lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Fri, 8 Jun 2018 16:35:27 +0300
From:   Nikolay Aleksandrov <nikolay@...ulusnetworks.com>
To:     Petr Machata <petrm@...lanox.com>,
        bridge@...ts.linux-foundation.org, netdev@...r.kernel.org
Cc:     stephen@...workplumber.org, davem@...emloft.net
Subject: Re: [PATCH net v2] net: bridge: Fix locking in br_fdb_find_port()

On 08/06/18 16:11, Petr Machata wrote:
> Callers of br_fdb_find() need to hold the hash lock, which
> br_fdb_find_port() doesn't do. However, since br_fdb_find_port() is not
> doing any actual FDB manipulation, the hash lock is not really needed at
> all. So convert to br_fdb_find_rcu(), surrounded by rcu_read_lock() /
> _unlock() pair.
> 
> The device pointer copied from inside the FDB entry is then kept alive
> by the RTNL lock, which br_fdb_find_port() asserts.
> 
> Fixes: 4d4fd36126d6 ("net: bridge: Publish bridge accessor functions")
> Signed-off-by: Petr Machata <petrm@...lanox.com>
> ---
> 
> Notes:
>     Changes from v1 to v2:
>     
>     - Instead of taking hash lock, take RCU lock and call br_fdb_find_rcu().
> 
>  net/bridge/br_fdb.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/net/bridge/br_fdb.c b/net/bridge/br_fdb.c
> index b19e310..502f663 100644
> --- a/net/bridge/br_fdb.c
> +++ b/net/bridge/br_fdb.c
> @@ -135,9 +135,11 @@ struct net_device *br_fdb_find_port(const struct net_device *br_dev,
>  		return NULL;
>  
>  	br = netdev_priv(br_dev);
> -	f = br_fdb_find(br, addr, vid);
> +	rcu_read_lock();
> +	f = br_fdb_find_rcu(br, addr, vid);
>  	if (f && f->dst)
>  		dev = f->dst->dev;
> +	rcu_read_unlock();
>  
>  	return dev;
>  }
> 

Important note: the only reason this will not dereference a NULL pointer
when getting f->dst is because RTNL is held in all of its current
callers. I missed the comments on the previous version, but using RCU
here is dangerous if someone decides to use this without rtnl they will
get a false sense of security, that is why I acked the previous version.
I'd suggest to use READ_ONCE() for f->dst to avoid reading it again.

The way to reach a null dst is with fdbs pointing to the bridge which
currently can only be installed via user-space with RTNL held.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ