Centos-kernel-stream-9/drivers/net/ipvlan
Davide Caratti 0614f90f91 net: fix NULL pointer dereference in l3mdev_l3_rcv
JIRA: https://issues.redhat.com/browse/RHEL-84583
Upstream Status: net.git commit 0032c99e83b9ce6d5995d65900aa4b6ffb501cce

commit 0032c99e83b9ce6d5995d65900aa4b6ffb501cce
Author: Wang Liang <wangliang74@huawei.com>
Date:   Fri Mar 21 17:03:53 2025 +0800

    net: fix NULL pointer dereference in l3mdev_l3_rcv

    When deleting an l3s ipvlan:

        ip link del link eth0 ipvlan1 type ipvlan mode l3s

    This may cause a null pointer dereference:

        Call trace:
         ip_rcv_finish+0x48/0xd0
         ip_rcv+0x5c/0x100
         __netif_receive_skb_one_core+0x64/0xb0
         __netif_receive_skb+0x20/0x80
         process_backlog+0xb4/0x204
         napi_poll+0xe8/0x294
         net_rx_action+0xd8/0x22c
         __do_softirq+0x12c/0x354

    This is because l3mdev_l3_rcv() visits dev->l3mdev_ops after
    ipvlan_l3s_unregister() assigns dev->l3mdev_ops to NULL. The process
    is like this:

        (CPU1)                     | (CPU2)
        l3mdev_l3_rcv()            |
          check dev->priv_flags:   |
            master = skb->dev;     |
                                   |
                                   | ipvlan_l3s_unregister()
                                   |   set dev->priv_flags
                                   |   dev->l3mdev_ops = NULL;
                                   |
          visit master->l3mdev_ops |

    To avoid this, do not set dev->l3mdev_ops when unregistering an l3s ipvlan.

    Suggested-by: David Ahern <dsahern@kernel.org>
    Fixes: c675e06a98 ("ipvlan: decouple l3s mode dependencies from other modes")
    Signed-off-by: Wang Liang <wangliang74@huawei.com>
    Reviewed-by: Simon Horman <horms@kernel.org>
    Link: https://patch.msgid.link/20250321090353.1170545-1-wangliang74@huawei.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>

Signed-off-by: Davide Caratti <dcaratti@redhat.com>
2025-04-03 19:32:54 +02:00
Makefile
ipvlan.h ipvlan: adopt u64_stats_t 2023-06-08 13:37:00 +02:00
ipvlan_core.c ipvlan: ensure network headers are in skb linear part 2025-04-03 19:31:43 +02:00
ipvlan_l3s.c net: fix NULL pointer dereference in l3mdev_l3_rcv 2025-04-03 19:32:54 +02:00
ipvlan_main.c ipvlan: Support bonding events 2025-01-20 12:32:48 +08:00
ipvtap.c drivers: remove struct module * setting from struct class 2023-11-01 11:12:29 -05:00