Commit 219b2730 authored Apr 11, 2025 by Kuniyuki Iwashima Committed by Zhang Changzhong Apr 11, 2025

geneve: Suppress list corruption splat in geneve_destroy_tunnels().

stable inclusion
from stable-v5.10.235
commit ba2402f24c930e8d50071a941695fe425af18b45
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBSVZF
CVE: CVE-2025-21858

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=ba2402f24c930e8d50071a941695fe425af18b45



--------------------------------

[ Upstream commit 62fab6eef61f245dc8797e3a6a5b890ef40e8628 ]

As explained in the previous patch, iterating for_each_netdev() and
gn->geneve_list during ->exit_batch_rtnl() could trigger ->dellink()
twice for the same device.

If CONFIG_DEBUG_LIST is enabled, we will see a list_del() corruption
splat in the 2nd call of geneve_dellink().

Let's remove for_each_netdev() in geneve_destroy_tunnels() and delegate
that part to default_device_exit_batch().

Fixes: 9593172d93b9 ("geneve: Fix use-after-free in geneve_find_dev().")
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Link: https://patch.msgid.link/20250217203705.40342-3-kuniyu@amazon.com


Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Zhang Changzhong <zhangchangzhong@huawei.com>

parent 59444d4c

drivers/net/geneve.c

+0 −7

Original line number	Diff line number	Diff line
		@@ -1920,14 +1920,7 @@ static void geneve_destroy_tunnels(struct net net, struct list_head head)
		{
		struct geneve_net *gn = net_generic(net, geneve_net_id);
		struct geneve_dev geneve, next;
		struct net_device dev, aux;

		/* gather any geneve devices that were moved into this ns */
		for_each_netdev_safe(net, dev, aux)
		if (dev->rtnl_link_ops == &geneve_link_ops)
		geneve_dellink(dev, head);

		/* now gather any other geneve devices that were created in this ns */
		list_for_each_entry_safe(geneve, next, &gn->geneve_list, next)
		geneve_dellink(geneve->dev, head);
		}