From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id D6CB417592; Tue, 30 Apr 2024 11:27:56 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1714476476; cv=none; b=DJqrsstMEaKvWXb4wDJ5RnYBLOEJLY+yv9fRIqB0A6bHMs0FVTKEHdtLjj+R1U6/Z79jG6MEBvo6rHnFAaMkpBMNRFg7LPuHacrzb3Y3XCQ6opPTHzk2FHM2mS0CqXGtCLWxc/4kwEgEVnuXuWqRELUBOkrY8lNy3H8/GgpGB64= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1714476476; c=relaxed/simple; bh=VAHXJEPYIchjv+JAJ22qzh+88pai8blMlfTxFFnZM1c=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=NZrgDEWQMQN8aJdx8cCBa8jPGNfYMJEo4z5EZiiJhLq6jkWwqerevKfVFR7rHP4Oe4XvKkgSQ8dUTgq+A08h59Zxj//CWTnqCavMnww1whpMLm83/tDh6kXzCNJsOpGzZ/DDRD/l9wluwalrMP5KgF6YgKP+7hMXB7XqWXgjTIw= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b=oehUWzkF; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b="oehUWzkF" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 5BA0FC2BBFC; Tue, 30 Apr 2024 11:27:56 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1714476476; bh=VAHXJEPYIchjv+JAJ22qzh+88pai8blMlfTxFFnZM1c=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=oehUWzkFS/XRAjhZPXNsc2NeMwRbPYe8pCHUOSHiK5WZICONvLLY7OjbZZ82AlqzT uCvAqx4TVjnv14VPxdClichlbu8P4buuv6/mGn284MrCrdwSPyDU7/FWywVNefHBOs jEqOVQqss3KUfBldryx5MV3AQxv3FeYfVYQ5074k= From: Greg Kroah-Hartman To: stable@vger.kernel.org Cc: Greg Kroah-Hartman , patches@lists.linux.dev, Hyunwoo Kim , Eric Dumazet , Aaron Conole , Jakub Kicinski , Sasha Levin Subject: [PATCH 6.1 043/110] net: openvswitch: Fix Use-After-Free in ovs_ct_exit Date: Tue, 30 Apr 2024 12:40:12 +0200 Message-ID: <20240430103048.838851168@linuxfoundation.org> X-Mailer: git-send-email 2.44.0 In-Reply-To: <20240430103047.561802595@linuxfoundation.org> References: <20240430103047.561802595@linuxfoundation.org> User-Agent: quilt/0.67 X-stable: review X-Patchwork-Hint: ignore Precedence: bulk X-Mailing-List: stable@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit 6.1-stable review patch. If anyone has any objections, please let me know. ------------------ From: Hyunwoo Kim [ Upstream commit 5ea7b72d4fac2fdbc0425cd8f2ea33abe95235b2 ] Since kfree_rcu, which is called in the hlist_for_each_entry_rcu traversal of ovs_ct_limit_exit, is not part of the RCU read critical section, it is possible that the RCU grace period will pass during the traversal and the key will be free. To prevent this, it should be changed to hlist_for_each_entry_safe. Fixes: 11efd5cb04a1 ("openvswitch: Support conntrack zone limit") Signed-off-by: Hyunwoo Kim Reviewed-by: Eric Dumazet Reviewed-by: Aaron Conole Link: https://lore.kernel.org/r/ZiYvzQN/Ry5oeFQW@v4bel-B760M-AORUS-ELITE-AX Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin --- net/openvswitch/conntrack.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/openvswitch/conntrack.c b/net/openvswitch/conntrack.c index e4ba86b84b9b1..2302bae1e0128 100644 --- a/net/openvswitch/conntrack.c +++ b/net/openvswitch/conntrack.c @@ -1920,9 +1920,9 @@ static void ovs_ct_limit_exit(struct net *net, struct ovs_net *ovs_net) for (i = 0; i < CT_LIMIT_HASH_BUCKETS; ++i) { struct hlist_head *head = &info->limits[i]; struct ovs_ct_limit *ct_limit; + struct hlist_node *next; - hlist_for_each_entry_rcu(ct_limit, head, hlist_node, - lockdep_ovsl_is_held()) + hlist_for_each_entry_safe(ct_limit, next, head, hlist_node) kfree_rcu(ct_limit, rcu); } kfree(info->limits); -- 2.43.0