From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Eric Dumazet <edumazet@google.com>,
Petr Machata <petrm@mellanox.com>,
Ido Schimmel <idosch@mellanox.com>,
Roopa Prabhu <roopa@cumulusnetworks.com>,
Stefano Brivio <sbrivio@redhat.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 3.18 05/13] vxlan: test dev->flags & IFF_UP before calling netif_rx()
Date: Thu, 21 Feb 2019 15:35:36 +0100 [thread overview]
Message-ID: <20190221125240.564054848@linuxfoundation.org> (raw)
In-Reply-To: <20190221125240.091472334@linuxfoundation.org>
3.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 4179cb5a4c924cd233eaadd081882425bc98f44e ]
netif_rx() must be called under a strict contract.
At device dismantle phase, core networking clears IFF_UP
and flush_all_backlogs() is called after rcu grace period
to make sure no incoming packet might be in a cpu backlog
and still referencing the device.
Most drivers call netif_rx() from their interrupt handler,
and since the interrupts are disabled at device dismantle,
netif_rx() does not have to check dev->flags & IFF_UP
Virtual drivers do not have this guarantee, and must
therefore make the check themselves.
Otherwise we risk use-after-free and/or crashes.
Note this patch also fixes a small issue that came
with commit ce6502a8f957 ("vxlan: fix a use after free
in vxlan_encap_bypass"), since the dev->stats.rx_dropped
change was done on the wrong device.
Fixes: d342894c5d2f ("vxlan: virtual extensible lan")
Fixes: ce6502a8f957 ("vxlan: fix a use after free in vxlan_encap_bypass")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Petr Machata <petrm@mellanox.com>
Cc: Ido Schimmel <idosch@mellanox.com>
Cc: Roopa Prabhu <roopa@cumulusnetworks.com>
Cc: Stefano Brivio <sbrivio@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/vxlan.c | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
--- a/drivers/net/vxlan.c
+++ b/drivers/net/vxlan.c
@@ -1665,7 +1665,7 @@ static void vxlan_encap_bypass(struct sk
struct pcpu_sw_netstats *tx_stats, *rx_stats;
union vxlan_addr loopback;
union vxlan_addr *remote_ip = &dst_vxlan->default_dst.remote_ip;
- struct net_device *dev = skb->dev;
+ struct net_device *dev;
int len = skb->len;
tx_stats = this_cpu_ptr(src_vxlan->dev->tstats);
@@ -1685,8 +1685,15 @@ static void vxlan_encap_bypass(struct sk
#endif
}
+ rcu_read_lock();
+ dev = skb->dev;
+ if (unlikely(!(dev->flags & IFF_UP))) {
+ kfree_skb(skb);
+ goto drop;
+ }
+
if (dst_vxlan->flags & VXLAN_F_LEARN)
- vxlan_snoop(skb->dev, &loopback, eth_hdr(skb)->h_source);
+ vxlan_snoop(dev, &loopback, eth_hdr(skb)->h_source);
u64_stats_update_begin(&tx_stats->syncp);
tx_stats->tx_packets++;
@@ -1699,8 +1706,10 @@ static void vxlan_encap_bypass(struct sk
rx_stats->rx_bytes += len;
u64_stats_update_end(&rx_stats->syncp);
} else {
+drop:
dev->stats.rx_dropped++;
}
+ rcu_read_unlock();
}
static void vxlan_xmit_one(struct sk_buff *skb, struct net_device *dev,
next prev parent reply other threads:[~2019-02-21 14:37 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-02-21 14:35 [PATCH 3.18 00/13] 3.18.136-stable review Greg Kroah-Hartman
2019-02-21 14:35 ` [PATCH 3.18 01/13] net: fix IPv6 prefix route residue Greg Kroah-Hartman
2019-02-21 14:35 ` [PATCH 3.18 02/13] sky2: Increase D3 delay again Greg Kroah-Hartman
2019-02-21 14:35 ` [PATCH 3.18 03/13] tcp: tcp_v4_err() should be more careful Greg Kroah-Hartman
2019-02-21 14:35 ` [PATCH 3.18 04/13] tcp: clear icsk_backoff in tcp_write_queue_purge() Greg Kroah-Hartman
2019-02-21 14:35 ` Greg Kroah-Hartman [this message]
2019-02-21 14:35 ` [PATCH 3.18 06/13] vsock: cope with memory allocation failure at socket creation time Greg Kroah-Hartman
2019-02-21 14:35 ` [PATCH 3.18 07/13] net: stmmac: Fix a race in EEE enable callback Greg Kroah-Hartman
2019-02-21 14:35 ` [PATCH 3.18 08/13] net: ipv4: use a dedicated counter for icmp_v4 redirect packets Greg Kroah-Hartman
2019-02-21 14:35 ` [PATCH 3.18 09/13] hwmon: (lm80) Fix missing unlock on error in set_fan_div() Greg Kroah-Hartman
2019-02-21 14:35 ` [PATCH 3.18 10/13] kvm: fix kvm_ioctl_create_device() reference counting (CVE-2019-6974) Greg Kroah-Hartman
2019-02-21 14:35 ` [PATCH 3.18 11/13] net/x25: do not hold the cpu too long in x25_new_lci() Greg Kroah-Hartman
2019-02-21 14:35 ` [PATCH 3.18 12/13] mISDN: fix a race in dev_expire_timer() Greg Kroah-Hartman
2019-02-21 14:35 ` [PATCH 3.18 13/13] ax25: fix possible use-after-free Greg Kroah-Hartman
2019-02-21 18:19 ` [PATCH 3.18 00/13] 3.18.136-stable review kernelci.org bot
2019-02-22 22:55 ` shuah
2019-02-22 23:30 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190221125240.564054848@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=idosch@mellanox.com \
--cc=linux-kernel@vger.kernel.org \
--cc=petrm@mellanox.com \
--cc=roopa@cumulusnetworks.com \
--cc=sbrivio@redhat.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.