From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Laine Stump <laine@redhat.com>,
"Michael S. Tsirkin" <mst@redhat.com>,
Jiri Pirko <jiri@resnulli.us>, Eric Dumazet <edumazet@google.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 3.12 11/77] br: fix use of ->rx_handler_data in code executed on non-rx_handler path
Date: Mon, 13 Jan 2014 16:27:32 -0800 [thread overview]
Message-ID: <20140114002752.822231261@linuxfoundation.org> (raw)
In-Reply-To: <20140114002752.497010554@linuxfoundation.org>
3.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jiri Pirko <jiri@resnulli.us>
[ Upstream commit 859828c0ea476b42f3a93d69d117aaba90994b6f ]
br_stp_rcv() is reached by non-rx_handler path. That means there is no
guarantee that dev is bridge port and therefore simple NULL check of
->rx_handler_data is not enough. There is need to check if dev is really
bridge port and since only rcu read lock is held here, do it by checking
->rx_handler pointer.
Note that synchronize_net() in netdev_rx_handler_unregister() ensures
this approach as valid.
Introduced originally by:
commit f350a0a87374418635689471606454abc7beaa3a
"bridge: use rx_handler_data pointer to store net_bridge_port pointer"
Fixed but not in the best way by:
commit b5ed54e94d324f17c97852296d61a143f01b227a
"bridge: fix RCU races with bridge port"
Reintroduced by:
commit 716ec052d2280d511e10e90ad54a86f5b5d4dcc2
"bridge: fix NULL pointer deref of br_port_get_rcu"
Please apply to stable trees as well. Thanks.
RH bugzilla reference: https://bugzilla.redhat.com/show_bug.cgi?id=1025770
Reported-by: Laine Stump <laine@redhat.com>
Debugged-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Jiri Pirko <jiri@resnulli.us>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/bridge/br_private.h | 10 ++++++++++
net/bridge/br_stp_bpdu.c | 2 +-
2 files changed, 11 insertions(+), 1 deletion(-)
--- a/net/bridge/br_private.h
+++ b/net/bridge/br_private.h
@@ -442,6 +442,16 @@ extern netdev_features_t br_features_rec
extern int br_handle_frame_finish(struct sk_buff *skb);
extern rx_handler_result_t br_handle_frame(struct sk_buff **pskb);
+static inline bool br_rx_handler_check_rcu(const struct net_device *dev)
+{
+ return rcu_dereference(dev->rx_handler) == br_handle_frame;
+}
+
+static inline struct net_bridge_port *br_port_get_check_rcu(const struct net_device *dev)
+{
+ return br_rx_handler_check_rcu(dev) ? br_port_get_rcu(dev) : NULL;
+}
+
/* br_ioctl.c */
extern int br_dev_ioctl(struct net_device *dev, struct ifreq *rq, int cmd);
extern int br_ioctl_deviceless_stub(struct net *net, unsigned int cmd, void __user *arg);
--- a/net/bridge/br_stp_bpdu.c
+++ b/net/bridge/br_stp_bpdu.c
@@ -153,7 +153,7 @@ void br_stp_rcv(const struct stp_proto *
if (buf[0] != 0 || buf[1] != 0 || buf[2] != 0)
goto err;
- p = br_port_get_rcu(dev);
+ p = br_port_get_check_rcu(dev);
if (!p)
goto err;
next prev parent reply other threads:[~2014-01-14 0:28 UTC|newest]
Thread overview: 84+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-01-14 0:27 [PATCH 3.12 00/77] 3.12.8-stable review Greg Kroah-Hartman
2014-01-14 0:27 ` [PATCH 3.12 01/77] IPv6: Fixed support for blackhole and prohibit routes Greg Kroah-Hartman
2014-01-14 0:27 ` [PATCH 3.12 02/77] net: do not pretend FRAGLIST support Greg Kroah-Hartman
2014-01-14 0:27 ` [PATCH 3.12 03/77] rds: prevent BUG_ON triggered on congestion update to loopback Greg Kroah-Hartman
2014-01-14 0:27 ` [PATCH 3.12 04/77] net: clear local_df when passing skb between namespaces Greg Kroah-Hartman
2014-01-14 0:27 ` [PATCH 3.12 05/77] macvtap: update file current position Greg Kroah-Hartman
2014-01-14 0:27 ` [PATCH 3.12 06/77] tun: " Greg Kroah-Hartman
2014-01-14 0:27 ` [PATCH 3.12 07/77] tun: unbreak truncated packet signalling Greg Kroah-Hartman
2014-01-14 0:27 ` [PATCH 3.12 08/77] macvtap: Do not double-count received packets Greg Kroah-Hartman
2014-01-14 0:27 ` [PATCH 3.12 09/77] macvtap: signal truncated packets Greg Kroah-Hartman
2014-01-14 0:27 ` [PATCH 3.12 10/77] virtio: delete napi structures from netdev before releasing memory Greg Kroah-Hartman
2014-01-14 0:27 ` Greg Kroah-Hartman [this message]
2014-01-14 0:27 ` [PATCH 3.12 12/77] packet: fix send path when running with proto == 0 Greg Kroah-Hartman
2014-01-14 0:27 ` [PATCH 3.12 13/77] ipv6: dont count addrconf generated routes against gc limit Greg Kroah-Hartman
2014-01-14 0:27 ` [PATCH 3.12 14/77] net: drop_monitor: fix the value of maxattr Greg Kroah-Hartman
2014-01-14 0:27 ` [PATCH 3.12 15/77] inet: fix NULL pointer Oops in fib(6)_rule_suppress Greg Kroah-Hartman
2014-01-14 0:27 ` [PATCH 3.12 16/77] net: unix: allow set_peek_off to fail Greg Kroah-Hartman
2014-01-14 0:27 ` [PATCH 3.12 17/77] vxlan: release rt when found circular route Greg Kroah-Hartman
2014-01-14 0:27 ` [PATCH 3.12 18/77] tg3: Initialize REG_BASE_ADDR at PCI config offset 120 to 0 Greg Kroah-Hartman
2014-01-14 0:27 ` [PATCH 3.12 19/77] netvsc: dont flush peers notifying work during setting mtu Greg Kroah-Hartman
2014-01-14 0:27 ` [PATCH 3.12 20/77] ipv6: fix illegal mac_header comparison on 32bit Greg Kroah-Hartman
2014-01-14 0:27 ` [PATCH 3.12 21/77] net: unix: allow bind to fail on mutex lock Greg Kroah-Hartman
2014-01-14 0:27 ` [PATCH 3.12 23/77] net: inet_diag: zero out uninitialized idiag_{src,dst} fields Greg Kroah-Hartman
2014-01-14 0:27 ` [PATCH 3.12 24/77] drivers/net/hamradio: Integer overflow in hdlcdrv_ioctl() Greg Kroah-Hartman
2014-01-14 0:27 ` [PATCH 3.12 26/77] net: fec: fix potential use after free Greg Kroah-Hartman
2014-01-14 0:27 ` [PATCH 3.12 27/77] ipv6: always set the new created dsts from in ip6_rt_copy Greg Kroah-Hartman
2014-01-14 0:27 ` [PATCH 3.12 28/77] rds: prevent dereference of a NULL device Greg Kroah-Hartman
2014-01-14 0:27 ` [PATCH 3.12 29/77] arc_emac: fix potential use after free Greg Kroah-Hartman
2014-01-14 0:27 ` [PATCH 3.12 30/77] net: rose: restore old recvmsg behavior Greg Kroah-Hartman
2014-01-14 0:27 ` [PATCH 3.12 31/77] vlan: Fix header ops passthru when doing TX VLAN offload Greg Kroah-Hartman
2014-01-14 0:27 ` [PATCH 3.12 32/77] virtio_net: fix error handling for mergeable buffers Greg Kroah-Hartman
2014-01-14 0:27 ` [PATCH 3.12 33/77] virtio-net: make all RX paths handle errors consistently Greg Kroah-Hartman
2014-01-14 0:27 ` [PATCH 3.12 34/77] virtio_net: dont leak memory or block when too many frags Greg Kroah-Hartman
2014-01-14 0:27 ` [PATCH 3.12 35/77] ipv4: fix tunneled VM traffic over hw VXLAN/GRE GSO NIC Greg Kroah-Hartman
2014-01-14 0:27 ` [PATCH 3.12 36/77] virtio-net: fix refill races during restore Greg Kroah-Hartman
2014-01-14 0:27 ` [PATCH 3.12 37/77] net: llc: fix use after free in llc_ui_recvmsg Greg Kroah-Hartman
2014-01-14 0:27 ` [PATCH 3.12 38/77] netpoll: Fix missing TXQ unlock and and OOPS Greg Kroah-Hartman
2014-01-14 0:28 ` [PATCH 3.12 39/77] bridge: use spin_lock_bh() in br_multicast_set_hash_max Greg Kroah-Hartman
2014-01-14 0:28 ` [PATCH 3.12 40/77] sfc: Add length checks to efx_xmit_with_hwtstamp() and efx_ptp_is_ptp_tx() Greg Kroah-Hartman
2014-01-14 0:45 ` Ben Hutchings
2014-01-16 10:50 ` Luis Henriques
2014-01-16 19:42 ` David Miller
2014-01-16 20:51 ` Luis Henriques
2014-01-16 21:15 ` Ben Hutchings
2014-01-14 0:28 ` [PATCH 3.12 41/77] sfc: PTP: Moderate log message on event queue overflow Greg Kroah-Hartman
2014-01-14 0:28 ` [PATCH 3.12 42/77] sfc: Rate-limit log message for PTP packets without a matching timestamp event Greg Kroah-Hartman
2014-01-14 0:28 ` [PATCH 3.12 43/77] sfc: Stop/re-start PTP when stopping/starting the datapath Greg Kroah-Hartman
2014-01-14 0:28 ` [PATCH 3.12 44/77] sfc: Maintain current frequency adjustment when applying a time offset Greg Kroah-Hartman
2014-01-14 0:28 ` [PATCH 3.12 45/77] sfc: RX buffer allocation takes prefix size into account in IP header alignment Greg Kroah-Hartman
2014-01-14 0:28 ` [PATCH 3.12 46/77] sfc: Refactor efx_mcdi_poll() by introducing efx_mcdi_poll_once() Greg Kroah-Hartman
2014-01-14 0:28 ` [PATCH 3.12 47/77] sfc: Poll for MCDI completion once before timeout occurs Greg Kroah-Hartman
2014-01-14 0:28 ` [PATCH 3.12 48/77] ARM: fix footbridge clockevent device Greg Kroah-Hartman
2014-01-14 0:28 ` [PATCH 3.12 49/77] ARM: fix "bad mode in ... handler" message for undefined instructions Greg Kroah-Hartman
2014-01-14 0:28 ` [PATCH 3.12 50/77] ARM: 7923/1: mm: fix dcache flush logic for compound high pages Greg Kroah-Hartman
2014-01-14 0:28 ` [PATCH 3.12 51/77] ARM: dts: exynos5250: Fix MDMA0 clock number Greg Kroah-Hartman
2014-01-14 0:28 ` [PATCH 3.12 52/77] ARM: shmobile: kzm9g: Fix coherent DMA mask Greg Kroah-Hartman
2014-01-14 0:28 ` [PATCH 3.12 53/77] ARM: shmobile: armadillo: " Greg Kroah-Hartman
2014-01-14 0:28 ` [PATCH 3.12 54/77] ARM: shmobile: mackerel: " Greg Kroah-Hartman
2014-01-14 0:28 ` [PATCH 3.12 56/77] parisc: Ensure full cache coherency for kmap/kunmap Greg Kroah-Hartman
2014-01-14 0:28 ` [PATCH 3.12 57/77] ahci: add PCI ID for Marvell 88SE9170 SATA controller Greg Kroah-Hartman
2014-01-14 0:28 ` [PATCH 3.12 58/77] clk: clk-divider: fix divisor > 255 bug Greg Kroah-Hartman
2014-01-14 0:28 ` Greg Kroah-Hartman
2014-01-14 0:28 ` [PATCH 3.12 59/77] clk: samsung: exynos4: Correct SRC_MFC register Greg Kroah-Hartman
2014-01-14 0:28 ` [PATCH 3.12 60/77] clk: samsung: exynos5250: Fix ACP gate register offset Greg Kroah-Hartman
2014-01-14 0:28 ` [PATCH 3.12 61/77] clk: samsung: exynos5250: Add MDMA0 clocks Greg Kroah-Hartman
2014-01-14 0:28 ` [PATCH 3.12 62/77] clk: samsung: exynos5250: Add CLK_IGNORE_UNUSED flag for the sysreg clock Greg Kroah-Hartman
2014-01-14 0:28 ` [PATCH 3.12 63/77] clk: exynos5250: fix sysmmu_mfc{l,r} gate clocks Greg Kroah-Hartman
2014-01-14 0:28 ` [PATCH 3.12 65/77] mfd: rtsx_pcr: Disable interrupts before cancelling delayed works Greg Kroah-Hartman
2014-01-14 0:28 ` [PATCH 3.12 66/77] ACPI / TPM: fix memory leak when walking ACPI namespace Greg Kroah-Hartman
2014-01-14 0:28 ` [PATCH 3.12 67/77] ACPI / Battery: Add a _BIX quirk for NEC LZ750/LS Greg Kroah-Hartman
2014-01-14 0:28 ` [PATCH 3.12 68/77] mac80211: move "bufferable MMPDU" check to fix AP mode scan Greg Kroah-Hartman
2014-01-14 0:28 ` [PATCH 3.12 69/77] intel_pstate: Add X86_FEATURE_APERFMPERF to cpu match parameters Greg Kroah-Hartman
2014-01-14 0:28 ` [PATCH 3.12 70/77] SCSI: sd: Reduce buffer size for vpd request Greg Kroah-Hartman
2014-01-14 0:28 ` [PATCH 3.12 71/77] netfilter: fix wrong byte order in nf_ct_seqadj_set internal information Greg Kroah-Hartman
2014-01-14 0:28 ` [PATCH 3.12 72/77] netfilter: nf_nat: fix access to uninitialized buffer in IRC NAT helper Greg Kroah-Hartman
2014-01-14 0:28 ` [PATCH 3.12 73/77] x86, fpu, amd: Clear exceptions in AMD FXSAVE workaround Greg Kroah-Hartman
2014-01-14 0:28 ` [PATCH 3.12 74/77] sched: Fix race on toggling cfs_bandwidth_used Greg Kroah-Hartman
2014-01-14 0:28 ` [PATCH 3.12 75/77] sched: Fix cfs_bandwidth misuse of hrtimer_expires_remaining Greg Kroah-Hartman
2014-01-14 0:28 ` [PATCH 3.12 76/77] sched: Fix hrtimer_cancel()/rq->lock deadlock Greg Kroah-Hartman
2014-01-14 0:28 ` [PATCH 3.12 77/77] sched: Guarantee new group-entities always have weight Greg Kroah-Hartman
2014-01-14 3:03 ` [PATCH 3.12 00/77] 3.12.8-stable review Guenter Roeck
2014-01-14 14:42 ` Satoru Takeuchi
2014-01-14 23:12 ` Greg Kroah-Hartman
2014-01-14 19:31 ` Shuah Khan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140114002752.822231261@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=jiri@resnulli.us \
--cc=laine@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mst@redhat.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.