[SRU][J/N/Q][PATCH 1/1] macvlan: fix error recovery in macvlan_common_newlink()

Stefan Bader stefan.bader at canonical.com
Fri Feb 20 14:06:56 UTC 2026 

On 19/02/2026 21:08, Ian Whitfield wrote:
> From: Eric Dumazet <edumazet at google.com>
> 
> valis provided a nice repro to crash the kernel:
> 
> ip link add p1 type veth peer p2
> ip link set address 00:00:00:00:00:20 dev p1
> ip link set up dev p1
> ip link set up dev p2
> 
> ip link add mv0 link p2 type macvlan mode source
> ip link add invalid% link p2 type macvlan mode source macaddr add 00:00:00:00:00:20
> 
> ping -c1 -I p1 1.2.3.4
> 
> He also gave a very detailed analysis:
> 
> <quote valis>
> 
> The issue is triggered when a new macvlan link is created  with
> MACVLAN_MODE_SOURCE mode and MACVLAN_MACADDR_ADD (or
> MACVLAN_MACADDR_SET) parameter, lower device already has a macvlan
> port and register_netdevice() called from macvlan_common_newlink()
> fails (e.g. because of the invalid link name).
> 
> In this case macvlan_hash_add_source is called from
> macvlan_change_sources() / macvlan_common_newlink():
> 
> This adds a reference to vlan to the port's vlan_source_hash using
> macvlan_source_entry.
> 
> vlan is a pointer to the priv data of the link that is being created.
> 
> When register_netdevice() fails, the error is returned from
> macvlan_newlink() to rtnl_newlink_create():
> 
>          if (ops->newlink)
>                  err = ops->newlink(dev, &params, extack);
>          else
>                  err = register_netdevice(dev);
>          if (err < 0) {
>                  free_netdev(dev);
>                  goto out;
>          }
> 
> and free_netdev() is called, causing a kvfree() on the struct
> net_device that is still referenced in the source entry attached to
> the lower device's macvlan port.
> 
> Now all packets sent on the macvlan port with a matching source mac
> address will trigger a use-after-free in macvlan_forward_source().
> 
> </quote valis>
> 
> With all that, my fix is to make sure we call macvlan_flush_sources()
> regardless of @create value whenever "goto destroy_macvlan_port;"
> path is taken.
> 
> Many thanks to valis for following up on this issue.
> 
> Fixes: aa5fd0fb7748 ("driver: macvlan: Destroy new macvlan port if macvlan_common_newlink failed.")
> Signed-off-by: Eric Dumazet <edumazet at google.com>
> Reported-by: valis <sec at valis.email>
> Reported-by: syzbot+7182fbe91e58602ec1fe at syzkaller.appspotmail.com
> Closes: https: //lore.kernel.org/netdev/695fb1e8.050a0220.1c677c.039f.GAE at google.com/T/#u
> Cc: Boudewijn van der Heide <boudewijn at delta-utec.com>
> Link: https://patch.msgid.link/20260129204359.632556-1-edumazet@google.com
> Signed-off-by: Jakub Kicinski <kuba at kernel.org>
> (cherry picked from commit f8db6475a83649689c087a8f52486fcc53e627e9)

It might prove dangerous to rely on people spotting below and realizing 
it needs no BugLink. And some are rather insistant on a cover-email 
these days...



-Stefan
> CVE-2026-23209
> Signed-off-by: Ian Whitfield <ian.whitfield at canonical.com>
> ---
>   drivers/net/macvlan.c | 5 +++--
>   1 file changed, 3 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/net/macvlan.c b/drivers/net/macvlan.c
> index cb349b99ea2a2..7e31b02c870e9 100644
> --- a/drivers/net/macvlan.c
> +++ b/drivers/net/macvlan.c
> @@ -1475,9 +1475,10 @@ int macvlan_common_newlink(struct net *src_net, struct net_device *dev,
>   	/* the macvlan port may be freed by macvlan_uninit when fail to register.
>   	 * so we destroy the macvlan port only when it's valid.
>   	 */
> -	if (create && macvlan_port_get_rtnl(lowerdev)) {
> +	if (macvlan_port_get_rtnl(lowerdev)) {
>   		macvlan_flush_sources(port, vlan);
> -		macvlan_port_destroy(port->dev);
> +		if (create)
> +			macvlan_port_destroy(port->dev);
>   	}
>   	return err;
>   }

-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_0xE8675DEECBEECEA3.asc
Type: application/pgp-keys
Size: 52669 bytes
Desc: OpenPGP public key
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20260220/2e99fec4/attachment-0001.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20260220/2e99fec4/attachment-0001.sig>

More information about the kernel-team mailing list