From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Eric Dumazet <edumazet@google.com>,
	"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 4.9 13/31] vxlan: test dev->flags & IFF_UP before calling gro_cells_receive()
Date: Mon, 18 Mar 2019 10:25:48 +0100
Message-ID: <20190318084210.932034496@linuxfoundation.org>
In-Reply-To: <20190318084210.397476003@linuxfoundation.org>

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

[ Upstream commit 59cbf56fcd98ba2a715b6e97c4e43f773f956393 ]

Same reasons as the ones explained in commit 4179cb5a4c92
("vxlan: test dev->flags & IFF_UP before calling netif_rx()")

netif_rx() or gro_cells_receive() must be called under a strict contract.

At device dismantle phase, core networking clears IFF_UP
and flush_all_backlogs() is called after rcu grace period
to make sure no incoming packet might be in a cpu backlog
and still referencing the device.

A similar protocol is used for gro_cells infrastructure, as
gro_cells_destroy() will be called only after a full rcu
grace period is observed after IFF_UP has been cleared.

Most drivers call netif_rx() from their interrupt handler,
and since the interrupts are disabled at device dismantle,
netif_rx() does not have to check dev->flags & IFF_UP.

Virtual drivers do not have this guarantee, and must
therefore make the check themselves.

Otherwise we risk use-after-free and/or crashes.

Fixes: d342894c5d2f ("vxlan: virtual extensible lan")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/vxlan.c |   11 +++++++++++
 1 file changed, 11 insertions(+)

--- a/drivers/net/vxlan.c
+++ b/drivers/net/vxlan.c
@@ -1380,6 +1380,14 @@ static int vxlan_rcv(struct sock *sk, st
 		goto drop;
 	}
 
+	rcu_read_lock();
+
+	if (unlikely(!(vxlan->dev->flags & IFF_UP))) {
+		rcu_read_unlock();
+		atomic_long_inc(&vxlan->dev->rx_dropped);
+		goto drop;
+	}
+
 	stats = this_cpu_ptr(vxlan->dev->tstats);
 	u64_stats_update_begin(&stats->syncp);
 	stats->rx_packets++;
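
Review bot: In the new !IFF_UP branch, atomic_long_inc(&vxlan->dev->rx_dropped) runs after rcu_read_unlock(), so it is the one access to vxlan->dev in this hunk that sits outside the read-side section the patch introduces. The commit message rests the whole fix on the device being touched only inside that section, so I would swap the two lines (increment rx_dropped, then rcu_read_unlock(), then goto drop); that keeps the branch consistent with that contract and costs nothing. A short comment above rcu_read_lock() saying that it pairs with the grace period observed before gro_cells_destroy() would also save the next reader from having to dig the reasoning out of the changelog.
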
@@ -1387,6 +1395,9 @@ static int vxlan_rcv(struct sock *sk, st
 	u64_stats_update_end(&stats->syncp);
 
 	gro_cells_receive(&vxlan->gro_cells, skb);
+
+	rcu_read_unlock();
+
 	return 0;
 
 drop:
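
Review bot: The rcu_read_unlock() added after gro_cells_receive() and the one in the !IFF_UP branch are the only two releases, and the drop: label just below is entered with the lock already released. Nothing in the code marks that invariant, so a later "goto drop" added anywhere between rcu_read_lock() and gro_cells_receive() would leave the read-side section unbalanced. Please either note at the lock site that drop: must be reached unlocked, or add a separate label that unlocks and falls through to drop:, so the pairing is enforced by structure rather than by convention.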


