LKML Archive on lore.kernel.org
help / color / mirror / Atom feed
From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org, stable@kernel.org
Cc: Justin Forbes <jmforbes@linuxtx.org>,
	Zwane Mwaikambo <zwane@arm.linux.org.uk>,
	"Theodore Ts'o" <tytso@mit.edu>,
	Randy Dunlap <rdunlap@xenotime.net>,
	Dave Jones <davej@redhat.com>,
	Chuck Wolber <chuckw@quantumlinux.com>,
	Chris Wedgwood <reviews@ml.cw.f00f.org>,
	Michael Krufky <mkrufky@linuxtv.org>,
	Chuck Ebbert <cebbert@redhat.com>,
	Domenico Andreoli <cavokz@gmail.com>,
	torvalds@linux-foundation.org, akpm@linux-foundation.org,
	alan@lxorguk.ukuu.org.uk,
	Netfilter Development Mailinglist 
	<netfilter-devel@vger.kernel.org>,
	"David S. Miller" <davem@davemloft.net>,
	Patrick McHardy <kaber@trash.net>
Subject: [patch 68/73] Netfilter: bridge-netfilter: fix net_device refcnt leaks
Date: Wed, 6 Feb 2008 15:54:30 -0800	[thread overview]
Message-ID: <20080206235430.GQ13121@suse.de> (raw)
In-Reply-To: <20080206235015.GA13121@suse.de>

[-- Attachment #1: netfilter-bridge-netfilter-fix-net_device-refcnt-leaks.patch --]
[-- Type: text/plain, Size: 2566 bytes --]


2.6.23-stable review patch.  If anyone has any objections, please let us know.
------------------
From: Patrick McHardy <kaber@trash.net>

[NETFILTER]: bridge-netfilter: fix net_device refcnt leaks

Upstream commit 2dc2f207fb251666d2396fe1a69272b307ecc333

When packets are flood-forwarded to multiple output devices, the
bridge-netfilter code reuses skb->nf_bridge for each clone to store
the bridge port. When queueing packets using NFQUEUE netfilter takes
a reference to skb->nf_bridge->physoutdev, which is overwritten
when the packet is forwarded to the second port. This causes
refcount unterflows for the first device and refcount leaks for all
others. Additionally this provides incorrect data to the iptables
physdev match.

Unshare skb->nf_bridge by copying it if it is shared before assigning
the physoutdev device.

Reported, tested and based on initial patch by
Jan Christoph Nordholz <hesso@pool.math.tu-berlin.de>.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

---
 net/bridge/br_netfilter.c |   27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)

--- a/net/bridge/br_netfilter.c
+++ b/net/bridge/br_netfilter.c
@@ -142,6 +142,23 @@ static inline struct nf_bridge_info *nf_
 	return skb->nf_bridge;
 }
 
+static inline struct nf_bridge_info *nf_bridge_unshare(struct sk_buff *skb)
+{
+	struct nf_bridge_info *nf_bridge = skb->nf_bridge;
+
+	if (atomic_read(&nf_bridge->use) > 1) {
+		struct nf_bridge_info *tmp = nf_bridge_alloc(skb);
+
+		if (tmp) {
+			memcpy(tmp, nf_bridge, sizeof(struct nf_bridge_info));
+			atomic_set(&tmp->use, 1);
+			nf_bridge_put(nf_bridge);
+		}
+		nf_bridge = tmp;
+	}
+	return nf_bridge;
+}
+
 static inline void nf_bridge_push_encap_header(struct sk_buff *skb)
 {
 	unsigned int len = nf_bridge_encap_header_len(skb);
@@ -644,6 +661,11 @@ static unsigned int br_nf_forward_ip(uns
 	if (!skb->nf_bridge)
 		return NF_ACCEPT;
 
+	/* Need exclusive nf_bridge_info since we might have multiple
+	 * different physoutdevs. */
+	if (!nf_bridge_unshare(skb))
+		return NF_DROP;
+
 	parent = bridge_parent(out);
 	if (!parent)
 		return NF_DROP;
@@ -727,6 +749,11 @@ static unsigned int br_nf_local_out(unsi
 	if (!skb->nf_bridge)
 		return NF_ACCEPT;
 
+	/* Need exclusive nf_bridge_info since we might have multiple
+	 * different physoutdevs. */
+	if (!nf_bridge_unshare(skb))
+		return NF_DROP;
+
 	nf_bridge = skb->nf_bridge;
 	if (!(nf_bridge->mask & BRNF_BRIDGED_DNAT))
 		return NF_ACCEPT;

-- 

  parent reply	other threads:[~2008-02-07  0:29 UTC|newest]

Thread overview: 75+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <20080206234302.769849277@mini.kroah.org>
2008-02-06 23:50 ` [patch 00/73] 2.6.23-stable review Greg KH
2008-02-06 23:50   ` [patch 01/73] SPARC64: Fix sparc64 cpu cross call hangs Greg KH
2008-02-06 23:50   ` [patch 02/73] dm: table detect io beyond device Greg KH
2008-02-06 23:50   ` [patch 03/73] dm crypt: fix write endio Greg KH
2008-02-06 23:50   ` [patch 04/73] dm crypt: use bio_add_page Greg KH
2008-02-06 23:51   ` [patch 05/73] ACPI: video_device_list corruption Greg KH
2008-02-06 23:51   ` [patch 06/73] ACPI: thinkpad-acpi: fix lenovo keymap for brightness Greg KH
2008-02-06 23:51   ` [patch 07/73] SPARC64: Fix memory controller register access when non-SMP Greg KH
2008-02-06 23:51   ` [patch 08/73] SPARC64: Fix two kernel linear mapping setup bugs Greg KH
2008-02-06 23:51   ` [patch 09/73] IPSEC: Fix potential dst leak in xfrm_lookup Greg KH
2008-02-06 23:51   ` [patch 10/73] VLAN: Lost rtnl_unlock() in vlan_ioctl() Greg KH
2008-02-06 23:51   ` [patch 11/73] tty: fix logic change introduced by wait_event_interruptible_timeout() Greg KH
2008-02-06 23:51   ` [patch 12/73] IPV4 raw: Strengthen check on validity of iph->ihl Greg KH
2008-02-06 23:51   ` [patch 13/73] sky2: disable rx checksum on Yukon XL Greg KH
2008-02-06 23:51   ` [patch 14/73] sky2: RX lockup fix Greg KH
2008-02-06 23:51   ` [patch 15/73] POWERPC: Change fallocate to match unistd.h on powerpc Greg KH
2008-02-06 23:51   ` [patch 16/73] X25: Add missing x25_neigh_put Greg KH
2008-02-06 23:51   ` [patch 17/73] NET: mcs7830 passes msecs instead of jiffies to usb_control_msg Greg KH
2008-02-06 23:51   ` [patch 18/73] NET: kaweth was forgotten in msec switchover of usb_start_wait_urb Greg KH
2008-02-06 23:51   ` [patch 19/73] IRDA: irda_create() nuke user triggable printk Greg KH
2008-02-06 23:51   ` [patch 20/73] INET: Fix netdev renaming and inet address labels Greg KH
2008-02-06 23:52   ` [patch 21/73] CONNECTOR: Dont touch queue dev after decrement of ref count Greg KH
2008-02-06 23:52   ` [patch 22/73] ATM: Check IP header validity in mpc_send_packet Greg KH
2008-02-06 23:52   ` [patch 23/73] IPV4 ROUTE: ip_rt_dump() is unecessary slow Greg KH
2008-02-06 23:52   ` [patch 24/73] ATM: delay irq setup until card is configured Greg KH
2008-02-06 23:52   ` [patch 25/73] IPSEC: Avoid undefined shift operation when testing algorithm ID Greg KH
2008-02-06 23:52   ` [patch 26/73] NET: Correct two mistaken skb_reset_mac_header() conversions Greg KH
2008-02-06 23:52   ` [patch 27/73] IPV4: ip_gre: set mac_header correctly in receive path Greg KH
2008-02-06 23:52   ` [patch 28/73] CASSINI: Fix endianness bug Greg KH
2008-02-06 23:52   ` [patch 29/73] CASSINI: Revert dont touch page_count Greg KH
2008-02-06 23:52   ` [patch 30/73] CASSINI: Set skb->truesize properly on receive packets Greg KH
2008-02-06 23:52   ` [patch 31/73] SPARC64: Fix OOPS in dma_sync_*_for_device() Greg KH
2008-02-06 23:52   ` [patch 32/73] SPARC64: Implement pci_resource_to_user() Greg KH
2008-02-06 23:52   ` [patch 33/73] ACPICA: fix acpi-cpufreq boot crash due to _PSD return-by-reference Greg KH
2008-02-06 23:52   ` [patch 34/73] ACPI: Not register gsi for PCI IDE controller in legacy mode Greg KH
2008-02-06 23:52   ` [patch 35/73] ACPICA: fix acpi_serialize hang regression Greg KH
2008-02-06 23:53   ` [patch 36/73] ACPI: apply quirk_ich6_lpc_acpi to more ICH8 and ICH9 Greg KH
2008-02-06 23:53   ` [patch 37/73] PM: ACPI and APM must not be enabled at the same time Greg KH
2008-02-06 23:53   ` [patch 38/73] CRYPTO: padlock: Fix spurious ECB page fault Greg KH
2008-02-06 23:53   ` [patch 39/73] USB: update sierra.c with latest device ids that are in 2.6.24-rc7 Greg KH
2008-02-06 23:53   ` [patch 40/73] clockevents: fix reprogramming decision in oneshot broadcast Greg KH
2008-02-06 23:53   ` [patch 41/73] Freezer: Fix APM emulation breakage Greg KH
2008-02-06 23:53   ` [patch 42/73] vfs: coredumping fix (CVE-2007-6206) Greg KH
2008-02-06 23:53   ` [patch 43/73] quicklists: do not release off node pages early Greg KH
2008-02-06 23:53   ` [patch 44/73] quicklists: Only consider memory that can be used with GFP_KERNEL Greg KH
2008-02-06 23:53   ` [patch 45/73] chelsio: Fix skb->dev setting Greg KH
2008-02-06 23:53   ` [patch 46/73] cxgb: fix T2 GSO Greg KH
2008-02-06 23:53   ` [patch 47/73] cxgb: fix stats Greg KH
2008-02-06 23:53   ` [patch 48/73] Input: implement proper locking in input core Greg KH
2008-02-06 23:53   ` [patch 49/73] Input: evdev - implement proper locking Greg KH
2008-02-06 23:53   ` [patch 50/73] Input: mousedev " Greg KH
2008-02-06 23:53   ` [patch 51/73] Input: joydev " Greg KH
2008-02-06 23:53   ` [patch 52/73] Input: tsdev " Greg KH
2008-02-06 23:53   ` [patch 53/73] Input: fix open count handling in input interfaces Greg KH
2008-02-06 23:53   ` [patch 54/73] CIFS: Respect umask when using POSIX mkdir Greg KH
2008-02-06 23:53   ` [patch 55/73] m68k: Export cachectl.h Greg KH
2008-02-06 23:53   ` [patch 56/73] VM/Security: add security hook to do_brk (CVE-2007-6434) Greg KH
2008-02-06 23:54   ` [patch 57/73] security: protect from stack expantion into low vm addresses Greg KH
2008-02-06 23:54   ` [patch 58/73] md: fix data corruption when a degraded raid5 array is reshaped Greg KH
2008-02-06 23:54   ` [patch 59/73] knfsd: Allow NFSv2/3 WRITE calls to succeed when krb5i etc is used Greg KH
2008-02-06 23:54   ` [patch 60/73] vm audit: add VM_DONTEXPAND to mmap for drivers that need it (CVE-2008-0007) Greg KH
2008-02-06 23:54   ` [patch 61/73] sata_promise: ASIC PRD table bug workaround Greg KH
2008-02-06 23:54   ` [patch 62/73] ia64: Fix unaligned handler for floating point instructions with base update Greg KH
2008-02-06 23:54   ` [patch 63/73] Fix unbalanced helper_lock in kernel/kmod.c Greg KH
2008-02-06 23:54   ` [patch 64/73] spi: omap2_mcspi PIO RX fix Greg KH
2008-02-06 23:54   ` [patch 65/73] libata: port and host should be stopped before hardware resources are released Greg KH
2008-02-06 23:54   ` [patch 66/73] fix oops on rmmod capidrv Greg KH
2008-02-06 23:54   ` [patch 67/73] Netfilter: bridge: fix double POST_ROUTING invocation Greg KH
2008-02-06 23:54   ` Greg KH [this message]
2008-02-06 23:54   ` [patch 69/73] Fix dirty page accounting leak with ext3 data=journal Greg KH
2008-02-06 23:54   ` [patch 70/73] forcedeth: mac address mcp77/79 Greg KH
2008-02-06 23:54   ` [patch 71/73] atl1: fix frame length bug Greg KH
2008-02-06 23:54   ` [patch 72/73] ACPI: sync blacklist w/ latest Greg KH
2008-02-06 23:54   ` [patch 73/73] PCI: Fix fakephp deadlock Greg KH
2008-02-08  5:31   ` [stable] [patch 00/73] 2.6.23-stable review Greg KH

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20080206235430.GQ13121@suse.de \
    --to=gregkh@suse.de \
    --cc=akpm@linux-foundation.org \
    --cc=alan@lxorguk.ukuu.org.uk \
    --cc=cavokz@gmail.com \
    --cc=cebbert@redhat.com \
    --cc=chuckw@quantumlinux.com \
    --cc=davej@redhat.com \
    --cc=davem@davemloft.net \
    --cc=jmforbes@linuxtx.org \
    --cc=kaber@trash.net \
    --cc=linux-kernel@vger.kernel.org \
    --cc=mkrufky@linuxtv.org \
    --cc=netfilter-devel@vger.kernel.org \
    --cc=rdunlap@xenotime.net \
    --cc=reviews@ml.cw.f00f.org \
    --cc=stable@kernel.org \
    --cc=torvalds@linux-foundation.org \
    --cc=tytso@mit.edu \
    --cc=zwane@arm.linux.org.uk \
    --subject='Re: [patch 68/73] Netfilter: bridge-netfilter: fix net_device refcnt leaks' \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).