From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Nikolay Aleksandrov , "David S. Miller" Subject: [PATCH 5.4 33/71] net: bridge: fix stale eth hdr pointer in br_dev_xmit Date: Mon, 14 Feb 2022 10:26:01 +0100 Message-Id: <20220214092453.134311359@linuxfoundation.org> X-Mailer: git-send-email 2.35.1 In-Reply-To: <20220214092452.020713240@linuxfoundation.org> References: <20220214092452.020713240@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Nikolay Aleksandrov commit 823d81b0fa2cd83a640734e74caee338b5d3c093 upstream. In br_dev_xmit() we perform vlan filtering in br_allowed_ingress() but if the packet has the vlan header inside (e.g. bridge with disabled tx-vlan-offload) then the vlan filtering code will use skb_vlan_untag() to extract the vid before filtering which in turn calls pskb_may_pull() and we may end up with a stale eth pointer. Moreover the cached eth header pointer will generally be wrong after that operation. Remove the eth header caching and just use eth_hdr() directly, the compiler does the right thing and calculates it only once so we don't lose anything. Fixes: 057658cb33fb ("bridge: suppress arp pkts on BR_NEIGH_SUPPRESS ports") Signed-off-by: Nikolay Aleksandrov Signed-off-by: David S. Miller Cc: Eduardo Vela Signed-off-by: Greg Kroah-Hartman --- net/bridge/br_device.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) --- a/net/bridge/br_device.c +++ b/net/bridge/br_device.c @@ -33,7 +33,6 @@ netdev_tx_t br_dev_xmit(struct sk_buff * struct pcpu_sw_netstats *brstats = this_cpu_ptr(br->stats); const struct nf_br_ops *nf_ops; const unsigned char *dest; - struct ethhdr *eth; u16 vid = 0; rcu_read_lock(); 
@@ -53,15 +52,14 @@ netdev_tx_t br_dev_xmit(struct sk_buff * BR_INPUT_SKB_CB(skb)->frag_max_size = 0; skb_reset_mac_header(skb); - eth = eth_hdr(skb); skb_pull(skb, ETH_HLEN); if (!br_allowed_ingress(br, br_vlan_group_rcu(br), skb, &vid)) goto out; if (IS_ENABLED(CONFIG_INET) && - (eth->h_proto == htons(ETH_P_ARP) || - eth->h_proto == htons(ETH_P_RARP)) && + (eth_hdr(skb)->h_proto == htons(ETH_P_ARP) || + eth_hdr(skb)->h_proto == htons(ETH_P_RARP)) && br_opt_get(br, BROPT_NEIGH_SUPPRESS_ENABLED)) { br_do_proxy_suppress_arp(skb, br, vid, NULL); } else if (IS_ENABLED(CONFIG_IPV6) &&
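Review bot: `const unsigned char *dest;` in the first hunk's context looks like another local that holds an address inside the frame, and its assignment is not visible in this patch. If `dest` is set before `br_allowed_ingress()` runs, it has the same stale-pointer problem as the removed `eth`; please confirm it is assigned only after that call, or derive it from `eth_hdr(skb)` at the point of use.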
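Review bot: The `eth_hdr(skb)->h_proto` checks in the second hunk are correct only because they sit after `br_allowed_ingress()`, and nothing in the code says so. A one-line comment above the `if (IS_ENABLED(CONFIG_INET) &&` block, noting that `br_allowed_ingress()` can reallocate the skb head and header pointers must not be cached across it, would keep a later cleanup from reintroducing the local. The `else if (IS_ENABLED(CONFIG_IPV6) &&` branch is cut off in the context, so it is worth checking that it does not use a pointer taken before the call either.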
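The failure mode the commit message describes, reduced to a userspace C model. This is an added example, not kernel code and not part of the patch; `toy_skb`, `toy_eth_hdr()` and `toy_realloc_head()` are hypothetical stand-ins for `sk_buff`, `eth_hdr()` and a `pskb_may_pull()` that has to reallocate.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Toy stand-in for sk_buff (hypothetical): the header is found by an
 * offset from head, so the lookup survives a reallocation of head. */
struct toy_skb {
    unsigned char *head;  /* start of the allocation */
    size_t len;           /* bytes in the buffer */
    size_t mac_off;       /* offset of the Ethernet header from head */
};
struct toy_ethhdr { unsigned char dst[6], src[6]; uint16_t proto; };

/* Like eth_hdr(): recomputed from head + offset on every call. */
static struct toy_ethhdr *toy_eth_hdr(struct toy_skb *skb)
{
    return (struct toy_ethhdr *)(skb->head + skb->mac_off);
}

/* Models a pull that must reallocate: data moves, old head is freed. */
static int toy_realloc_head(struct toy_skb *skb)
{
    unsigned char *n = malloc(skb->len);
    if (!n)
        return -1;
    memcpy(n, skb->head, skb->len);
    free(skb->head);
    skb->head = n;
    return 0;
}

/* Returns 1 when an address cached before the reallocation no longer
 * matches the live header; *proto_out is read through a fresh lookup. */
static int cached_pointer_is_stale(uint16_t *proto_out)
{
    struct toy_skb skb = { malloc(64), 64, 0 };
    if (!skb.head)
        return -1;
    memset(skb.head, 0, skb.len);
    toy_eth_hdr(&skb)->proto = 0x0806;  /* constructed sample value */
    /* Keep only the address; the old pointer is never dereferenced. */
    uintptr_t cached = (uintptr_t)toy_eth_hdr(&skb);
    if (toy_realloc_head(&skb)) { free(skb.head); return -1; }
    *proto_out = toy_eth_hdr(&skb)->proto;  /* safe: recomputed */
    int stale = cached != (uintptr_t)toy_eth_hdr(&skb);
    free(skb.head);
    return stale;
}

int main(void) { uint16_t p; return cached_pointer_is_stale(&p) == 1 ? 0 : 1; }
```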