From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Nikolay Aleksandrov , "David S. Miller" Subject: [PATCH 4.19 20/49] net: bridge: fix stale eth hdr pointer in br_dev_xmit Date: Mon, 14 Feb 2022 10:25:46 +0100 Message-Id: <20220214092448.956124456@linuxfoundation.org> X-Mailer: git-send-email 2.35.1 In-Reply-To: <20220214092448.285381753@linuxfoundation.org> References: <20220214092448.285381753@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Nikolay Aleksandrov commit 823d81b0fa2cd83a640734e74caee338b5d3c093 upstream. In br_dev_xmit() we perform vlan filtering in br_allowed_ingress() but if the packet has the vlan header inside (e.g. bridge with disabled tx-vlan-offload) then the vlan filtering code will use skb_vlan_untag() to extract the vid before filtering which in turn calls pskb_may_pull() and we may end up with a stale eth pointer. Moreover the cached eth header pointer will generally be wrong after that operation. Remove the eth header caching and just use eth_hdr() directly, the compiler does the right thing and calculates it only once so we don't lose anything. Fixes: 057658cb33fb ("bridge: suppress arp pkts on BR_NEIGH_SUPPRESS ports") Signed-off-by: Nikolay Aleksandrov Signed-off-by: David S. Miller Cc: Eduardo Vela Signed-off-by: Greg Kroah-Hartman --- net/bridge/br_device.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) --- a/net/bridge/br_device.c +++ b/net/bridge/br_device.c @@ -39,7 +39,6 @@ netdev_tx_t br_dev_xmit(struct sk_buff * struct pcpu_sw_netstats *brstats = this_cpu_ptr(br->stats); const struct nf_br_ops *nf_ops; const unsigned char *dest; - struct ethhdr *eth; u16 vid = 0; memset(skb->cb, 0, sizeof(struct br_input_skb_cb)); 
@@ -60,15 +59,14 @@ netdev_tx_t br_dev_xmit(struct sk_buff * BR_INPUT_SKB_CB(skb)->brdev = dev; skb_reset_mac_header(skb); - eth = eth_hdr(skb); skb_pull(skb, ETH_HLEN); if (!br_allowed_ingress(br, br_vlan_group_rcu(br), skb, &vid)) goto out; if (IS_ENABLED(CONFIG_INET) && - (eth->h_proto == htons(ETH_P_ARP) || - eth->h_proto == htons(ETH_P_RARP)) && + (eth_hdr(skb)->h_proto == htons(ETH_P_ARP) || + eth_hdr(skb)->h_proto == htons(ETH_P_RARP)) && br->neigh_suppress_enabled) { br_do_proxy_suppress_arp(skb, br, vid, NULL); } else if (IS_ENABLED(CONFIG_IPV6) &&
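Review bot: in the first hunk (@@ -39,7 +39,6 @@), `const unsigned char *dest;` stays declared right beside the removed `struct ethhdr *eth;`, and its assignment is not among the lines shown. If `dest` is loaded from the MAC header before br_allowed_ingress() runs, it is a second cached pointer into the same header and would go stale in exactly the way the commit message describes. Please confirm it is taken only after that call, or derive it from eth_hdr(skb) at the point of use.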
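Review bot: in the second hunk (@@ -60,15 +59,14 @@), nothing at the br_allowed_ingress() call warns a later reader that header pointers taken before it are unsafe afterwards, so the cached pointer could easily be reintroduced. A short comment above the call would guard against that: per the commit message it can reach pskb_may_pull() through skb_vlan_untag(), so eth_hdr(skb) has to be re-read after it. The context stops at `} else if (IS_ENABLED(CONFIG_IPV6) &&`, so the remaining branches are not visible here; with the `eth` declaration gone, any leftover use there would fail to build, which covers that case.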