| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <aOTkw72FGwaOZcz7@calendula>
Date: Tue, 7 Oct 2025 12:00:35 +0200
From: Pablo Neira Ayuso <pablo@...filter.org>
To: Eric Woudstra <ericwouds@...il.com>
Cc: Nikolay Aleksandrov <razor@...ckwall.org>,
Ido Schimmel <idosch@...dia.com>,
"David S. Miller" <davem@...emloft.net>,
Eric Dumazet <edumazet@...gle.com>,
Jakub Kicinski <kuba@...nel.org>, Paolo Abeni <pabeni@...hat.com>,
Simon Horman <horms@...nel.org>, Felix Fietkau <nbd@....name>,
bridge@...ts.linux.dev, netdev@...r.kernel.org,
netfilter-devel@...r.kernel.org
Subject: Re: [PATCH v1 nf] bridge: br_vlan_fill_forward_path_pvid: use
br_vlan_group_rcu()
On Tue, Oct 07, 2025 at 10:15:01AM +0200, Eric Woudstra wrote:
> Bug: br_vlan_fill_forward_path_pvid uses br_vlan_group() instead of
> br_vlan_group_rcu(). Correct this bug.
>
> Fixes: bcf2766b1377 ("net: bridge: resolve forwarding path for VLAN tag actions in bridge devices")
> Signed-off-by: Eric Woudstra <ericwouds@...il.com>
Patch looks good.
dev_fill_forward_path() is assumed to run under RCU.
> ---
>
> Also see the debugging info send by Florian in mailing:
> "[RFC PATCH v3 nf-next] selftests: netfilter: Add bridge_fastpath.sh"
>
> net/bridge/br_private.h:1627 suspicious rcu_dereference_protected() usage!
>
> other info that might help us debug this:
>
> rcu_scheduler_active = 2, debug_locks = 1
> 7 locks held by socat/410:
> #0: ffff88800d7a9c90 (sk_lock-AF_INET){+.+.}-{0:0}, at: inet_stream_connect+0x43/0xa0
> #1: ffffffff9a779900 (rcu_read_lock){....}-{1:3}, at: __ip_queue_xmit+0x62/0x1830
> #2: ffffffff9a779900 (rcu_read_lock){....}-{1:3}, at: ip_output+0x57/0x3c0
> #3: ffffffff9a779900 (rcu_read_lock){....}-{1:3}, at: ip_finish_output2+0x263/0x17d0
> #4: ffffffff9a779900 (rcu_read_lock){....}-{1:3}, at: process_backlog+0x38a/0x14b0
> #5: ffffffff9a779900 (rcu_read_lock){....}-{1:3}, at: netif_receive_skb_internal+0x83/0x330
> #6: ffffffff9a779900 (rcu_read_lock){....}-{1:3}, at: nf_hook.constprop.0+0x8a/0x440
>
> stack backtrace:
> CPU: 0 UID: 0 PID: 410 Comm: socat Not tainted 6.17.0-rc7-virtme #1 PREEMPT(full)
> Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
> Call Trace:
> <IRQ>
> dump_stack_lvl+0x6f/0xb0
> lockdep_rcu_suspicious.cold+0x4f/0xb1
> br_vlan_fill_forward_path_pvid+0x32c/0x410 [bridge]
> br_fill_forward_path+0x7a/0x4d0 [bridge]
> ...
>
> net/bridge/br_vlan.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/net/bridge/br_vlan.c b/net/bridge/br_vlan.c
> index 939a3aa78d5c..54993a05037c 100644
> --- a/net/bridge/br_vlan.c
> +++ b/net/bridge/br_vlan.c
> @@ -1455,7 +1455,7 @@ void br_vlan_fill_forward_path_pvid(struct net_bridge *br,
> if (!br_opt_get(br, BROPT_VLAN_ENABLED))
> return;
>
> - vg = br_vlan_group(br);
> + vg = br_vlan_group_rcu(br);
>
> if (idx >= 0 &&
> ctx->vlan[idx].proto == br->vlan_proto) {
> --
> 2.50.0
>
Powered by blists - more mailing lists