From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Jiri Benc <jbenc@redhat.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 4.9 17/72] vxlan: fix hlist corruption
Date: Wed, 19 Jul 2017 12:24:11 +0200 [thread overview]
Message-ID: <20170719102438.560641074@linuxfoundation.org> (raw)
In-Reply-To: <20170719102435.760649060@linuxfoundation.org>
4.9-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jiri Benc <jbenc@redhat.com>
[ Upstream commit 69e766612c4bcb79e19cebed9eed61d4222c1d47 ]
It's not a good idea to add the same hlist_node to two different hash lists.
This leads to various hard to debug memory corruptions.
Fixes: b1be00a6c39f ("vxlan: support both IPv4 and IPv6 sockets in a single vxlan device")
Signed-off-by: Jiri Benc <jbenc@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/vxlan.c | 30 ++++++++++++++++++++----------
include/net/vxlan.h | 10 +++++++++-
2 files changed, 29 insertions(+), 11 deletions(-)
--- a/drivers/net/vxlan.c
+++ b/drivers/net/vxlan.c
@@ -227,15 +227,15 @@ static struct vxlan_sock *vxlan_find_soc
static struct vxlan_dev *vxlan_vs_find_vni(struct vxlan_sock *vs, __be32 vni)
{
- struct vxlan_dev *vxlan;
+ struct vxlan_dev_node *node;
/* For flow based devices, map all packets to VNI 0 */
if (vs->flags & VXLAN_F_COLLECT_METADATA)
vni = 0;
- hlist_for_each_entry_rcu(vxlan, vni_head(vs, vni), hlist) {
- if (vxlan->default_dst.remote_vni == vni)
- return vxlan;
+ hlist_for_each_entry_rcu(node, vni_head(vs, vni), hlist) {
+ if (node->vxlan->default_dst.remote_vni == vni)
+ return node->vxlan;
}
return NULL;
@@ -2309,17 +2309,22 @@ static void vxlan_vs_del_dev(struct vxla
struct vxlan_net *vn = net_generic(vxlan->net, vxlan_net_id);
spin_lock(&vn->sock_lock);
- hlist_del_init_rcu(&vxlan->hlist);
+ hlist_del_init_rcu(&vxlan->hlist4.hlist);
+#if IS_ENABLED(CONFIG_IPV6)
+ hlist_del_init_rcu(&vxlan->hlist6.hlist);
+#endif
spin_unlock(&vn->sock_lock);
}
-static void vxlan_vs_add_dev(struct vxlan_sock *vs, struct vxlan_dev *vxlan)
+static void vxlan_vs_add_dev(struct vxlan_sock *vs, struct vxlan_dev *vxlan,
+ struct vxlan_dev_node *node)
{
struct vxlan_net *vn = net_generic(vxlan->net, vxlan_net_id);
__be32 vni = vxlan->default_dst.remote_vni;
+ node->vxlan = vxlan;
spin_lock(&vn->sock_lock);
- hlist_add_head_rcu(&vxlan->hlist, vni_head(vs, vni));
+ hlist_add_head_rcu(&node->hlist, vni_head(vs, vni));
spin_unlock(&vn->sock_lock);
}
@@ -2778,6 +2783,7 @@ static int __vxlan_sock_add(struct vxlan
{
struct vxlan_net *vn = net_generic(vxlan->net, vxlan_net_id);
struct vxlan_sock *vs = NULL;
+ struct vxlan_dev_node *node;
if (!vxlan->cfg.no_share) {
spin_lock(&vn->sock_lock);
@@ -2795,12 +2801,16 @@ static int __vxlan_sock_add(struct vxlan
if (IS_ERR(vs))
return PTR_ERR(vs);
#if IS_ENABLED(CONFIG_IPV6)
- if (ipv6)
+ if (ipv6) {
rcu_assign_pointer(vxlan->vn6_sock, vs);
- else
+ node = &vxlan->hlist6;
+ } else
#endif
+ {
rcu_assign_pointer(vxlan->vn4_sock, vs);
- vxlan_vs_add_dev(vs, vxlan);
+ node = &vxlan->hlist4;
+ }
+ vxlan_vs_add_dev(vs, vxlan, node);
return 0;
}
--- a/include/net/vxlan.h
+++ b/include/net/vxlan.h
@@ -221,9 +221,17 @@ struct vxlan_config {
bool no_share;
};
+struct vxlan_dev_node {
+ struct hlist_node hlist;
+ struct vxlan_dev *vxlan;
+};
+
/* Pseudo network device */
struct vxlan_dev {
- struct hlist_node hlist; /* vni hash table */
+ struct vxlan_dev_node hlist4; /* vni hash table for IPv4 socket */
+#if IS_ENABLED(CONFIG_IPV6)
+ struct vxlan_dev_node hlist6; /* vni hash table for IPv6 socket */
+#endif
struct list_head next; /* vxlan's per namespace list */
struct vxlan_sock __rcu *vn4_sock; /* listening socket for IPv4 */
#if IS_ENABLED(CONFIG_IPV6)
next prev parent reply other threads:[~2017-07-19 10:24 UTC|newest]
Thread overview: 67+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-07-19 10:23 [PATCH 4.9 00/72] 4.9.39-stable review Greg Kroah-Hartman
2017-07-19 10:23 ` [PATCH 4.9 01/72] xen-netfront: Rework the fix for Rx stall during OOM and network stress Greg Kroah-Hartman
2017-07-19 10:23 ` [PATCH 4.9 02/72] net_sched: fix error recovery at qdisc creation Greg Kroah-Hartman
2017-07-19 10:23 ` [PATCH 4.9 03/72] net: sched: Fix one possible panic when no destroy callback Greg Kroah-Hartman
2017-07-19 10:23 ` [PATCH 4.9 04/72] net/phy: micrel: configure intterupts after autoneg workaround Greg Kroah-Hartman
2017-07-19 10:23 ` [PATCH 4.9 05/72] ipv6: avoid unregistering inet6_dev for loopback Greg Kroah-Hartman
2017-07-19 10:24 ` [PATCH 4.9 06/72] net: dp83640: Avoid NULL pointer dereference Greg Kroah-Hartman
2017-07-19 10:24 ` [PATCH 4.9 07/72] tcp: reset sk_rx_dst in tcp_disconnect() Greg Kroah-Hartman
2017-07-19 10:24 ` [PATCH 4.9 08/72] net: prevent sign extension in dev_get_stats() Greg Kroah-Hartman
2017-07-19 10:24 ` [PATCH 4.9 09/72] bridge: mdb: fix leak on complete_info ptr on fail path Greg Kroah-Hartman
2017-07-19 10:24 ` [PATCH 4.9 10/72] rocker: move dereference before free Greg Kroah-Hartman
2017-07-19 10:24 ` [PATCH 4.9 11/72] bpf: prevent leaking pointer via xadd on unpriviledged Greg Kroah-Hartman
2017-07-19 10:24 ` [PATCH 4.9 13/72] net/mlx5: Cancel delayed recovery work when unloading the driver Greg Kroah-Hartman
2017-07-19 10:24 ` [PATCH 4.9 14/72] liquidio: fix bug in soft reset failure detection Greg Kroah-Hartman
2017-07-19 10:24 ` [PATCH 4.9 15/72] net/mlx5e: Fix TX carrier errors report in get stats ndo Greg Kroah-Hartman
2017-07-19 10:24 ` [PATCH 4.9 16/72] ipv6: dad: dont remove dynamic addresses if link is down Greg Kroah-Hartman
2017-07-19 10:24 ` Greg Kroah-Hartman [this message]
2017-07-19 10:24 ` [PATCH 4.9 18/72] net: core: Fix slab-out-of-bounds in netdev_stats_to_stats64 Greg Kroah-Hartman
2017-07-19 10:24 ` [PATCH 4.9 20/72] vrf: fix bug_on triggered by rx when destroying a vrf Greg Kroah-Hartman
2017-07-19 10:24 ` [PATCH 4.9 21/72] rds: tcp: use sock_create_lite() to create the accept socket Greg Kroah-Hartman
2017-07-19 10:24 ` [PATCH 4.9 23/72] brcmfmac: Fix a memory leak in error handling path in brcmf_cfg80211_attach Greg Kroah-Hartman
2017-07-19 10:24 ` [PATCH 4.9 24/72] brcmfmac: Fix glom_skb leak in brcmf_sdiod_recv_chain Greg Kroah-Hartman
2017-07-19 10:24 ` [PATCH 4.9 25/72] sfc: dont read beyond unicast address list Greg Kroah-Hartman
2017-07-19 10:24 ` [PATCH 4.9 26/72] cfg80211: Define nla_policy for NL80211_ATTR_LOCAL_MESH_POWER_MODE Greg Kroah-Hartman
2017-07-19 10:24 ` [PATCH 4.9 27/72] cfg80211: Validate frequencies nested in NL80211_ATTR_SCAN_FREQUENCIES Greg Kroah-Hartman
2017-07-19 10:24 ` [PATCH 4.9 28/72] cfg80211: Check if PMKID attribute is of expected size Greg Kroah-Hartman
2017-07-19 10:24 ` [PATCH 4.9 29/72] cfg80211: Check if NAN service ID " Greg Kroah-Hartman
2017-07-19 10:24 ` [PATCH 4.9 30/72] irqchip/gic-v3: Fix out-of-bound access in gic_set_affinity Greg Kroah-Hartman
2017-07-19 10:24 ` [PATCH 4.9 31/72] parisc: Report SIGSEGV instead of SIGBUS when running out of stack Greg Kroah-Hartman
2017-07-19 10:24 ` [PATCH 4.9 32/72] parisc: use compat_sys_keyctl() Greg Kroah-Hartman
2017-07-19 10:24 ` [PATCH 4.9 33/72] parisc: DMA API: return error instead of BUG_ON for dma ops on non dma devs Greg Kroah-Hartman
2017-07-19 10:24 ` [PATCH 4.9 34/72] parisc/mm: Ensure IRQs are off in switch_mm() Greg Kroah-Hartman
2017-07-19 10:24 ` [PATCH 4.9 35/72] tools/lib/lockdep: Reduce MAX_LOCK_DEPTH to avoid overflowing lock_chain/: Depth Greg Kroah-Hartman
2017-07-19 10:24 ` [PATCH 4.9 36/72] thp, mm: fix crash due race in MADV_FREE handling Greg Kroah-Hartman
2017-07-19 10:24 ` [PATCH 4.9 37/72] kernel/extable.c: mark core_kernel_text notrace Greg Kroah-Hartman
2017-07-19 10:24 ` [PATCH 4.9 38/72] mm/list_lru.c: fix list_lru_count_node() to be race free Greg Kroah-Hartman
2017-07-19 10:24 ` [PATCH 4.9 39/72] fs/dcache.c: fix spin lockup issue on nlru->lock Greg Kroah-Hartman
2017-07-19 10:24 ` [PATCH 4.9 40/72] checkpatch: silence perl 5.26.0 unescaped left brace warnings Greg Kroah-Hartman
2017-07-19 10:24 ` [PATCH 4.9 41/72] binfmt_elf: use ELF_ET_DYN_BASE only for PIE Greg Kroah-Hartman
2017-07-19 10:24 ` [PATCH 4.9 42/72] arm: move ELF_ET_DYN_BASE to 4MB Greg Kroah-Hartman
2017-07-19 10:24 ` [PATCH 4.9 43/72] arm64: move ELF_ET_DYN_BASE to 4GB / 4MB Greg Kroah-Hartman
2017-07-19 10:24 ` [PATCH 4.9 44/72] powerpc: " Greg Kroah-Hartman
2017-07-19 10:24 ` [PATCH 4.9 45/72] s390: reduce ELF_ET_DYN_BASE Greg Kroah-Hartman
2017-07-19 10:24 ` [PATCH 4.9 46/72] exec: Limit arg stack to at most 75% of _STK_LIM Greg Kroah-Hartman
2017-07-19 10:24 ` [PATCH 4.9 47/72] ARM64: dts: marvell: armada37xx: Fix timer interrupt specifiers Greg Kroah-Hartman
2017-07-19 10:24 ` [PATCH 4.9 48/72] vt: fix unchecked __put_user() in tioclinux ioctls Greg Kroah-Hartman
2017-07-19 10:24 ` [PATCH 4.9 49/72] rcu: Add memory barriers for NOCB leader wakeup Greg Kroah-Hartman
2017-07-19 10:24 ` [PATCH 4.9 50/72] nvmem: core: fix leaks on registration errors Greg Kroah-Hartman
2017-07-19 10:24 ` [PATCH 4.9 51/72] mnt: In umount propagation reparent in a separate pass Greg Kroah-Hartman
2017-07-19 10:24 ` [PATCH 4.9 52/72] mnt: In propgate_umount handle visiting mounts in any order Greg Kroah-Hartman
2017-07-19 10:24 ` [PATCH 4.9 53/72] mnt: Make propagate_umount less slow for overlapping mount propagation trees Greg Kroah-Hartman
2017-07-19 10:24 ` [PATCH 4.9 54/72] selftests/capabilities: Fix the test_execve test Greg Kroah-Hartman
2017-07-19 10:24 ` [PATCH 4.9 57/72] crypto: atmel - only treat EBUSY as transient if backlog Greg Kroah-Hartman
2017-07-19 10:24 ` [PATCH 4.9 58/72] crypto: sha1-ssse3 - Disable avx2 Greg Kroah-Hartman
2017-07-19 10:24 ` [PATCH 4.9 61/72] Revert "sched/core: Optimize SCHED_SMT" Greg Kroah-Hartman
2017-07-19 10:24 ` [PATCH 4.9 62/72] sched/fair, cpumask: Export for_each_cpu_wrap() Greg Kroah-Hartman
2017-07-19 10:24 ` [PATCH 4.9 63/72] sched/topology: Fix building of overlapping sched-groups Greg Kroah-Hartman
2017-07-19 10:24 ` [PATCH 4.9 64/72] sched/topology: Optimize build_group_mask() Greg Kroah-Hartman
2017-07-19 10:24 ` [PATCH 4.9 65/72] sched/topology: Fix overlapping sched_group_mask Greg Kroah-Hartman
2017-07-19 10:25 ` [PATCH 4.9 66/72] PM / wakeirq: Convert to SRCU Greg Kroah-Hartman
2017-07-19 10:25 ` [PATCH 4.9 67/72] PM / QoS: return -EINVAL for bogus strings Greg Kroah-Hartman
2017-07-19 10:25 ` [PATCH 4.9 68/72] tracing: Use SOFTIRQ_OFFSET for softirq dectection for more accurate results Greg Kroah-Hartman
2017-07-19 10:25 ` [PATCH 4.9 72/72] kvm: vmx: allow host to access guest MSR_IA32_BNDCFGS Greg Kroah-Hartman
2017-07-19 15:58 ` [PATCH 4.9 00/72] 4.9.39-stable review Sumit Semwal
2017-07-20 5:08 ` Greg Kroah-Hartman
2017-07-19 20:34 ` Guenter Roeck
2017-07-19 23:39 ` Shuah Khan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170719102438.560641074@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=davem@davemloft.net \
--cc=jbenc@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).