From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 0519512C54B; Tue, 30 Apr 2024 10:43:50 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1714473830; cv=none; b=SrvKd1NDFX/FaiOJziMAPzsG5xly+nXPwUD4Veh1R7rFygqjcr+4GTV5MsG7K9I7y52mmRWzw1nWVIo8I3WWuZxuYdZc1XorH1GnVEFIh/7eGMe5ppzRHS5QM7y6erLnfl80eOpsRGrs+jnHvkFE+AXVa8KEToFVwAIO7X/efqI= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1714473830; c=relaxed/simple; bh=xCt7f1sQ1ukGpbbVUJhD76nIcRisWl4fNWnPPW1/OZk=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=XWKzTDPnQwIC0OkC3eEFN2iGfsmZTyZLEx1eF7y/pC17d600lI+FcqvYIy0mb5yAAY3jxnj5JCUHzRPFaRXX2nConstmDC2utYPiHkPgyVueiF0nWqX6YqVIQMM/OZNsGZm6HE8JLWQ+zlNsyeHbzm11jQzrYUlltg/8xtvuw9g= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b=ryMPGtEh; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b="ryMPGtEh" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 73B9CC2BBFC; Tue, 30 Apr 2024 10:43:49 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1714473829; bh=xCt7f1sQ1ukGpbbVUJhD76nIcRisWl4fNWnPPW1/OZk=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=ryMPGtEhJ0M2x2Oa3PXghBfoMsAn0CLKKOs7rQCeyxpb7ZRG4IK7yVZ7EvkcnJFV6 9KSRgYK8EfJEdPGTWbI+F7aD0qXK6FqcL+b0UoJSsAEKl0MsLfxhHTz3QmJoppJztP 1Rg2SFcrWK91TKSAYMit02mkYvfn1qukqLd+xk7A= From: Greg Kroah-Hartman To: stable@vger.kernel.org Cc: Greg Kroah-Hartman , patches@lists.linux.dev, Hyunwoo Kim , Eric Dumazet , Aaron Conole , Jakub Kicinski , Sasha Levin Subject: [PATCH 4.19 51/77] net: openvswitch: Fix Use-After-Free in ovs_ct_exit Date: Tue, 30 Apr 2024 12:39:30 +0200 Message-ID: <20240430103042.643880996@linuxfoundation.org> X-Mailer: git-send-email 2.44.0 In-Reply-To: <20240430103041.111219002@linuxfoundation.org> References: <20240430103041.111219002@linuxfoundation.org> User-Agent: quilt/0.67 X-stable: review X-Patchwork-Hint: ignore Precedence: bulk X-Mailing-List: stable@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit 4.19-stable review patch. If anyone has any objections, please let me know. ------------------ From: Hyunwoo Kim [ Upstream commit 5ea7b72d4fac2fdbc0425cd8f2ea33abe95235b2 ] Since kfree_rcu, which is called in the hlist_for_each_entry_rcu traversal of ovs_ct_limit_exit, is not part of the RCU read critical section, it is possible that the RCU grace period will pass during the traversal and the key will be free. To prevent this, it should be changed to hlist_for_each_entry_safe. Fixes: 11efd5cb04a1 ("openvswitch: Support conntrack zone limit") Signed-off-by: Hyunwoo Kim Reviewed-by: Eric Dumazet Reviewed-by: Aaron Conole Link: https://lore.kernel.org/r/ZiYvzQN/Ry5oeFQW@v4bel-B760M-AORUS-ELITE-AX Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin --- net/openvswitch/conntrack.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/openvswitch/conntrack.c b/net/openvswitch/conntrack.c index 352e80e6cd75c..3ea1e5ffaf80d 100644 --- a/net/openvswitch/conntrack.c +++ b/net/openvswitch/conntrack.c @@ -1836,9 +1836,9 @@ static void ovs_ct_limit_exit(struct net *net, struct ovs_net *ovs_net) for (i = 0; i < CT_LIMIT_HASH_BUCKETS; ++i) { struct hlist_head *head = &info->limits[i]; struct ovs_ct_limit *ct_limit; + struct hlist_node *next; - hlist_for_each_entry_rcu(ct_limit, head, hlist_node, - lockdep_ovsl_is_held()) + hlist_for_each_entry_safe(ct_limit, next, head, hlist_node) kfree_rcu(ct_limit, rcu); } kfree(ovs_net->ct_limit_info->limits); -- 2.43.0