LKML Archive on lore.kernel.org
help / color / mirror / Atom feed
From: Stephen Hemminger <shemminger@linux-foundation.org>
To: Oleg Nesterov <oleg@tv-sign.ru>
Cc: Andrew Morton <akpm@linux-foundation.org>,
Jarek Poplawski <jarkao2@o2.pl>,
"David S. Miller" <davem@davemloft.net>,
David Howells <dhowells@redhat.com>,
netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] net/bridge/br_if.c: fix possible use-after-free in port_carrier_check()
Date: Tue, 20 Feb 2007 16:24:34 -0800 [thread overview]
Message-ID: <20070220162434.72d3ad7b@freekitty> (raw)
In-Reply-To: <20070220221941.GA707@tv-sign.ru>
On Wed, 21 Feb 2007 01:19:41 +0300
Oleg Nesterov <oleg@tv-sign.ru> wrote:
> If del_nbp()->cancel_delayed_work(carrier_check) fails, port_carrier_check()
> may run later and access an already freed container (struct net_bridge_port).
>
> With this patch, carrier_check owns a reference to "struct net_bridge_port",
> not net_device, so it is always safe to acces the container.
>
> port_carrier_check() uses p->dev->br_port == NULL as indication that net_bridge_port
> is under destruction. Otherwise it assumes that p->dev->br_port == p.
>
> Signed-off-by: Oleg Nesterov <oleg@tv-sign.ru>
> Acked-By: David Howells <dhowells@redhat.com>
>
> --- WQ/net/bridge/br_if.c~5_bridge_uaf 2007-02-18 23:06:15.000000000 +0300
> +++ WQ/net/bridge/br_if.c 2007-02-20 00:59:54.000000000 +0300
> @@ -83,14 +83,14 @@ static void port_carrier_check(struct wo
> struct net_device *dev;
> struct net_bridge *br;
>
> - dev = container_of(work, struct net_bridge_port,
> - carrier_check.work)->dev;
> + p = container_of(work, struct net_bridge_port, carrier_check.work);
>
> rtnl_lock();
> - p = dev->br_port;
> - if (!p)
> - goto done;
> br = p->br;
> + dev = p->dev;
> +
> + if (!dev->br_port)
> + goto done;
>
> if (netif_carrier_ok(dev))
> p->path_cost = port_cost(dev);
> @@ -107,14 +107,16 @@ static void port_carrier_check(struct wo
> spin_unlock_bh(&br->lock);
> }
> done:
> - dev_put(dev);
> rtnl_unlock();
> + kobject_put(&p->kobj);
> }
>
> static void release_nbp(struct kobject *kobj)
> {
> struct net_bridge_port *p
> = container_of(kobj, struct net_bridge_port, kobj);
> +
> + dev_put(p->dev);
> kfree(p);
> }
>
> @@ -127,12 +129,6 @@ static struct kobj_type brport_ktype = {
>
> static void destroy_nbp(struct net_bridge_port *p)
> {
> - struct net_device *dev = p->dev;
> -
> - p->br = NULL;
> - p->dev = NULL;
> - dev_put(dev);
> -
> kobject_put(&p->kobj);
> }
Moving this around is problematic.
The ordering here was chosen to be RCU friendly so that
p->dev indicates the port is in process of being deleted but traffic
may still be using old reference, but new traffic should not use it.
Probably the best thing to do is pull the whole delayed work queue
and auto port speed stuff. When STP is moved to user space then
it can do the ethtool op there.
--
Stephen Hemminger <shemminger@linux-foundation.org>
next prev parent reply other threads:[~2007-02-21 0:25 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-02-20 22:19 Oleg Nesterov
2007-02-21 0:24 ` Stephen Hemminger [this message]
2007-02-21 8:23 ` Jarek Poplawski
2007-02-21 9:29 ` Jarek Poplawski
2007-02-21 14:23 ` Oleg Nesterov
2007-02-21 18:55 ` [RFT] bridge: eliminate port_check workqueue Stephen Hemminger
2007-02-21 20:09 ` Oleg Nesterov
2007-02-21 21:19 ` Stephen Hemminger
2007-02-21 21:58 ` Oleg Nesterov
2007-02-22 8:46 ` Jarek Poplawski
2007-02-21 14:22 ` [PATCH] net/bridge/br_if.c: fix possible use-after-free in port_carrier_check() Oleg Nesterov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20070220162434.72d3ad7b@freekitty \
--to=shemminger@linux-foundation.org \
--cc=akpm@linux-foundation.org \
--cc=davem@davemloft.net \
--cc=dhowells@redhat.com \
--cc=jarkao2@o2.pl \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=oleg@tv-sign.ru \
--subject='Re: [PATCH] net/bridge/br_if.c: fix possible use-after-free in port_carrier_check()' \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).