From: Gao feng <gaofeng@cn.fujitsu.com>
To: Stephen Hemminger <stephen@networkplumber.org>,
Jiri Pirko <jiri@resnulli.us>
Cc: jtluka@redhat.com, mst@redhat.com, netdev@vger.kernel.org,
bridge@lists.linux-foundation.org, edumazet@google.com,
laine@redhat.com, zhiguohong@tencent.com, davem@davemloft.net
Subject: Re: [Bridge] [patch net/stable v2] br: fix use of ->rx_handler_data in code executed on non-rx_handler path
Date: Fri, 06 Dec 2013 10:26:10 +0800 [thread overview]
Message-ID: <52A135C2.9020406@cn.fujitsu.com> (raw)
In-Reply-To: <20131205085514.4c079747@nehalam.linuxnetplumber.net>
On 12/06/2013 12:55 AM, Stephen Hemminger wrote:
> On Thu, 5 Dec 2013 16:27:37 +0100
> Jiri Pirko <jiri@resnulli.us> wrote:
>
>> br_stp_rcv() is reached by non-rx_handler path. That means there is no
>> guarantee that dev is bridge port and therefore simple NULL check of
>> ->rx_handler_data is not enough. There is need to check if dev is really
>> bridge port and since only rcu read lock is held here, do it by checking
>> ->rx_handler pointer.
>>
>> Note that synchronize_net() in netdev_rx_handler_unregister() ensures
>> this approach as valid.
>>
>
>
> I think this patch is simpler/better, it restores the old logic.
>
> Ps. submitting patches to bugzilla is a good way to have them ignored.
>
>>From Stephen Hemminger <stephen@networkplumber.org>
>
> Check that incoming STP packet is received on a port assigned to bridge
> before processing. It is possible to receive packet on non-bridge port
> because they are multicast.
>
> See:
> https://bugzilla.kernel.org/show_bug.cgi?id=64911
>
>
> Regression introduced by:
> commit 716ec052d2280d511e10e90ad54a86f5b5d4dcc2
> Author: Hong Zhiguo <zhiguohong@tencent.com>
> Date: Sat Sep 14 22:42:28 2013 +0800
>
> bridge: fix NULL pointer deref of br_port_get_rcu
>
>
> Reported-by: Alexander Y. Fomichev
> Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
>
>
> --- a/net/bridge/br_stp_bpdu.c 2013-06-11 09:50:21.522919061 -0700
> +++ b/net/bridge/br_stp_bpdu.c 2013-12-05 08:46:56.090463702 -0800
> @@ -153,6 +153,9 @@ void br_stp_rcv(const struct stp_proto *
> if (buf[0] != 0 || buf[1] != 0 || buf[2] != 0)
> goto err;
>
> + if (!br_port_exists(dev))
> + goto err;
> +
> p = br_port_get_rcu(dev);
> if (!p)
> goto err;
We alreay did some cleanup jobs before mark this dev is not a port of bridge (dev->priv_flags &= ~IFF_BRIDGE_PORT),
such as remove the fdb related to this port(br_fdb_delete_by_port).
and seems like after these cleanup jobs, before unregister this device, if new skb is received,
br_handle_local_finish will call br_fdb_update to create a new fdb whose dst points to the will-be-destroied-port.
I don't know if this will cause some problems.
seems we should also make sure port is unavailable before we do cleanup.
WARNING: multiple messages have this Message-ID (diff)
From: Gao feng <gaofeng@cn.fujitsu.com>
To: Stephen Hemminger <stephen@networkplumber.org>,
Jiri Pirko <jiri@resnulli.us>
Cc: netdev@vger.kernel.org, davem@davemloft.net, jtluka@redhat.com,
zhiguohong@tencent.com, bridge@lists.linux-foundation.org,
edumazet@google.com, laine@redhat.com, mst@redhat.com
Subject: Re: [patch net/stable v2] br: fix use of ->rx_handler_data in code executed on non-rx_handler path
Date: Fri, 06 Dec 2013 10:26:10 +0800 [thread overview]
Message-ID: <52A135C2.9020406@cn.fujitsu.com> (raw)
In-Reply-To: <20131205085514.4c079747@nehalam.linuxnetplumber.net>
On 12/06/2013 12:55 AM, Stephen Hemminger wrote:
> On Thu, 5 Dec 2013 16:27:37 +0100
> Jiri Pirko <jiri@resnulli.us> wrote:
>
>> br_stp_rcv() is reached by non-rx_handler path. That means there is no
>> guarantee that dev is bridge port and therefore simple NULL check of
>> ->rx_handler_data is not enough. There is need to check if dev is really
>> bridge port and since only rcu read lock is held here, do it by checking
>> ->rx_handler pointer.
>>
>> Note that synchronize_net() in netdev_rx_handler_unregister() ensures
>> this approach as valid.
>>
>
>
> I think this patch is simpler/better, it restores the old logic.
>
> Ps. submitting patches to bugzilla is a good way to have them ignored.
>
>>From Stephen Hemminger <stephen@networkplumber.org>
>
> Check that incoming STP packet is received on a port assigned to bridge
> before processing. It is possible to receive packet on non-bridge port
> because they are multicast.
>
> See:
> https://bugzilla.kernel.org/show_bug.cgi?id=64911
>
>
> Regression introduced by:
> commit 716ec052d2280d511e10e90ad54a86f5b5d4dcc2
> Author: Hong Zhiguo <zhiguohong@tencent.com>
> Date: Sat Sep 14 22:42:28 2013 +0800
>
> bridge: fix NULL pointer deref of br_port_get_rcu
>
>
> Reported-by: Alexander Y. Fomichev
> Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
>
>
> --- a/net/bridge/br_stp_bpdu.c 2013-06-11 09:50:21.522919061 -0700
> +++ b/net/bridge/br_stp_bpdu.c 2013-12-05 08:46:56.090463702 -0800
> @@ -153,6 +153,9 @@ void br_stp_rcv(const struct stp_proto *
> if (buf[0] != 0 || buf[1] != 0 || buf[2] != 0)
> goto err;
>
> + if (!br_port_exists(dev))
> + goto err;
> +
> p = br_port_get_rcu(dev);
> if (!p)
> goto err;
We alreay did some cleanup jobs before mark this dev is not a port of bridge (dev->priv_flags &= ~IFF_BRIDGE_PORT),
such as remove the fdb related to this port(br_fdb_delete_by_port).
and seems like after these cleanup jobs, before unregister this device, if new skb is received,
br_handle_local_finish will call br_fdb_update to create a new fdb whose dst points to the will-be-destroied-port.
I don't know if this will cause some problems.
seems we should also make sure port is unavailable before we do cleanup.
next prev parent reply other threads:[~2013-12-06 2:26 UTC|newest]
Thread overview: 40+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-12-05 15:27 [Bridge] [patch net/stable v2] br: fix use of ->rx_handler_data in code executed on non-rx_handler path Jiri Pirko
2013-12-05 15:27 ` Jiri Pirko
2013-12-05 15:35 ` [Bridge] " Michael S. Tsirkin
2013-12-05 15:35 ` Michael S. Tsirkin
2013-12-05 15:37 ` [Bridge] " Eric Dumazet
2013-12-05 15:37 ` Eric Dumazet
2013-12-05 16:55 ` [Bridge] " Stephen Hemminger
2013-12-05 16:55 ` Stephen Hemminger
2013-12-06 2:26 ` Gao feng [this message]
2013-12-06 2:26 ` Gao feng
2013-12-07 1:44 ` [Bridge] " Vlad Yasevich
2013-12-07 1:44 ` Vlad Yasevich
2013-12-06 20:43 ` [Bridge] " David Miller
2013-12-06 20:43 ` David Miller
2013-12-06 21:10 ` [Bridge] " Stephen Hemminger
2013-12-06 21:10 ` Stephen Hemminger
2013-12-06 21:16 ` [Bridge] " David Miller
2013-12-06 21:16 ` David Miller
2013-12-07 8:51 ` [Bridge] " Jiri Pirko
2013-12-07 8:51 ` Jiri Pirko
2013-12-07 17:42 ` [Bridge] " Stephen Hemminger
2013-12-07 17:42 ` Stephen Hemminger
2013-12-07 18:18 ` [Bridge] " Jiri Pirko
2013-12-07 18:18 ` Jiri Pirko
2013-12-07 19:10 ` [Bridge] " Vlad Yasevich
2013-12-07 19:10 ` Vlad Yasevich
2013-12-07 20:07 ` [Bridge] " Jiri Pirko
2013-12-07 20:07 ` Jiri Pirko
2013-12-09 2:07 ` [Bridge] " Vlad Yasevich
2013-12-09 2:07 ` Vlad Yasevich
2013-12-09 9:36 ` [Bridge] " Jiri Pirko
2013-12-09 9:36 ` Jiri Pirko
2013-12-09 11:58 ` [Bridge] " Michael S. Tsirkin
2013-12-09 11:58 ` Michael S. Tsirkin
2013-12-09 12:13 ` [Bridge] " Jiri Pirko
2013-12-09 12:13 ` Jiri Pirko
2013-12-09 19:31 ` [Bridge] " Vlad Yasevich
2013-12-09 19:31 ` Vlad Yasevich
2013-12-09 21:52 ` [Bridge] " Jiri Pirko
2013-12-09 21:52 ` Jiri Pirko
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=52A135C2.9020406@cn.fujitsu.com \
--to=gaofeng@cn.fujitsu.com \
--cc=bridge@lists.linux-foundation.org \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=jiri@resnulli.us \
--cc=jtluka@redhat.com \
--cc=laine@redhat.com \
--cc=mst@redhat.com \
--cc=netdev@vger.kernel.org \
--cc=stephen@networkplumber.org \
--cc=zhiguohong@tencent.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.