->cb modification until after we allocate
the new skb as you should not modify shared skbs.

Fixes: 412ca1550cbe ("macvlan: Move broadcasts into a work queue")
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>

diff --git a/drivers/net/macvlan.c b/drivers/net/macvlan.c
index cb01023..a71fa59 100644 (file)
--- a/drivers/net/macvlan.c
+++ b/drivers/net/macvlan.c
@@ -305,11 +305,14 @@ static void macvlan_process_broadcast(struct work_struct *w)
 
                rcu_read_unlock();
 
+               if (src)
+                       dev_put(src->dev);
                kfree_skb(skb);
        }
 }
 
 static void macvlan_broadcast_enqueue(struct macvlan_port *port,
+                                     const struct macvlan_dev *src,
                                      struct sk_buff *skb)
 {
        struct sk_buff *nskb;
@@ -319,8 +322,12 @@ static void macvlan_broadcast_enqueue(struct macvlan_port *port,
        if (!nskb)
                goto err;
 
+       MACVLAN_SKB_CB(nskb)->src = src;
+
        spin_lock(&port->bc_queue.lock);
        if (skb_queue_len(&port->bc_queue) < MACVLAN_BC_QUEUE_LEN) {
+               if (src)
+                       dev_hold(src->dev);
                __skb_queue_tail(&port->bc_queue, nskb);
                err = 0;
        }
@@ -429,8 +436,7 @@ static rx_handler_result_t macvlan_handle_frame(struct sk_buff **pskb)
                        goto out;
                }
 
-               MACVLAN_SKB_CB(skb)->src = src;
-               macvlan_broadcast_enqueue(port, skb);
+               macvlan_broadcast_enqueue(port, src, skb);
 
                return RX_HANDLER_PASS;
        }