From: Cong Wang <xiyou.wangc...@gmail.com>
Date: Thu, 9 Nov 2017 16:43:13 -0800
> After refcnt reaches zero, vlan_vid_del() could free
> dev->vlan_info via RCU:
>
> RCU_INIT_POINTER(dev->vlan_info, NULL);
> call_rcu(&vlan_info->rcu, vlan_info_rcu_free);
>
> However, the pointer 'grp' still points to that memory
> since it is set before vlan_vid_del():
>
> vlan_info = rtnl_dereference(dev->vlan_info);
> if (!vlan_info)
> goto out;
> grp = &vlan_info->grp;
>
> Depends on when that RCU callback is scheduled, we could
> trigger a use-after-free in vlan_group_for_each_dev()
> right following this vlan_vid_del().
>
> Fix it by moving vlan_vid_del() before setting grp. This
> is also symmetric to the vlan_vid_add() we call in
> vlan_device_event().
>
> Reported-by: Fengguang Wu <fengguang...@intel.com>
> Fixes: efc73f4bbc23 ("net: Fix memory leak - vlan_info struct")
> Cc: Alexander Duyck <alexander.du...@gmail.com>
> Cc: Linus Torvalds <torva...@linux-foundation.org>
> Cc: Girish Moodalbail <girish.moodalb...@oracle.com>
> Signed-off-by: Cong Wang <xiyou.wangc...@gmail.com>
Applied and queued up for -stable, thanks Cong!
