ACK: [SRU][J][PATCH 0/1] CVE-2022-49390

Sarah Emery sarah.emery at canonical.com
Fri Oct 17 12:34:12 UTC 2025


On 14/10/2025 16:20, Massimiliano Pellizzer wrote:
> https://ubuntu.com/security/CVE-2022-49390
> 
> [ Impact ]
> 
> macsec: fix UAF bug for real_dev
> 
> Creating a new macsec device without getting a reference to real_dev may
> trigger a use-after-free bug.
> 
> [ Fix ]
> 
> Backport commit 2bce1ebed17d (macsec: fix refcnt leak in module exit routine)
> from mainline.
> 
> [ Test Plan ]
> 
> Compile and boot tested.
> Tested basic macsec functionalities:
> 
> $ unshare --map-root-user --net
> # ip link add dummy0 type dummy
> # ip link set dummy0 up
> # ip link add link dummy0 name macsec0 type macsec
> # ip link set macsec0 up
> # ip a
> 1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN group default qlen 1000
>      link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> 2: dummy0: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000
>      link/ether aa:ca:71:b5:0f:dd brd ff:ff:ff:ff:ff:ff
>      inet6 fe80::a8ca:71ff:feb5:fdd/64 scope link
>         valid_lft forever preferred_lft forever
> 3: macsec0@dummy0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1468 qdisc noqueue state UP group default qlen 1000
>      link/ether aa:ca:71:b5:0f:dd brd ff:ff:ff:ff:ff:ff
>      inet6 fe80::a8ca:71ff:feb5:fdd/64 scope link tentative
>         valid_lft forever preferred_lft forever
> # ip link del dummy0
> # ip a
> 1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN group default qlen 1000
>      link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> 
> [ Regression Potential ]
> 
> The fix affects macsec's device handling of the lower (real) net_device
> lifetime. An issue with this patch may introduce refcount leaks that
> prevent lower devices from being freed, or incorrect release ordering
> that re-introduces use-after-free and breaks interface teardown.
> 
> Ziyang Xuan (1):
>    macsec: fix UAF bug for real_dev
> 
>   drivers/net/macsec.c | 5 +++++
>   1 file changed, 5 insertions(+)
> 

Acked-by: Sarah Emery <sarah.emery at canonical.com>


