From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
To: netdev@vger.kernel.org
Cc: roopa@cumulusnetworks.com, dsahern@gmail.com,
	Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
Subject: [PATCH net 1/2] net: nexthop: dereference nh only once in nexthop_select_path
Date: Tue, 19 May 2020 14:04:23 +0300
Message-ID: <20200519110424.2397623-2-nikolay@cumulusnetworks.com>
In-Reply-To: <20200519110424.2397623-1-nikolay@cumulusnetworks.com>

The ->nh pointer might suddenly become null while we're selecting the
path and we may dereference it. Dereference it only once in the
beginning and use that if it's not null; we rely on the refcounting and
RCU to protect against use-after-free.

Fixes: 430a049190de ("nexthop: Add support for nexthop groups")
Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
---
 net/ipv4/nexthop.c | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/net/ipv4/nexthop.c b/net/ipv4/nexthop.c
index 2a31c4af845e..a6ffdb067253 100644
--- a/net/ipv4/nexthop.c
+++ b/net/ipv4/nexthop.c
@@ -490,28 +490,33 @@ struct nexthop *nexthop_select_path(struct nexthop *nh, int hash)
 	nhg = rcu_dereference(nh->nh_grp);
 	for (i = 0; i < nhg->num_nh; ++i) {
 		struct nh_grp_entry *nhge = &nhg->nh_entries[i];
+		struct nexthop *nhge_nh;
 		struct nh_info *nhi;
 
 		if (hash > atomic_read(&nhge->upper_bound))
 			continue;
 
+		nhge_nh = READ_ONCE(nhge->nh);
+		if (unlikely(!nhge_nh))
+			continue;
+
 		/* nexthops always check if it is good and does
 		 * not rely on a sysctl for this behavior
 		 */
-		nhi = rcu_dereference(nhge->nh->nh_info);
+		nhi = rcu_dereference(nhge_nh->nh_info);
 		switch (nhi->family) {
 		case AF_INET:
 			if (ipv4_good_nh(&nhi->fib_nh))
-				return nhge->nh;
+				return nhge_nh;
 			break;
 		case AF_INET6:
 			if (ipv6_good_nh(&nhi->fib6_nh))
-				return nhge->nh;
+				return nhge_nh;
 			break;
 		}
 
 		if (!rc)
-			rc = nhge->nh;
+			rc = nhge_nh;
 	}
 
 	return rc;
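
Review bot: With the new "continue" on a NULL nhge->nh, the loop can finish without ever assigning rc, so "return rc;" may hand NULL back when every entry that passes the upper_bound test has lost its nexthop (assuming rc starts out NULL, as the "if (!rc)" test implies). Callers of nexthop_select_path() need a NULL check for this to close the crash rather than move it, and the commit message should say where that is handled. A short comment above "nhge_nh = READ_ONCE(nhge->nh);" naming the path that clears the pointer, and noting that the store should use WRITE_ONCE, would make the pairing clear to later readers.
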
-- 
2.25.2

