__vxlan_dev_create() destroys FDB using specific pointer which indicates
a fdb when error occurs.
But that pointer should not be used when register_netdevice() fails because
register_netdevice() internally destroys fdb when error occurs.
In order to avoid un-registered dev's notification, fdb destroying routine
checks dev's register status before notification.
Test command
ip link add bonding_masters type vxlan id 0 group 239.1.1.1 \
dev enp0s9 dstport 4789
Splat looks like:
[ 130.396714] kasan: CONFIG_KASAN_INLINE enabled
[ 130.397649] kasan: GPF could be caused by NULL-ptr deref or user memory
access
[ 130.398939] general protection fault: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN PTI
[ 130.399829] CPU: 0 PID: 991 Comm: ip Not tainted 5.2.0-rc3+ #41
[ 130.401581] RIP: 0010:vxlan_fdb_destroy+0x120/0x220 [vxlan]
[ 130.402280] Code: df 48 8b 2b 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 06 01
00 00 4c 8b 63 08 48 b8 00 00 00 00d
[ 130.404578] RSP: 0018:ffff8880cfac7080 EFLAGS: 00010a02
[ 130.405235] RAX: dffffc0000000000 RBX: ffff8880d0613348 RCX: 0000000000000000
[ 130.406172] RDX: 1bd5a00000000040 RSI: ffff8880d0613348 RDI: ffff8880d0613350
[ 130.407056] RBP: 0000000000000000 R08: fffffbfff4378005 R09: 0000000000000000
[ 130.408011] R10: 00000000ffffffef R11: 0000000000000000 R12: dead000000000200
[ 130.408921] R13: ffff8880cfac71d8 R14: ffff8880b5d8cda0 R15: ffff8880b5d8cda0
[ 130.409811] FS: 00007f9ef157e0c0(0000) GS:ffff8880da400000(0000)
knlGS:0000000000000000
[ 130.410805] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 130.411515] CR2: 0000560fe8118d54 CR3: 00000000bc684006 CR4: 00000000000606f0
[ 130.412385] Call Trace:
[ 130.412708] __vxlan_dev_create+0x3a9/0x7d0 [vxlan]
[ 130.413314] ? vxlan_changelink+0x780/0x780 [vxlan]
[ 130.413919] ? rcu_read_unlock+0x60/0x60 [vxlan]
[ 130.414497] ? __kasan_kmalloc.constprop.3+0xa0/0xd0
[ 130.415112] vxlan_newlink+0x99/0xf0 [vxlan]
[ 130.415640] ? __vxlan_dev_create+0x7d0/0x7d0 [vxlan]
[ 130.416270] ? __netlink_ns_capable+0xc3/0xf0
[ 130.416806] __rtnl_newlink+0xb9f/0x11b0
[ ... ]
Fixes: 0241b836732f ("vxlan: fix default fdb entry netlink notify ordering
during netdev create")
Signed-off-by: Taehee Yoo <ap420...@gmail.com>
---
drivers/net/vxlan.c | 9 +++------
1 file changed, 3 insertions(+), 6 deletions(-)
diff --git a/drivers/net/vxlan.c b/drivers/net/vxlan.c
index 4c9bc29fe3d5..0bc07e3232c4 100644
--- a/drivers/net/vxlan.c
+++ b/drivers/net/vxlan.c
@@ -861,7 +861,7 @@ static void vxlan_fdb_destroy(struct vxlan_dev *vxlan,
struct vxlan_fdb *f,
netdev_dbg(vxlan->dev, "delete %pM\n", f->eth_addr);
--vxlan->addrcnt;
- if (do_notify)
+ if (do_notify && vxlan->dev->reg_state >= NETREG_REGISTERED)
list_for_each_entry(rd, &f->remotes, list)
vxlan_fdb_notify(vxlan, f, rd, RTM_DELNEIGH,
swdev_notify, NULL);
@@ -3542,7 +3542,6 @@ static int __vxlan_dev_create(struct net *net, struct
net_device *dev,
struct vxlan_net *vn = net_generic(net, vxlan_net_id);
struct vxlan_dev *vxlan = netdev_priv(dev);
struct vxlan_fdb *f = NULL;
- bool unregister = false;
int err;
err = vxlan_dev_configure(net, dev, conf, false, extack);
@@ -3567,8 +3566,7 @@ static int __vxlan_dev_create(struct net *net, struct
net_device *dev,
err = register_netdevice(dev);
if (err)
- goto errout;
- unregister = true;
+ return err;
err = rtnl_configure_link(dev, NULL);
if (err)
@@ -3592,8 +3590,7 @@ static int __vxlan_dev_create(struct net *net, struct
net_device *dev,
*/
if (f)
vxlan_fdb_destroy(vxlan, f, false, false);
- if (unregister)
- unregister_netdevice(dev);
+ unregister_netdevice(dev);
return err;
}
--
2.17.1
