[SRU][J/N/Q][PATCH 1/1] macvlan: fix error recovery in macvlan_common_newlink()

Stefan Bader stefan.bader at canonical.com
Fri Feb 20 16:49:56 UTC 2026 

On 20/02/2026 16:59, Ian Whitfield wrote:
> On Fri, Feb 20, 2026 at 03:06:56PM +0100, Stefan Bader wrote:
>> On 19/02/2026 21:08, Ian Whitfield wrote:
>>> From: Eric Dumazet <edumazet at google.com>
>>>
>>> valis provided a nice repro to crash the kernel:
>>>
>>> ip link add p1 type veth peer p2
>>> ip link set address 00:00:00:00:00:20 dev p1
>>> ip link set up dev p1
>>> ip link set up dev p2
>>>
>>> ip link add mv0 link p2 type macvlan mode source
>>> ip link add invalid% link p2 type macvlan mode source macaddr add 00:00:00:00:00:20
>>>
>>> ping -c1 -I p1 1.2.3.4
>>>
>>> He also gave a very detailed analysis:
>>>
>>> <quote valis>
>>>
>>> The issue is triggered when a new macvlan link is created  with
>>> MACVLAN_MODE_SOURCE mode and MACVLAN_MACADDR_ADD (or
>>> MACVLAN_MACADDR_SET) parameter, lower device already has a macvlan
>>> port and register_netdevice() called from macvlan_common_newlink()
>>> fails (e.g. because of the invalid link name).
>>>
>>> In this case macvlan_hash_add_source is called from
>>> macvlan_change_sources() / macvlan_common_newlink():
>>>
>>> This adds a reference to vlan to the port's vlan_source_hash using
>>> macvlan_source_entry.
>>>
>>> vlan is a pointer to the priv data of the link that is being created.
>>>
>>> When register_netdevice() fails, the error is returned from
>>> macvlan_newlink() to rtnl_newlink_create():
>>>
>>>           if (ops->newlink)
>>>                   err = ops->newlink(dev, &params, extack);
>>>           else
>>>                   err = register_netdevice(dev);
>>>           if (err < 0) {
>>>                   free_netdev(dev);
>>>                   goto out;
>>>           }
>>>
>>> and free_netdev() is called, causing a kvfree() on the struct
>>> net_device that is still referenced in the source entry attached to
>>> the lower device's macvlan port.
>>>
>>> Now all packets sent on the macvlan port with a matching source mac
>>> address will trigger a use-after-free in macvlan_forward_source().
>>>
>>> </quote valis>
>>>
>>> With all that, my fix is to make sure we call macvlan_flush_sources()
>>> regardless of @create value whenever "goto destroy_macvlan_port;"
>>> path is taken.
>>>
>>> Many thanks to valis for following up on this issue.
>>>
>>> Fixes: aa5fd0fb7748 ("driver: macvlan: Destroy new macvlan port if macvlan_common_newlink failed.")
>>> Signed-off-by: Eric Dumazet <edumazet at google.com>
>>> Reported-by: valis <sec at valis.email>
>>> Reported-by: syzbot+7182fbe91e58602ec1fe at syzkaller.appspotmail.com
>>> Closes: https: //lore.kernel.org/netdev/695fb1e8.050a0220.1c677c.039f.GAE at google.com/T/#u
>>> Cc: Boudewijn van der Heide <boudewijn at delta-utec.com>
>>> Link: https://patch.msgid.link/20260129204359.632556-1-edumazet@google.com
>>> Signed-off-by: Jakub Kicinski <kuba at kernel.org>
>>> (cherry picked from commit f8db6475a83649689c087a8f52486fcc53e627e9)
>>
>> It might prove dangerous to rely on people spotting below and realizing it
>> needs no BugLink. And some are rather insistant on a cover-email these
>> days...
>>
>>
>>
>> -Stefan
> 
> Hi Stefan, I sent a cover letter, perhaps it didn't reach
> you or I'm misunderstanding? I can see it on the web archive:
> https://lists.ubuntu.com/archives/kernel-team/2026-February/165936.html

Oh ok, it did not reach my inbox. Google must have "optimized" it away...
> 
> -Ian
> 
>>> CVE-2026-23209
>>> Signed-off-by: Ian Whitfield <ian.whitfield at canonical.com>
>>> ---
>>>    drivers/net/macvlan.c | 5 +++--
>>>    1 file changed, 3 insertions(+), 2 deletions(-)
>>>
>>> diff --git a/drivers/net/macvlan.c b/drivers/net/macvlan.c
>>> index cb349b99ea2a2..7e31b02c870e9 100644
>>> --- a/drivers/net/macvlan.c
>>> +++ b/drivers/net/macvlan.c
>>> @@ -1475,9 +1475,10 @@ int macvlan_common_newlink(struct net *src_net, struct net_device *dev,
>>>    	/* the macvlan port may be freed by macvlan_uninit when fail to register.
>>>    	 * so we destroy the macvlan port only when it's valid.
>>>    	 */
>>> -	if (create && macvlan_port_get_rtnl(lowerdev)) {
>>> +	if (macvlan_port_get_rtnl(lowerdev)) {
>>>    		macvlan_flush_sources(port, vlan);
>>> -		macvlan_port_destroy(port->dev);
>>> +		if (create)
>>> +			macvlan_port_destroy(port->dev);
>>>    	}
>>>    	return err;
>>>    }
>>
> 
> 
> 
> 
> 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_0xE8675DEECBEECEA3.asc
Type: application/pgp-keys
Size: 52669 bytes
Desc: OpenPGP public key
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20260220/734b8e5c/attachment-0001.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20260220/734b8e5c/attachment-0001.sig>

More information about the kernel-team mailing list