From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Nikolay Aleksandrov <nikolay@nvidia.com>,
	"David S . Miller" <davem@davemloft.net>,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Subject: [PATCH 4.19 071/109] net: bridge: fix vlan tunnel dst null pointer dereference
Date: Mon, 28 Jun 2021 10:32:27 -0400	[thread overview]
Message-ID: <20210628143305.32978-72-sashal@kernel.org> (raw)
In-Reply-To: <20210628143305.32978-1-sashal@kernel.org>

From: Nikolay Aleksandrov <nikolay@nvidia.com>

commit 58e2071742e38f29f051b709a5cca014ba51166f upstream.

This patch fixes a tunnel_dst null pointer dereference due to lockless
access in the tunnel egress path. When deleting a vlan tunnel the
tunnel_dst pointer is set to NULL without waiting a grace period (i.e.
while it's still usable) and packets egressing are dereferencing it
without checking. Use READ/WRITE_ONCE to annotate the lockless use of
tunnel_id, use RCU for accessing tunnel_dst and make sure it is read
only once and checked in the egress path. The dst is already properly RCU
protected so we don't need to do anything fancier than to make sure
tunnel_id and tunnel_dst are read only once and checked in the egress path.

Cc: stable@vger.kernel.org
Fixes: 11538d039ac6 ("bridge: vlan dst_metadata hooks in ingress and egress paths")
Signed-off-by: Nikolay Aleksandrov <nikolay@nvidia.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/bridge/br_private.h     |  4 ++--
 net/bridge/br_vlan_tunnel.c | 38 +++++++++++++++++++++++--------------
 2 files changed, 26 insertions(+), 16 deletions(-)

diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h
index 33b8222db75c..7ca3b469242e 100644
--- a/net/bridge/br_private.h
+++ b/net/bridge/br_private.h
@@ -100,8 +100,8 @@ struct br_vlan_stats {
 };
 
 struct br_tunnel_info {
-	__be64			tunnel_id;
-	struct metadata_dst	*tunnel_dst;
+	__be64				tunnel_id;
+	struct metadata_dst __rcu	*tunnel_dst;
 };
 
 /**
diff --git a/net/bridge/br_vlan_tunnel.c b/net/bridge/br_vlan_tunnel.c
index 6d2c4eed2dc8..4d5100677c68 100644
--- a/net/bridge/br_vlan_tunnel.c
+++ b/net/bridge/br_vlan_tunnel.c
@@ -46,26 +46,33 @@ static struct net_bridge_vlan *br_vlan_tunnel_lookup(struct rhashtable *tbl,
 				      br_vlan_tunnel_rht_params);
 }
 
+static void vlan_tunnel_info_release(struct net_bridge_vlan *vlan)
+{
+	struct metadata_dst *tdst = rtnl_dereference(vlan->tinfo.tunnel_dst);
+
+	WRITE_ONCE(vlan->tinfo.tunnel_id, 0);
+	RCU_INIT_POINTER(vlan->tinfo.tunnel_dst, NULL);
+	dst_release(&tdst->dst);
+}
+
 void vlan_tunnel_info_del(struct net_bridge_vlan_group *vg,
 			  struct net_bridge_vlan *vlan)
 {
-	if (!vlan->tinfo.tunnel_dst)
+	if (!rcu_access_pointer(vlan->tinfo.tunnel_dst))
 		return;
 	rhashtable_remove_fast(&vg->tunnel_hash, &vlan->tnode,
 			       br_vlan_tunnel_rht_params);
-	vlan->tinfo.tunnel_id = 0;
-	dst_release(&vlan->tinfo.tunnel_dst->dst);
-	vlan->tinfo.tunnel_dst = NULL;
+	vlan_tunnel_info_release(vlan);
 }
 
 static int __vlan_tunnel_info_add(struct net_bridge_vlan_group *vg,
 				  struct net_bridge_vlan *vlan, u32 tun_id)
 {
-	struct metadata_dst *metadata = NULL;
+	struct metadata_dst *metadata = rtnl_dereference(vlan->tinfo.tunnel_dst);
 	__be64 key = key32_to_tunnel_id(cpu_to_be32(tun_id));
 	int err;
 
-	if (vlan->tinfo.tunnel_dst)
+	if (metadata)
 		return -EEXIST;
 
 	metadata = __ip_tun_set_dst(0, 0, 0, 0, 0, TUNNEL_KEY,
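Review bot: The new helper `vlan_tunnel_info_release()` has two preconditions that are not written down. `rtnl_dereference()` means it must run under RTNL, and `&tdst->dst` is formed without a NULL check, so `tunnel_dst` must be non-NULL on entry; `vlan_tunnel_info_del()` checks this, and the `out:` path appears to guarantee it. A short comment above the helper would make this explicit, e.g. `/* Caller holds RTNL and vlan->tinfo.tunnel_dst is non-NULL. */`. The comment should also say why no grace period is awaited after `RCU_INIT_POINTER(vlan->tinfo.tunnel_dst, NULL)`, since lockless egress readers may still hold the old pointer; the commit message relies on the dst itself being RCU-protected. `__vlan_tunnel_info_add()` continues past the end of this hunk.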
@@ -74,8 +81,8 @@ static int __vlan_tunnel_info_add(struct net_bridge_vlan_group *vg,
 		return -EINVAL;
 
 	metadata->u.tun_info.mode |= IP_TUNNEL_INFO_TX | IP_TUNNEL_INFO_BRIDGE;
-	vlan->tinfo.tunnel_dst = metadata;
-	vlan->tinfo.tunnel_id = key;
+	rcu_assign_pointer(vlan->tinfo.tunnel_dst, metadata);
+	WRITE_ONCE(vlan->tinfo.tunnel_id, key);
 
 	err = rhashtable_lookup_insert_fast(&vg->tunnel_hash, &vlan->tnode,
 					    br_vlan_tunnel_rht_params);
@@ -84,9 +91,7 @@ static int __vlan_tunnel_info_add(struct net_bridge_vlan_group *vg,
 
 	return 0;
 out:
-	dst_release(&vlan->tinfo.tunnel_dst->dst);
-	vlan->tinfo.tunnel_dst = NULL;
-	vlan->tinfo.tunnel_id = 0;
+	vlan_tunnel_info_release(vlan);
 
 	return err;
 }
@@ -186,12 +191,15 @@ int br_handle_ingress_vlan_tunnel(struct sk_buff *skb,
 int br_handle_egress_vlan_tunnel(struct sk_buff *skb,
 				 struct net_bridge_vlan *vlan)
 {
+	struct metadata_dst *tunnel_dst;
+	__be64 tunnel_id;
 	int err;
 
-	if (!vlan || !vlan->tinfo.tunnel_id)
+	if (!vlan)
 		return 0;
 
-	if (unlikely(!skb_vlan_tag_present(skb)))
+	tunnel_id = READ_ONCE(vlan->tinfo.tunnel_id);
+	if (!tunnel_id || unlikely(!skb_vlan_tag_present(skb)))
 		return 0;
 
 	skb_dst_drop(skb);
@@ -199,7 +207,9 @@ int br_handle_egress_vlan_tunnel(struct sk_buff *skb,
 	if (err)
 		return err;
 
-	skb_dst_set(skb, dst_clone(&vlan->tinfo.tunnel_dst->dst));
+	tunnel_dst = rcu_dereference(vlan->tinfo.tunnel_dst);
+	if (tunnel_dst)
+		skb_dst_set(skb, dst_clone(&tunnel_dst->dst));
 
 	return 0;
 }
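Review bot: `dst_clone()` in the added `if (tunnel_dst)` branch takes its reference unconditionally, so the egress path can still raise the refcount of a dst whose last reference `vlan_tunnel_info_release()` has just dropped. The NULL check closes the dereference but not this window. Taking the reference only while the count is still non-zero would close it: `if (tunnel_dst && dst_hold_safe(&tunnel_dst->dst))` followed by `skb_dst_set(skb, &tunnel_dst->dst);`. When `tunnel_dst` is NULL the function returns 0 after `skb_dst_drop(skb)` has already run, so the skb leaves without tunnel metadata; a one-line comment saying this is intended would help. Part of the body of `br_handle_egress_vlan_tunnel()` lies between this hunk and the previous one and is not shown.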
-- 
2.30.2

