[PATCH net-next 1/2] bridge: vlan: Prevent possible use-after-free

[PATCH net-next 0/2] bridge: vlan: failure path and comment fixes · Nikolay Aleksandrov <razor@blackwall.org> · 2015-10-30
[PATCH net-next 1/2] bridge: vlan: Prevent possible use-after-free · Nikolay Aleksandrov <razor@blackwall.org> · 2015-10-30
[PATCH net-next 2/2] bridge: vlan: Use correct flag name in comment · Nikolay Aleksandrov <razor@blackwall.org> · 2015-10-30
Re: [PATCH net-next 0/2] bridge: vlan: failure path and comment fixes · David Miller <davem@davemloft.net> · 2015-11-02

STALE3873d

From: Nikolay Aleksandrov <razor@blackwall.org>
Date: 2015-10-30 16:46:24
Subsystem: ethernet bridge, networking [general], the rest · Maintainers: Nikolay Aleksandrov, Ido Schimmel, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Linus Torvalds

From: Ido Schimmel <redacted>

When adding a port to a bridge we initialize VLAN filtering on it. We do
not bail out in case an error occurred in nbp_vlan_init, as it can be
used as a non VLAN filtering bridge.

However, if VLAN filtering is required and an error occurred in
nbp_vlan_init, we should set vlgrp to NULL, so that VLAN filtering
functions (e.g. br_vlan_find, br_get_pvid) will know the struct is
invalid and will not try to access it.

Signed-off-by: Ido Schimmel <redacted>
Signed-off-by: Nikolay Aleksandrov <redacted>
---
 net/bridge/br_vlan.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/bridge/br_vlan.c b/net/bridge/br_vlan.c
index 5f0d0cc4744f..1054696323d7 100644
--- a/net/bridge/br_vlan.c
+++ b/net/bridge/br_vlan.c

@@ -914,6 +914,8 @@ out:
 	return ret;
 
 err_vlan_add:
+	RCU_INIT_POINTER(p->vlgrp, NULL);
+	synchronize_rcu();
 	rhashtable_destroy(&vg->vlan_hash);
 err_rhtbl:
 	kfree(vg);

-- 
2.4.3

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help