From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
Zhang Zhengming <zhangzhengming@huawei.com>,
Zhao Lei <zhaolei69@huawei.com>,
Wang Xiaogang <wangxiaogang3@huawei.com>,
Nikolay Aleksandrov <nikolay@nvidia.com>,
"David S. Miller" <davem@davemloft.net>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 5.4 24/37] bridge: Fix possible races between assigning rx_handler_data and setting IFF_BRIDGE_PORT bit
Date: Thu, 20 May 2021 11:22:45 +0200 [thread overview]
Message-ID: <20210520092053.071466519@linuxfoundation.org> (raw)
In-Reply-To: <20210520092052.265851579@linuxfoundation.org>
From: Zhang Zhengming <zhangzhengming@huawei.com>
[ Upstream commit 59259ff7a81b9eb6213891c6451221e567f8f22f ]
There is a crash in the function br_get_link_af_size_filtered,
as the port_exists(dev) is true and the rx_handler_data of dev is NULL.
But the rx_handler_data of dev is correct saved in vmcore.
The oops looks something like:
...
pc : br_get_link_af_size_filtered+0x28/0x1c8 [bridge]
...
Call trace:
br_get_link_af_size_filtered+0x28/0x1c8 [bridge]
if_nlmsg_size+0x180/0x1b0
rtnl_calcit.isra.12+0xf8/0x148
rtnetlink_rcv_msg+0x334/0x370
netlink_rcv_skb+0x64/0x130
rtnetlink_rcv+0x28/0x38
netlink_unicast+0x1f0/0x250
netlink_sendmsg+0x310/0x378
sock_sendmsg+0x4c/0x70
__sys_sendto+0x120/0x150
__arm64_sys_sendto+0x30/0x40
el0_svc_common+0x78/0x130
el0_svc_handler+0x38/0x78
el0_svc+0x8/0xc
In br_add_if(), we found there is no guarantee that
assigning rx_handler_data to dev->rx_handler_data
will before setting the IFF_BRIDGE_PORT bit of priv_flags.
So there is a possible data competition:
CPU 0: CPU 1:
(RCU read lock) (RTNL lock)
rtnl_calcit() br_add_slave()
if_nlmsg_size() br_add_if()
br_get_link_af_size_filtered() -> netdev_rx_handler_register
...
// The order is not guaranteed
... -> dev->priv_flags |= IFF_BRIDGE_PORT;
// The IFF_BRIDGE_PORT bit of priv_flags has been set
-> if (br_port_exists(dev)) {
// The dev->rx_handler_data has NOT been assigned
-> p = br_port_get_rcu(dev);
....
-> rcu_assign_pointer(dev->rx_handler_data, rx_handler_data);
...
Fix it in br_get_link_af_size_filtered, using br_port_get_check_rcu() and checking the return value.
Signed-off-by: Zhang Zhengming <zhangzhengming@huawei.com>
Reviewed-by: Zhao Lei <zhaolei69@huawei.com>
Reviewed-by: Wang Xiaogang <wangxiaogang3@huawei.com>
Suggested-by: Nikolay Aleksandrov <nikolay@nvidia.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bridge/br_netlink.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/net/bridge/br_netlink.c b/net/bridge/br_netlink.c
index a0a54482aabc..8a664148f57a 100644
--- a/net/bridge/br_netlink.c
+++ b/net/bridge/br_netlink.c
@@ -99,8 +99,9 @@ static size_t br_get_link_af_size_filtered(const struct net_device *dev,
rcu_read_lock();
if (netif_is_bridge_port(dev)) {
- p = br_port_get_rcu(dev);
- vg = nbp_vlan_group_rcu(p);
+ p = br_port_get_check_rcu(dev);
+ if (p)
+ vg = nbp_vlan_group_rcu(p);
} else if (dev->priv_flags & IFF_EBRIDGE) {
br = netdev_priv(dev);
vg = br_vlan_group_rcu(br);
--
2.30.2
next prev parent reply other threads:[~2021-05-20 9:36 UTC|newest]
Thread overview: 46+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-05-20 9:22 [PATCH 5.4 00/37] 5.4.121-rc1 review Greg Kroah-Hartman
2021-05-20 9:22 ` [PATCH 5.4 01/37] x86/msr: Fix wr/rdmsr_safe_regs_on_cpu() prototypes Greg Kroah-Hartman
2021-05-20 9:22 ` [PATCH 5.4 02/37] kgdb: fix gcc-11 warning on indentation Greg Kroah-Hartman
2021-05-20 9:22 ` [PATCH 5.4 03/37] usb: sl811-hcd: improve misleading indentation Greg Kroah-Hartman
2021-05-20 9:22 ` [PATCH 5.4 04/37] cxgb4: Fix the -Wmisleading-indentation warning Greg Kroah-Hartman
2021-05-20 9:22 ` [PATCH 5.4 05/37] isdn: capi: fix mismatched prototypes Greg Kroah-Hartman
2021-05-20 9:22 ` [PATCH 5.4 06/37] pinctrl: ingenic: Improve unreachable code generation Greg Kroah-Hartman
2021-05-20 9:22 ` [PATCH 5.4 07/37] xsk: Simplify detection of empty and full rings Greg Kroah-Hartman
2021-05-20 9:22 ` [PATCH 5.4 08/37] virtio_net: Do not pull payload in skb->head Greg Kroah-Hartman
2021-05-20 9:22 ` Greg Kroah-Hartman
2021-05-20 9:22 ` [PATCH 5.4 09/37] ARM: 9058/1: cache-v7: refactor v7_invalidate_l1 to avoid clobbering r5/r6 Greg Kroah-Hartman
2021-05-20 9:22 ` [PATCH 5.4 10/37] PCI: thunder: Fix compile testing Greg Kroah-Hartman
2021-05-20 9:22 ` [PATCH 5.4 11/37] dmaengine: dw-edma: Fix crash on loading/unloading driver Greg Kroah-Hartman
2021-05-20 9:22 ` [PATCH 5.4 12/37] ARM: 9066/1: ftrace: pause/unpause function graph tracer in cpu_suspend() Greg Kroah-Hartman
2021-05-20 9:22 ` [PATCH 5.4 13/37] ACPI / hotplug / PCI: Fix reference count leak in enable_slot() Greg Kroah-Hartman
2021-05-20 9:22 ` [PATCH 5.4 14/37] Input: elants_i2c - do not bind to i2c-hid compatible ACPI instantiated devices Greg Kroah-Hartman
2021-05-20 9:22 ` [PATCH 5.4 15/37] Input: silead - add workaround for x86 BIOS-es which bring the chip up in a stuck state Greg Kroah-Hartman
2021-05-20 9:22 ` [PATCH 5.4 16/37] um: Mark all kernel symbols as local Greg Kroah-Hartman
2021-05-20 9:22 ` [PATCH 5.4 17/37] um: Disable CONFIG_GCOV with MODULES Greg Kroah-Hartman
2021-05-20 9:22 ` [PATCH 5.4 18/37] ARM: 9075/1: kernel: Fix interrupted SMC calls Greg Kroah-Hartman
2021-05-20 9:22 ` [PATCH 5.4 19/37] scripts/recordmcount.pl: Fix RISC-V regex for clang Greg Kroah-Hartman
2021-05-20 9:22 ` [PATCH 5.4 20/37] riscv: Workaround mcount name prior to clang-13 Greg Kroah-Hartman
2021-05-20 9:22 ` [PATCH 5.4 21/37] scsi: lpfc: Fix illegal memory access on Abort IOCBs Greg Kroah-Hartman
2021-05-20 9:22 ` [PATCH 5.4 22/37] ceph: fix fscache invalidation Greg Kroah-Hartman
2021-05-20 9:22 ` [PATCH 5.4 23/37] scsi: target: tcmu: Return from tcmu_handle_completions() if cmd_id not found Greg Kroah-Hartman
2021-05-20 9:22 ` Greg Kroah-Hartman [this message]
2021-05-20 9:22 ` [PATCH 5.4 25/37] drm/amd/display: Fix two cursor duplication when using overlay Greg Kroah-Hartman
2021-05-20 9:22 ` [PATCH 5.4 26/37] gpiolib: acpi: Add quirk to ignore EC wakeups on Dell Venue 10 Pro 5055 Greg Kroah-Hartman
2021-05-20 9:22 ` [PATCH 5.4 27/37] ALSA: hda: generic: change the DAC ctl name for LO+SPK or LO+HP Greg Kroah-Hartman
2021-05-20 9:22 ` [PATCH 5.4 28/37] block: reexpand iov_iter after read/write Greg Kroah-Hartman
2021-05-20 9:22 ` [PATCH 5.4 29/37] lib: stackdepot: turn depot_lock spinlock to raw_spinlock Greg Kroah-Hartman
2021-05-20 9:22 ` [PATCH 5.4 30/37] net: stmmac: Do not enable RX FIFO overflow interrupts Greg Kroah-Hartman
2021-05-20 9:22 ` [PATCH 5.4 31/37] ip6_gre: proper dev_{hold|put} in ndo_[un]init methods Greg Kroah-Hartman
2021-05-20 9:22 ` [PATCH 5.4 32/37] sit: " Greg Kroah-Hartman
2021-05-20 9:22 ` [PATCH 5.4 33/37] ip6_tunnel: " Greg Kroah-Hartman
2021-05-20 9:22 ` [PATCH 5.4 34/37] ipv6: remove extra dev_hold() for fallback tunnels Greg Kroah-Hartman
2021-05-20 9:22 ` [PATCH 5.4 35/37] KVM: arm64: Initialize VCPU mdcr_el2 before loading it Greg Kroah-Hartman
2021-05-20 9:22 ` [PATCH 5.4 36/37] tweewide: Fix most Shebang lines Greg Kroah-Hartman
2021-05-20 9:22 ` [PATCH 5.4 37/37] scripts: switch explicitly to Python 3 Greg Kroah-Hartman
2021-05-20 15:24 ` [PATCH 5.4 00/37] 5.4.121-rc1 review Jon Hunter
2021-05-20 21:44 ` Shuah Khan
2021-05-20 22:53 ` Guenter Roeck
2021-05-21 4:39 ` Florian Fainelli
2021-05-22 9:39 ` Greg Kroah-Hartman
2021-05-21 5:23 ` Naresh Kamboju
2021-05-21 18:21 ` Sudip Mukherjee
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210520092053.071466519@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=davem@davemloft.net \
--cc=linux-kernel@vger.kernel.org \
--cc=nikolay@nvidia.com \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
--cc=wangxiaogang3@huawei.com \
--cc=zhangzhengming@huawei.com \
--cc=zhaolei69@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.