| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <aLAm8Fka8E19JOay@fedora>
Date: Thu, 28 Aug 2025 09:52:48 +0000
From: Hangbin Liu <liuhangbin@...il.com>
To: Paolo Abeni <pabeni@...hat.com>
Cc: netdev@...r.kernel.org, "David S. Miller" <davem@...emloft.net>,
Eric Dumazet <edumazet@...gle.com>,
Jakub Kicinski <kuba@...nel.org>, Simon Horman <horms@...nel.org>,
MD Danish Anwar <danishanwar@...com>,
Alexander Lobakin <aleksander.lobakin@...el.com>,
Jaakko Karrenpalo <jkarrenpalo@...il.com>,
Fernando Fernandez Mancera <ffmancera@...eup.net>,
Murali Karicheri <m-karicheri2@...com>,
WingMan Kwok <w-kwok2@...com>, Stanislav Fomichev <sdf@...ichev.me>,
Xiao Liang <shaw.leon@...il.com>,
Kuniyuki Iwashima <kuniyu@...gle.com>,
Johannes Berg <johannes.berg@...el.com>
Subject: Re: [PATCHv2 net] hsr: use proper locking when iterating over ports
On Thu, Aug 28, 2025 at 11:19:11AM +0200, Paolo Abeni wrote:
> On 8/27/25 11:33 AM, Hangbin Liu wrote:
> > @@ -672,9 +672,13 @@ struct net_device *hsr_get_port_ndev(struct net_device *ndev,
> > struct hsr_priv *hsr = netdev_priv(ndev);
> > struct hsr_port *port;
> >
> > + rcu_read_lock();
> > hsr_for_each_port(hsr, port)
> > - if (port->type == pt)
> > + if (port->type == pt) {
> > + rcu_read_unlock();
> > return port->dev;
>
> This is not good enough. At this point accessing `port` could still
> cause UaF;
>
> The only callers, in icssg_prueth_hsr_{add,del}_mcast(), can be either
> under the RTNL lock or not. A safer option would be acquiring a
> reference on dev before releasing the rcu lock and let the caller drop
> such reference
OK, thanks for the suggestion.
>
> > + }
> > + rcu_read_unlock();
> > return NULL;
> > }
> > EXPORT_SYMBOL(hsr_get_port_ndev);
> > diff --git a/net/hsr/hsr_main.c b/net/hsr/hsr_main.c
> > index 192893c3f2ec..eec6e20a8494 100644
> > --- a/net/hsr/hsr_main.c
> > +++ b/net/hsr/hsr_main.c
> > @@ -22,9 +22,13 @@ static bool hsr_slave_empty(struct hsr_priv *hsr)
> > {
> > struct hsr_port *port;
> >
> > + rcu_read_lock();
> > hsr_for_each_port(hsr, port)
> > - if (port->type != HSR_PT_MASTER)
> > + if (port->type != HSR_PT_MASTER) {
> > + rcu_read_unlock();
> > return false;
> > + }
> > + rcu_read_unlock();
> > return true;
> > }
>
> AFAICS the only caller of this helper is under the RTNL lock
Thanks, sometimes I not very sure if the caller is under RTNL lock or not.
Is there a good way to check this?
>
> > @@ -134,9 +138,13 @@ struct hsr_port *hsr_port_get_hsr(struct hsr_priv *hsr, enum hsr_port_type pt)
> > {
> > struct hsr_port *port;
> >
> > + rcu_read_lock();
> > hsr_for_each_port(hsr, port)
> > - if (port->type == pt)
> > + if (port->type == pt) {
> > + rcu_read_unlock();
> > return port;
>
> The above is not enough.
>
> AFAICS some/most caller are already either under the RTNL lock or the
> rcu lock.
>
> I think it would be better rename the hsr_for_each_port_rtnl() helper to
> hsr_for_each_port_rcu(), retaining the current semantic, use it here,
> and fix the caller as needed.
Do you mean to modify like
#define hsr_for_each_port(hsr, port) \
list_for_each_entry_rcu((port), &(hsr)->ports, port_list)
+#define hsr_for_each_port_rcu(hsr, port) \
+ list_for_each_entry_rcu((port), &(hsr)->ports, port_list, lockdep_rtnl_is_held())
I'm not sure if the naming is clear. e.g. rcu_dereference_rtnl() also use rtnl
suffix to check if rtnl is held.
>
> It will be useful to somehow split the patch in a series, as it's
> already quite big and will increase even more.
OK.
Thanks
Hangbin
>
> /P
>
Powered by blists - more mailing lists