linux-kernel.vger.kernel.org archive mirror
From: lizf@kernel.org
To: stable@vger.kernel.org
Cc: linux-kernel@vger.kernel.org,
	Nikolay Aleksandrov <razor@blackwall.org>,
	"David S. Miller" <davem@davemloft.net>,
	Zefan Li <lizefan@huawei.com>
Subject: [PATCH 3.4 36/65] bridge: fix br_stp_set_bridge_priority race conditions
Date: Tue, 20 Oct 2015 08:47:46 +0800
Message-ID: <1445302095-4695-36-git-send-email-lizf@kernel.org>
In-Reply-To: <1445302030-4607-1-git-send-email-lizf@kernel.org>

From: Nikolay Aleksandrov <razor@blackwall.org>

3.4.110-rc1 review patch.  If anyone has any objections, please let me know.

------------------


commit 2dab80a8b486f02222a69daca6859519e05781d9 upstream.

After the ->set() spinlocks were removed br_stp_set_bridge_priority
was left running without any protection when used via sysfs. It can
race with port add/del and could result in use-after-free cases and
corrupted lists. Tested by running port add/del in a loop with stp
enabled while setting priority in a loop, crashes are easily
reproducible.
The spinlocks around sysfs ->set() were removed in commit:
14f98f258f19 ("bridge: range check STP parameters")
There's also a race condition in the netlink priority support that is
fixed by this change, but it was introduced recently and the fixes tag
covers it, just in case it's needed the commit is:
af615762e972 ("bridge: add ageing_time, stp_state, priority over netlink")

Signed-off-by: Nikolay Aleksandrov <razor@blackwall.org>
Fixes: 14f98f258f19 ("bridge: range check STP parameters")
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Zefan Li <lizefan@huawei.com>
---
 net/bridge/br_ioctl.c  | 2 --
 net/bridge/br_stp_if.c | 4 +++-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/net/bridge/br_ioctl.c b/net/bridge/br_ioctl.c
index 7222fe1..ea0e15c 100644
--- a/net/bridge/br_ioctl.c
+++ b/net/bridge/br_ioctl.c
@@ -246,9 +246,7 @@ static int old_dev_ioctl(struct net_device *dev, struct ifreq *rq, int cmd)
 		if (!capable(CAP_NET_ADMIN))
 			return -EPERM;
 
-		spin_lock_bh(&br->lock);
 		br_stp_set_bridge_priority(br, args[1]);
-		spin_unlock_bh(&br->lock);
 		return 0;
 
 	case BRCTL_SET_PORT_PRIORITY:
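Review bot: Dropping the spin_lock_bh/spin_unlock_bh pair around the call in old_dev_ioctl is safe only if every other caller of br_stp_set_bridge_priority is also lock-free, because spin_lock_bh(&br->lock) is not recursive and the function now takes the lock itself. The commit message names sysfs and netlink as other entry points, while this backport touches only the ioctl path, so confirm against the 3.4 tree that no remaining caller still holds br->lock across the call, which would self-deadlock.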
diff --git a/net/bridge/br_stp_if.c b/net/bridge/br_stp_if.c
index 2f100cc..23ea159 100644
--- a/net/bridge/br_stp_if.c
+++ b/net/bridge/br_stp_if.c
@@ -242,12 +242,13 @@ bool br_stp_recalculate_bridge_id(struct net_bridge *br)
 	return true;
 }
 
-/* called under bridge lock */
+/* Acquires and releases bridge lock */
 void br_stp_set_bridge_priority(struct net_bridge *br, u16 newprio)
 {
 	struct net_bridge_port *p;
 	int wasroot;
 
+	spin_lock_bh(&br->lock);
 	wasroot = br_is_root_bridge(br);
 
 	list_for_each_entry(p, &br->port_list, list) {
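Review bot: The new comment above br_stp_set_bridge_priority says what the function does but not what callers must do; since the contract inverted from "called under bridge lock", spell it out, for example "Acquires and releases bridge lock; caller must not hold br->lock". Taking the lock before br_is_root_bridge() and the list_for_each_entry() walk over br->port_list is the right placement, since that walk is what the commit message says races with port add/del.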
@@ -265,6 +266,7 @@ void br_stp_set_bridge_priority(struct net_bridge *br, u16 newprio)
 	br_port_state_selection(br);
 	if (br_is_root_bridge(br) && !wasroot)
 		br_become_root_bridge(br);
+	spin_unlock_bh(&br->lock);
 }
 
 /* called under bridge lock */
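Review bot: The spin_unlock_bh(&br->lock) added at the end of the function pairs with the new lock only if the body between the two hunks has no early exit, and that part is not visible here; check the 3.4 version of the loop for a return or goto that would leave with br->lock held. The next function in the file still carries "called under bridge lock", so two adjacent helpers now have opposite locking contracts and the comments are the only thing telling them apart.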
-- 
1.9.1

