lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <147f016f-bf5e-4cb6-80a7-192db0ff62c4@redhat.com>
Date: Thu, 28 Aug 2025 11:19:11 +0200
From: Paolo Abeni <pabeni@...hat.com>
To: Hangbin Liu <liuhangbin@...il.com>, netdev@...r.kernel.org
Cc: "David S. Miller" <davem@...emloft.net>,
 Eric Dumazet <edumazet@...gle.com>, Jakub Kicinski <kuba@...nel.org>,
 Simon Horman <horms@...nel.org>, MD Danish Anwar <danishanwar@...com>,
 Alexander Lobakin <aleksander.lobakin@...el.com>,
 Jaakko Karrenpalo <jkarrenpalo@...il.com>,
 Fernando Fernandez Mancera <ffmancera@...eup.net>,
 Murali Karicheri <m-karicheri2@...com>, WingMan Kwok <w-kwok2@...com>,
 Stanislav Fomichev <sdf@...ichev.me>, Xiao Liang <shaw.leon@...il.com>,
 Kuniyuki Iwashima <kuniyu@...gle.com>,
 Johannes Berg <johannes.berg@...el.com>
Subject: Re: [PATCHv2 net] hsr: use proper locking when iterating over ports

On 8/27/25 11:33 AM, Hangbin Liu wrote:
> @@ -672,9 +672,13 @@ struct net_device *hsr_get_port_ndev(struct net_device *ndev,
>  	struct hsr_priv *hsr = netdev_priv(ndev);
>  	struct hsr_port *port;
>  
> +	rcu_read_lock();
>  	hsr_for_each_port(hsr, port)
> -		if (port->type == pt)
> +		if (port->type == pt) {
> +			rcu_read_unlock();
>  			return port->dev;

This is not good enough. At this point accessing `port` could still
cause UaF;

The only callers, in icssg_prueth_hsr_{add,del}_mcast(), can be either
under the RTNL lock or not. A safer option would be acquiring a
reference on dev before releasing the rcu lock and let the caller drop
such reference

> +		}
> +	rcu_read_unlock();
>  	return NULL;
>  }
>  EXPORT_SYMBOL(hsr_get_port_ndev);
> diff --git a/net/hsr/hsr_main.c b/net/hsr/hsr_main.c
> index 192893c3f2ec..eec6e20a8494 100644
> --- a/net/hsr/hsr_main.c
> +++ b/net/hsr/hsr_main.c
> @@ -22,9 +22,13 @@ static bool hsr_slave_empty(struct hsr_priv *hsr)
>  {
>  	struct hsr_port *port;
>  
> +	rcu_read_lock();
>  	hsr_for_each_port(hsr, port)
> -		if (port->type != HSR_PT_MASTER)
> +		if (port->type != HSR_PT_MASTER) {
> +			rcu_read_unlock();
>  			return false;
> +		}
> +	rcu_read_unlock();
>  	return true;
>  }

AFAICS the only caller of this helper is under the RTNL lock

> @@ -134,9 +138,13 @@ struct hsr_port *hsr_port_get_hsr(struct hsr_priv *hsr, enum hsr_port_type pt)
>  {
>  	struct hsr_port *port;
>  
> +	rcu_read_lock();
>  	hsr_for_each_port(hsr, port)
> -		if (port->type == pt)
> +		if (port->type == pt) {
> +			rcu_read_unlock();
>  			return port;

The above is not enough.

AFAICS some/most caller are already either under the RTNL lock or the
rcu lock.

I think it would be better rename the hsr_for_each_port_rtnl() helper to
hsr_for_each_port_rcu(), retaining the current semantic, use it here,
and fix the caller as needed.

It will be useful to somehow split the patch in a series, as it's
already quite big and will increase even more.

/P

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ