Re: [PATCH net] ip6tnl: fix use after free of fb_tnl_dev
From: David Miller
Date: Thu Nov 14 2013 - 17:05:41 EST
From: Nicolas Dichtel <nicolas.dichtel@xxxxxxxxx>
Date: Thu, 14 Nov 2013 15:47:03 +0100
> Bug has been introduced by commit bb8140947a24 ("ip6tnl: allow to use rtnl ops
> on fb tunnel").
>
> When ip6_tunnel.ko is unloaded, FB device is delete by rtnl_link_unregister()
> and then we try to use the pointer in ip6_tnl_destroy_tunnels().
>
> Let's add an handler for dellink, which will never remove the FB tunnel. With
> this patch it will no more be possible to remove it via 'ip link del ip6tnl0',
> but it's safer.
>
> The same fix was already proposed by Willem de Bruijn <willemb@xxxxxxxxxx> for
> sit interfaces.
>
> CC: Willem de Bruijn <willemb@xxxxxxxxxx>
> Reported-by: Steven Rostedt <rostedt@xxxxxxxxxxx>
> Signed-off-by: Nicolas Dichtel <nicolas.dichtel@xxxxxxxxx>
Applied and queued up for -stable, thanks for being so proactive about this
Nicolas.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/