diff options
| author | Taehee Yoo <ap420073@gmail.com> | 2019-10-21 18:47:55 +0000 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2019-10-24 14:53:48 -0700 |
| commit | 2bce1ebed17da54c65042ec2b962e3234bad5b47 (patch) | |
| tree | c72c76fcb1da9f1cc6e9af99599083cee38af725 /net/mac80211/vht.c | |
| parent | 369f61bee0f584aee09f0736431eb9b330c98571 (diff) | |
| download | linux-2bce1ebed17da54c65042ec2b962e3234bad5b47.tar.bz2 | |
macsec: fix refcnt leak in module exit routine
When a macsec interface is created, it increases a refcnt to a lower
device(real device). when macsec interface is deleted, the refcnt is
decreased in macsec_free_netdev(), which is ->priv_destructor() of
macsec interface.
The problem scenario is this.
When nested macsec interfaces are exiting, the exit routine of the
macsec module makes refcnt leaks.
Test commands:
ip link add dummy0 type dummy
ip link add macsec0 link dummy0 type macsec
ip link add macsec1 link macsec0 type macsec
modprobe -rv macsec
[ 208.629433] unregister_netdevice: waiting for macsec0 to become free. Usage count = 1
Steps of exit routine of macsec module are below.
1. Calls ->dellink() in __rtnl_link_unregister().
2. Checks refcnt and wait refcnt to be 0 if refcnt is not 0 in
netdev_run_todo().
3. Calls ->priv_destruvtor() in netdev_run_todo().
Step2 checks refcnt, but step3 decreases refcnt.
So, step2 waits forever.
This patch makes the macsec module do not hold a refcnt of the lower
device because it already holds a refcnt of the lower device with
netdev_upper_dev_link().
Fixes: c09440f7dcb3 ("macsec: introduce IEEE 802.1AE driver")
Signed-off-by: Taehee Yoo <ap420073@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/mac80211/vht.c')
0 files changed, 0 insertions, 0 deletions