[5.10,031/102] net: fix dev_ifsioc_locked() race condition

Message ID	20210305120904.814003997@linuxfoundation.org
State	Superseded
Headers	show Return-Path: <stable-owner@kernel.org> From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>, stable@vger.kernel.org, "Gong, Sishuai" <sishuai@purdue.edu>, Eric Dumazet <eric.dumazet@gmail.com>, Jakub Kicinski <kuba@kernel.org>, Cong Wang <cong.wang@bytedance.com>, "David S. Miller" <davem@davemloft.net> Subject: [PATCH 5.10 031/102] net: fix dev_ifsioc_locked() race condition Date: Fri, 5 Mar 2021 13:20:50 +0100 Message-Id: <20210305120904.814003997@linuxfoundation.org> In-Reply-To: <20210305120903.276489876@linuxfoundation.org> References: <20210305120903.276489876@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk
Series	None \| expand [5.10,002/102] Input: elantech - fix protocol errors for some trackpoints in SMBus mode [5.10,003/102] Input: elan_i2c - add new trackpoint report type 0x5F [5.10,004/102] drm/virtio: use kvmalloc for large allocations [5.10,005/102] x86/build: Treat R_386_PLT32 relocation as R_386_PC32 [5.10,006/102] JFS: more checks for invalid superblock [5.10,007/102] sched/core: Allow try_invoke_on_locked_down_task() with irqs disabled [5.10,008/102] udlfb: Fix memory leak in dlfb_usb_probe [5.10,009/102] media: mceusb: sanity check for prescaler value [5.10,010/102] erofs: fix shift-out-of-bounds of blkszbits [5.10,011/102] media: v4l2-ctrls.c: fix shift-out-of-bounds in std_validate [5.10,012/102] xfs: Fix assert failure in xfs_setattr_size() [5.10,013/102] net/af_iucv: remove WARN_ONCE on malformed RX packets [5.10,014/102] smackfs: restrict bytes count in smackfs write functions [5.10,015/102] tomoyo: ignore data race while checking quota [5.10,016/102] net: fix up truesize of cloned skb in skb_prepare_for_shift() [5.10,017/102] riscv: Get rid of MAX_EARLY_MAPPING_SIZE [5.10,018/102] nbd: handle device refs for DESTROY_ON_DISCONNECT properly [5.10,019/102] mm/hugetlb.c: fix unnecessary address expansion of pmd sharing [5.10,020/102] RDMA/rtrs: Do not signal for heatbeat [5.10,021/102] RDMA/rtrs-clt: Use bitmask to check sess->flags [5.10,022/102] RDMA/rtrs-srv: Do not signal REG_MR [5.10,023/102] tcp: fix tcp_rmem documentation [5.10,024/102] mptcp: do not wakeup listener for MPJ subflows [5.10,025/102] net: bridge: use switchdev for port flags set through sysfs too [5.10,026/102] net/sched: cls_flower: Reject invalid ct_state flags rules [5.10,027/102] net: dsa: tag_rtl4_a: Support also egress tags [5.10,028/102] net: ag71xx: remove unnecessary MTU reservation [5.10,029/102] net: hsr: add support for EntryForgetTime [5.10,030/102] net: psample: Fix netlink skb length with tunnel info [5.10,031/102] net: fix dev_ifsioc_locked() race condition [5.10,032/102] dt-bindings: ethernet-controller: fix fixed-link specification [5.10,033/102] dt-bindings: net: btusb: DT fix s/interrupt-name/interrupt-names/ [5.10,034/102] ASoC: qcom: Remove useless debug print [5.10,035/102] rsi: Fix TX EAPOL packet handling against iwlwifi AP [5.10,036/102] rsi: Move card interrupt handling to RX thread [5.10,037/102] rcu/nocb: Trigger self-IPI on late deferred wake up before user resume [5.10,038/102] entry: Explicitly flush pending rcuog wakeup before last rescheduling point [5.10,039/102] entry/kvm: Explicitly flush pending rcuog wakeup before last rescheduling point [5.10,040/102] EDAC/amd64: Do not load on family 0x15, model 0x13 [5.10,041/102] staging: fwserial: Fix error handling in fwserial_create [5.10,042/102] x86/reboot: Add Zotac ZBOX CI327 nano PCI reboot quirk [5.10,043/102] vt/consolemap: do font sum unsigned [5.10,044/102] wlcore: Fix command execute failure 19 for wl12xx [5.10,045/102] Bluetooth: hci_h5: Set HCI_QUIRK_SIMULTANEOUS_DISCOVERY for btrtl [5.10,046/102] Bluetooth: btusb: fix memory leak on suspend and resume [5.10,047/102] mt76: mt7615: reset token when mac_reset happens [5.10,048/102] pktgen: fix misuse of BUG_ON() in pktgen_thread_worker() [5.10,049/102] ath10k: fix wmi mgmt tx queue full due to race condition [5.10,050/102] net: sfp: add mode quirk for GPON module Ubiquiti U-Fiber Instant [5.10,051/102] Bluetooth: Add new HCI_QUIRK_NO_SUSPEND_NOTIFIER quirk [5.10,052/102] Bluetooth: Fix null pointer dereference in amp_read_loc_assoc_final_data [5.10,053/102] staging: most: sound: add sanity check for function argument [5.10,054/102] staging: bcm2835-audio: Replace unsafe strcpy() with strscpy() [5.10,055/102] brcmfmac: Add DMI nvram filename quirk for Predia Basic tablet [5.10,056/102] brcmfmac: Add DMI nvram filename quirk for Voyo winpad A15 tablet [5.10,057/102] drm/hisilicon: Fix use-after-free [5.10,058/102] crypto: tcrypt - avoid signed overflow in byte count [5.10,059/102] fs: make unlazy_walk() error handling consistent [5.10,060/102] drm/amdgpu: Add check to prevent IH overflow [5.10,061/102] PCI: Add a REBAR size quirk for Sapphire RX 5600 XT Pulse [5.10,062/102] ASoC: Intel: bytcr_rt5640: Add new BYT_RT5640_NO_SPEAKERS quirk-flag [5.10,063/102] drm/amd/display: Guard against NULL pointer deref when get_i2c_info fails [5.10,064/102] drm/amd/amdgpu: add error handling to amdgpu_virt_read_pf2vf_data [5.10,065/102] media: uvcvideo: Allow entities with no pads [5.10,066/102] f2fs: handle unallocated section and zone on pinned/atgc [5.10,067/102] f2fs: fix to set/clear I_LINKABLE under i_lock [5.10,068/102] nvme-core: add cancel tagset helpers [5.10,069/102] nvme-rdma: add clean action for failed reconnection [5.10,070/102] nvme-tcp: add clean action for failed reconnection [5.10,071/102] ASoC: Intel: Add DMI quirk table to soc_intel_is_byt_cr() [5.10,072/102] btrfs: fix error handling in commit_fs_roots [5.10,073/102] drm/amdgpu: enable only one high prio compute queue [5.10,074/102] perf/x86/kvm: Add Cascade Lake Xeon steppings to isolation_ucodes[] [5.10,075/102] ASoC: Intel: sof-sdw: indent and add quirks consistently [5.10,076/102] ASoC: Intel: sof_sdw: detect DMIC number based on mach params [5.10,077/102] parisc: Bump 64-bit IRQ stack size to 64 KB [5.10,078/102] sched/features: Fix hrtick reprogramming [5.10,079/102] ASoC: Intel: bytcr_rt5640: Add quirk for the Estar Beauty HD MID 7316R tablet [5.10,080/102] ASoC: Intel: bytcr_rt5640: Add quirk for the Voyo Winpad A15 tablet [5.10,081/102] ASoC: Intel: bytcr_rt5651: Add quirk for the Jumper EZpad 7 tablet [5.10,082/102] ASoC: Intel: bytcr_rt5640: Add quirk for the Acer One S1002 tablet [5.10,083/102] scsi: iscsi: Restrict sessions and handles to admin capabilities [5.10,084/102] scsi: iscsi: Ensure sysfs attributes are limited to PAGE_SIZE [5.10,085/102] scsi: iscsi: Verify lengths on passthrough PDUs [5.10,086/102] Xen/gnttab: handle p2m update errors on a per-slot basis [5.10,087/102] xen-netback: respect gnttab_map_refs()s return value [5.10,088/102] xen: fix p2m size in dom0 for disabled memory hotplug case [5.10,089/102] zsmalloc: account the number of compacted pages correctly [5.10,090/102] remoteproc/mediatek: Fix kernel test robot warning [5.10,091/102] swap: fix swapfile read/write offset [5.10,092/102] powerpc/sstep: Check instruction validity against ISA version before emulation [5.10,093/102] powerpc/sstep: Fix incorrect return from analyze_instr() [5.10,094/102] tty: fix up iterate_tty_read() EOVERFLOW handling [5.10,095/102] tty: fix up hung_up_tty_read() conversion [5.10,096/102] tty: clean up legacy leftovers from n_tty line discipline [5.10,097/102] tty: teach n_tty line discipline about the new "cookie continuations" [5.10,098/102] tty: teach the n_tty ICANON case about the new "cookie continuations" too [5.10,099/102] media: v4l: ioctl: Fix memory leak in video_usercopy [5.10,100/102] ALSA: hda/realtek: Add quirk for Clevo NH55RZQ [5.10,101/102] ALSA: hda/realtek: Add quirk for Intel NUC 10 [5.10,102/102] ALSA: hda/realtek: Apply dual codec quirks for MSI Godlike X570 board

Message ID

20210305120904.814003997@linuxfoundation.org

State

Superseded

Headers

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, "Gong, Sishuai" <sishuai@purdue.edu>,
	Eric Dumazet <eric.dumazet@gmail.com>, Jakub Kicinski <kuba@kernel.org>,
	Cong Wang <cong.wang@bytedance.com>,
	"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 5.10 031/102] net: fix dev_ifsioc_locked() race condition
Date: Fri,  5 Mar 2021 13:20:50 +0100
Message-Id: <20210305120904.814003997@linuxfoundation.org>
In-Reply-To: <20210305120903.276489876@linuxfoundation.org>
References: <20210305120903.276489876@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk

Series

None | expand

Commit Message

Greg Kroah-Hartman March 5, 2021, 12:20 p.m. UTC

From: Cong Wang <cong.wang@bytedance.com>

commit 3b23a32a63219f51a5298bc55a65ecee866e79d0 upstream.

dev_ifsioc_locked() is called with only RCU read lock, so when
there is a parallel writer changing the mac address, it could
get a partially updated mac address, as shown below:

Thread 1			Thread 2
// eth_commit_mac_addr_change()
memcpy(dev->dev_addr, addr->sa_data, ETH_ALEN);
				// dev_ifsioc_locked()
				memcpy(ifr->ifr_hwaddr.sa_data,
					dev->dev_addr,...);

Close this race condition by guarding them with a RW semaphore,
like netdev_get_name(). We can not use seqlock here as it does not
allow blocking. The writers already take RTNL anyway, so this does
not affect the slow path. To avoid bothering existing
dev_set_mac_address() callers in drivers, introduce a new wrapper
just for user-facing callers on ioctl and rtnetlink paths.

Note, bonding also changes slave mac addresses but that requires
a separate patch due to the complexity of bonding code.

Fixes: 3710becf8a58 ("net: RCU locking for simple ioctl()")
Reported-by: "Gong, Sishuai" <sishuai@purdue.edu>
Cc: Eric Dumazet <eric.dumazet@gmail.com>
Cc: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Cong Wang <cong.wang@bytedance.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/tap.c         |    7 +++----
 drivers/net/tun.c         |    5 ++---
 include/linux/netdevice.h |    3 +++
 net/core/dev.c            |   42 ++++++++++++++++++++++++++++++++++++++++++
 net/core/dev_ioctl.c      |   20 +++++++-------------
 net/core/rtnetlink.c      |    2 +-
 6 files changed, 58 insertions(+), 21 deletions(-)

Comments

Pavel Machek March 8, 2021, 12:50 p.m. UTC | #1

Hi!

> commit 3b23a32a63219f51a5298bc55a65ecee866e79d0 upstream.

> 

> dev_ifsioc_locked() is called with only RCU read lock, so when

> there is a parallel writer changing the mac address, it could

> get a partially updated mac address, as shown below:

> 

> Thread 1			Thread 2

> // eth_commit_mac_addr_change()

> memcpy(dev->dev_addr, addr->sa_data, ETH_ALEN);

> 				// dev_ifsioc_locked()

> 				memcpy(ifr->ifr_hwaddr.sa_data,

> 					dev->dev_addr,...);

> 

> Close this race condition by guarding them with a RW semaphore,

> like netdev_get_name(). We can not use seqlock here as it does not


I guess it may fix a race, but... does it leak kernel stack data to
userland?


> +++ b/drivers/net/tap.c

> @@ -1093,10 +1093,9 @@ static long tap_ioctl(struct file *file,

>  			return -ENOLINK;

>  		}

>  		ret = 0;

> -		u = tap->dev->type;

> +		dev_get_mac_address(&sa, dev_net(tap->dev), tap->dev->name);

>  		if (copy_to_user(&ifr->ifr_name, tap->dev->name, IFNAMSIZ) ||

> -		    copy_to_user(&ifr->ifr_hwaddr.sa_data, tap->dev->dev_addr, ETH_ALEN) ||

> -		    put_user(u, &ifr->ifr_hwaddr.sa_family))

> +		    copy_to_user(&ifr->ifr_hwaddr, &sa, sizeof(sa)))

>  			ret = -EFAULT;

>  		tap_put_tap_dev(tap);

>  		rtnl_unlock();


We copy whole "struct sockaddr".

> +int dev_get_mac_address(struct sockaddr *sa, struct net *net, char *dev_name)

> +{

> +	size_t size = sizeof(sa->sa_data);

> +	struct net_device *dev;

> +	int ret = 0;

...
> +	if (!dev->addr_len)

> +		memset(sa->sa_data, 0, size);

> +	else

> +		memcpy(sa->sa_data, dev->dev_addr,

> +		       min_t(size_t, size, dev->addr_len));


But we only coppied dev->addr_len bytes in.

This would be very simple way to plug the leak.

Signed-off-by: Pavel Machek (CIP) <pavel@denx.de>


diff --git a/net/core/dev.c b/net/core/dev.c
index 75ca6c6d01d6..b67ff23a1f0d 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -8714,11 +8714,9 @@ int dev_get_mac_address(struct sockaddr *sa, struct net *net, char *dev_name)
 		ret = -ENODEV;
 		goto unlock;
 	}
-	if (!dev->addr_len)
-		memset(sa->sa_data, 0, size);
-	else
-		memcpy(sa->sa_data, dev->dev_addr,
-		       min_t(size_t, size, dev->addr_len));
+	memset(sa->sa_data, 0, size);
+	memcpy(sa->sa_data, dev->dev_addr,
+	       min_t(size_t, size, dev->addr_len));
 	sa->sa_family = dev->type;
 
 unlock:

Best regards,
								Pavel

-- 
DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany

Greg Kroah-Hartman March 8, 2021, 1:21 p.m. UTC | #2

On Mon, Mar 08, 2021 at 01:50:57PM +0100, Pavel Machek wrote:
> Hi!

> 

> > commit 3b23a32a63219f51a5298bc55a65ecee866e79d0 upstream.

> > 

> > dev_ifsioc_locked() is called with only RCU read lock, so when

> > there is a parallel writer changing the mac address, it could

> > get a partially updated mac address, as shown below:

> > 

> > Thread 1			Thread 2

> > // eth_commit_mac_addr_change()

> > memcpy(dev->dev_addr, addr->sa_data, ETH_ALEN);

> > 				// dev_ifsioc_locked()

> > 				memcpy(ifr->ifr_hwaddr.sa_data,

> > 					dev->dev_addr,...);

> > 

> > Close this race condition by guarding them with a RW semaphore,

> > like netdev_get_name(). We can not use seqlock here as it does not

> 

> I guess it may fix a race, but... does it leak kernel stack data to

> userland?

> 

> 

> > +++ b/drivers/net/tap.c

> > @@ -1093,10 +1093,9 @@ static long tap_ioctl(struct file *file,

> >  			return -ENOLINK;

> >  		}

> >  		ret = 0;

> > -		u = tap->dev->type;

> > +		dev_get_mac_address(&sa, dev_net(tap->dev), tap->dev->name);

> >  		if (copy_to_user(&ifr->ifr_name, tap->dev->name, IFNAMSIZ) ||

> > -		    copy_to_user(&ifr->ifr_hwaddr.sa_data, tap->dev->dev_addr, ETH_ALEN) ||

> > -		    put_user(u, &ifr->ifr_hwaddr.sa_family))

> > +		    copy_to_user(&ifr->ifr_hwaddr, &sa, sizeof(sa)))

> >  			ret = -EFAULT;

> >  		tap_put_tap_dev(tap);

> >  		rtnl_unlock();

> 

> We copy whole "struct sockaddr".

> 

> > +int dev_get_mac_address(struct sockaddr *sa, struct net *net, char *dev_name)

> > +{

> > +	size_t size = sizeof(sa->sa_data);

> > +	struct net_device *dev;

> > +	int ret = 0;

> ...

> > +	if (!dev->addr_len)

> > +		memset(sa->sa_data, 0, size);

> > +	else

> > +		memcpy(sa->sa_data, dev->dev_addr,

> > +		       min_t(size_t, size, dev->addr_len));

> 

> But we only coppied dev->addr_len bytes in.

> 

> This would be very simple way to plug the leak.

> 

> Signed-off-by: Pavel Machek (CIP) <pavel@denx.de>

> 

> diff --git a/net/core/dev.c b/net/core/dev.c

> index 75ca6c6d01d6..b67ff23a1f0d 100644

> --- a/net/core/dev.c

> +++ b/net/core/dev.c

> @@ -8714,11 +8714,9 @@ int dev_get_mac_address(struct sockaddr *sa, struct net *net, char *dev_name)

>  		ret = -ENODEV;

>  		goto unlock;

>  	}

> -	if (!dev->addr_len)

> -		memset(sa->sa_data, 0, size);

> -	else

> -		memcpy(sa->sa_data, dev->dev_addr,

> -		       min_t(size_t, size, dev->addr_len));

> +	memset(sa->sa_data, 0, size);

> +	memcpy(sa->sa_data, dev->dev_addr,

> +	       min_t(size_t, size, dev->addr_len));

>  	sa->sa_family = dev->type;

>  

>  unlock:

> 


Please submit this change properly to the networking developers, they
are not going to pick anything up this way.

greg k-h

--- a/drivers/net/tap.c
+++ b/drivers/net/tap.c
@@ -1093,10 +1093,9 @@  static long tap_ioctl(struct file *file,
 			return -ENOLINK;
 		}
 		ret = 0;
-		u = tap->dev->type;
+		dev_get_mac_address(&sa, dev_net(tap->dev), tap->dev->name);
 		if (copy_to_user(&ifr->ifr_name, tap->dev->name, IFNAMSIZ) ||
-		    copy_to_user(&ifr->ifr_hwaddr.sa_data, tap->dev->dev_addr, ETH_ALEN) ||
-		    put_user(u, &ifr->ifr_hwaddr.sa_family))
+		    copy_to_user(&ifr->ifr_hwaddr, &sa, sizeof(sa)))
 			ret = -EFAULT;
 		tap_put_tap_dev(tap);
 		rtnl_unlock();
@@ -1111,7 +1110,7 @@  static long tap_ioctl(struct file *file,
 			rtnl_unlock();
 			return -ENOLINK;
 		}
-		ret = dev_set_mac_address(tap->dev, &sa, NULL);
+		ret = dev_set_mac_address_user(tap->dev, &sa, NULL);
 		tap_put_tap_dev(tap);
 		rtnl_unlock();
 		return ret;
--- a/drivers/net/tun.c
+++ b/drivers/net/tun.c
@@ -3157,15 +3157,14 @@  static long __tun_chr_ioctl(struct file
 
 	case SIOCGIFHWADDR:
 		/* Get hw address */
-		memcpy(ifr.ifr_hwaddr.sa_data, tun->dev->dev_addr, ETH_ALEN);
-		ifr.ifr_hwaddr.sa_family = tun->dev->type;
+		dev_get_mac_address(&ifr.ifr_hwaddr, net, tun->dev->name);
 		if (copy_to_user(argp, &ifr, ifreq_len))
 			ret = -EFAULT;
 		break;
 
 	case SIOCSIFHWADDR:
 		/* Set hw address */
-		ret = dev_set_mac_address(tun->dev, &ifr.ifr_hwaddr, NULL);
+		ret = dev_set_mac_address_user(tun->dev, &ifr.ifr_hwaddr, NULL);
 		break;
 
 	case TUNGETSNDBUF:
--- a/include/linux/netdevice.h
+++ b/include/linux/netdevice.h
@@ -3879,6 +3879,9 @@  int dev_pre_changeaddr_notify(struct net
 			      struct netlink_ext_ack *extack);
 int dev_set_mac_address(struct net_device *dev, struct sockaddr *sa,
 			struct netlink_ext_ack *extack);
+int dev_set_mac_address_user(struct net_device *dev, struct sockaddr *sa,
+			     struct netlink_ext_ack *extack);
+int dev_get_mac_address(struct sockaddr *sa, struct net *net, char *dev_name);
 int dev_change_carrier(struct net_device *, bool new_carrier);
 int dev_get_phys_port_id(struct net_device *dev,
 			 struct netdev_phys_item_id *ppid);
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -8686,6 +8686,48 @@  int dev_set_mac_address(struct net_devic
 }
 EXPORT_SYMBOL(dev_set_mac_address);
 
+static DECLARE_RWSEM(dev_addr_sem);
+
+int dev_set_mac_address_user(struct net_device *dev, struct sockaddr *sa,
+			     struct netlink_ext_ack *extack)
+{
+	int ret;
+
+	down_write(&dev_addr_sem);
+	ret = dev_set_mac_address(dev, sa, extack);
+	up_write(&dev_addr_sem);
+	return ret;
+}
+EXPORT_SYMBOL(dev_set_mac_address_user);
+
+int dev_get_mac_address(struct sockaddr *sa, struct net *net, char *dev_name)
+{
+	size_t size = sizeof(sa->sa_data);
+	struct net_device *dev;
+	int ret = 0;
+
+	down_read(&dev_addr_sem);
+	rcu_read_lock();
+
+	dev = dev_get_by_name_rcu(net, dev_name);
+	if (!dev) {
+		ret = -ENODEV;
+		goto unlock;
+	}
+	if (!dev->addr_len)
+		memset(sa->sa_data, 0, size);
+	else
+		memcpy(sa->sa_data, dev->dev_addr,
+		       min_t(size_t, size, dev->addr_len));
+	sa->sa_family = dev->type;
+
+unlock:
+	rcu_read_unlock();
+	up_read(&dev_addr_sem);
+	return ret;
+}
+EXPORT_SYMBOL(dev_get_mac_address);
+
 /**
  *	dev_change_carrier - Change device carrier
  *	@dev: device
--- a/net/core/dev_ioctl.c
+++ b/net/core/dev_ioctl.c
@@ -123,17 +123,6 @@  static int dev_ifsioc_locked(struct net
 		ifr->ifr_mtu = dev->mtu;
 		return 0;
 
-	case SIOCGIFHWADDR:
-		if (!dev->addr_len)
-			memset(ifr->ifr_hwaddr.sa_data, 0,
-			       sizeof(ifr->ifr_hwaddr.sa_data));
-		else
-			memcpy(ifr->ifr_hwaddr.sa_data, dev->dev_addr,
-			       min(sizeof(ifr->ifr_hwaddr.sa_data),
-				   (size_t)dev->addr_len));
-		ifr->ifr_hwaddr.sa_family = dev->type;
-		return 0;
-
 	case SIOCGIFSLAVE:
 		err = -EINVAL;
 		break;
@@ -274,7 +263,7 @@  static int dev_ifsioc(struct net *net, s
 	case SIOCSIFHWADDR:
 		if (dev->addr_len > sizeof(struct sockaddr))
 			return -EINVAL;
-		return dev_set_mac_address(dev, &ifr->ifr_hwaddr, NULL);
+		return dev_set_mac_address_user(dev, &ifr->ifr_hwaddr, NULL);
 
 	case SIOCSIFHWBROADCAST:
 		if (ifr->ifr_hwaddr.sa_family != dev->type)
@@ -418,6 +407,12 @@  int dev_ioctl(struct net *net, unsigned
 	 */
 
 	switch (cmd) {
+	case SIOCGIFHWADDR:
+		dev_load(net, ifr->ifr_name);
+		ret = dev_get_mac_address(&ifr->ifr_hwaddr, net, ifr->ifr_name);
+		if (colon)
+			*colon = ':';
+		return ret;
 	/*
 	 *	These ioctl calls:
 	 *	- can be done by all.
@@ -427,7 +422,6 @@  int dev_ioctl(struct net *net, unsigned
 	case SIOCGIFFLAGS:
 	case SIOCGIFMETRIC:
 	case SIOCGIFMTU:
-	case SIOCGIFHWADDR:
 	case SIOCGIFSLAVE:
 	case SIOCGIFMAP:
 	case SIOCGIFINDEX:
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -2658,7 +2658,7 @@  static int do_setlink(const struct sk_bu
 		sa->sa_family = dev->type;
 		memcpy(sa->sa_data, nla_data(tb[IFLA_ADDRESS]),
 		       dev->addr_len);
-		err = dev_set_mac_address(dev, sa, extack);
+		err = dev_set_mac_address_user(dev, sa, extack);
 		kfree(sa);
 		if (err)
 			goto errout;

[5.10,031/102] net: fix dev_ifsioc_locked() race condition

Commit Message

Comments

Patch