linux-stable/net/bridge
Nikolay Aleksandrov 8edc9ddadb net: bridge: deny dev_set_mac_address() when unregistering
[ Upstream commit c4b4c42185 ]

We have an interesting memory leak in the bridge when it is being
unregistered and is a slave to a master device which would change the
mac of its slaves on unregister (e.g. bond, team). This is a very
unusual setup but we do end up leaking 1 fdb entry because
dev_set_mac_address() would cause the bridge to insert the new mac address
into its table after all fdbs are flushed, i.e. after dellink() on the
bridge has finished and we call NETDEV_UNREGISTER the bond/team would
release it and will call dev_set_mac_address() to restore its original
address and that in turn will add an fdb in the bridge.
One fix is to check for the bridge dev's reg_state in its
ndo_set_mac_address callback and return an error if the bridge is not in
NETREG_REGISTERED.

Easy steps to reproduce:
 1. add bond in mode != A/B
 2. add any slave to the bond
 3. add bridge dev as a slave to the bond
 4. destroy the bridge device

Trace:
 unreferenced object 0xffff888035c4d080 (size 128):
   comm "ip", pid 4068, jiffies 4296209429 (age 1413.753s)
   hex dump (first 32 bytes):
     41 1d c9 36 80 88 ff ff 00 00 00 00 00 00 00 00  A..6............
     d2 19 c9 5e 3f d7 00 00 00 00 00 00 00 00 00 00  ...^?...........
   backtrace:
     [<00000000ddb525dc>] kmem_cache_alloc+0x155/0x26f
     [<00000000633ff1e0>] fdb_create+0x21/0x486 [bridge]
     [<0000000092b17e9c>] fdb_insert+0x91/0xdc [bridge]
     [<00000000f2a0f0ff>] br_fdb_change_mac_address+0xb3/0x175 [bridge]
     [<000000001de02dbd>] br_stp_change_bridge_id+0xf/0xff [bridge]
     [<00000000ac0e32b1>] br_set_mac_address+0x76/0x99 [bridge]
     [<000000006846a77f>] dev_set_mac_address+0x63/0x9b
     [<00000000d30738fc>] __bond_release_one+0x3f6/0x455 [bonding]
     [<00000000fc7ec01d>] bond_netdev_event+0x2f2/0x400 [bonding]
     [<00000000305d7795>] notifier_call_chain+0x38/0x56
     [<0000000028885d4a>] call_netdevice_notifiers+0x1e/0x23
     [<000000008279477b>] rollback_registered_many+0x353/0x6a4
     [<0000000018ef753a>] unregister_netdevice_many+0x17/0x6f
     [<00000000ba854b7a>] rtnl_delete_link+0x3c/0x43
     [<00000000adf8618d>] rtnl_dellink+0x1dc/0x20a
     [<000000009b6395fd>] rtnetlink_rcv_msg+0x23d/0x268

Fixes: 4359881338 ("bridge: add local MAC address to forwarding table (v2)")
Reported-by: syzbot+2add91c08eb181fea1bf@syzkaller.appspotmail.com
Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-12-21 10:47:30 +01:00
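The ordering problem described in the commit message above, replayed in a small userspace model. This is an added example, not code from the commit or the kernel tree: `model_set_mac`, `destroy_bridge`, `check_state` and the struct layouts are hypothetical, and the `-EBUSY` return value is an assumption, since the message only says the callback returns an error.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Userspace model only: these types mimic, but are not, the kernel's. */
enum reg_state { NETREG_REGISTERED, NETREG_UNREGISTERING };
struct fdb { unsigned char mac[6]; struct fdb *next; };
struct bridge { enum reg_state reg_state; struct fdb *fdbs; int check_state; };

static void fdb_insert(struct bridge *br, const unsigned char *mac) {
    struct fdb *f = malloc(sizeof(*f));
    if (!f) abort();
    memcpy(f->mac, mac, sizeof(f->mac));
    f->next = br->fdbs;
    br->fdbs = f;
}

static int fdb_flush(struct bridge *br) { /* frees all entries, returns the count */
    int n = 0;
    for (struct fdb *f; (f = br->fdbs) != NULL; n++) {
        br->fdbs = f->next;
        free(f);
    }
    return n;
}

/* Stand-in for the bridge's ndo_set_mac_address callback. */
static int model_set_mac(struct bridge *br, const unsigned char *mac) {
    if (br->check_state && br->reg_state != NETREG_REGISTERED)
        return -EBUSY;   /* assumed errno; the message only says "an error" */
    fdb_insert(br, mac); /* the new address becomes a local fdb entry */
    return 0;
}

/* Replays the teardown order; returns the number of entries that would leak. */
static int destroy_bridge(int check_state) {
    const unsigned char cur[6] = {2, 0, 0, 0, 0, 1}, orig[6] = {2, 0, 0, 0, 0, 2};
    struct bridge br = { NETREG_REGISTERED, NULL, check_state };
    model_set_mac(&br, cur);             /* address set while enslaved and registered */
    fdb_flush(&br);                      /* dellink(): all fdbs are flushed */
    br.reg_state = NETREG_UNREGISTERING; /* unregister has started */
    model_set_mac(&br, orig);            /* master restores the MAC on NETDEV_UNREGISTER */
    return fdb_flush(&br);               /* model-only cleanup, counts the leftovers */
}

int main(void) {
    printf("no check: %d leaked, with check: %d leaked\n", destroy_bridge(0), destroy_bridge(1));
    return 0;
}
```
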
netfilter bridge: ebtables: don't crash when using dnat target in output chains 2019-12-05 15:36:56 +01:00
br.c
br_device.c net: bridge: deny dev_set_mac_address() when unregistering 2019-12-21 10:47:30 +01:00
br_fdb.c
br_forward.c net: bridge: Fix ethernet header pointer before check skb forwardable 2019-01-31 08:13:41 +01:00
br_if.c bridge: Fix error path for kobject_init_and_add() 2019-05-16 19:42:33 +02:00
br_input.c net: bridge: fix per-port af_packet sockets 2019-04-27 09:35:33 +02:00
br_ioctl.c
br_mdb.c bridge/mdb: remove wrong use of NLM_F_MULTI 2019-09-19 09:07:59 +02:00
br_multicast.c net: bridge: mcast: don't delete permanent entries when fast leave is enabled 2019-08-09 17:53:34 +02:00
br_netfilter_hooks.c netfilter: bridge: set skb transport_header before entering NF_INET_PRE_ROUTING 2019-05-04 09:15:18 +02:00
br_netfilter_ipv6.c netfilter: bridge: set skb transport_header before entering NF_INET_PRE_ROUTING 2019-05-04 09:15:18 +02:00
br_netlink.c
br_netlink_tunnel.c
br_nf_core.c
br_private.h
br_private_stp.h
br_private_tunnel.h
br_stp.c
br_stp_bpdu.c net: bridge: stp: don't cache eth dest pointer before skb pull 2019-07-31 07:28:46 +02:00
br_stp_if.c
br_stp_timer.c
br_switchdev.c
br_sysfs_br.c
br_sysfs_if.c
br_vlan.c net: bridge: delete local fdb on device init failure 2019-08-09 17:53:34 +02:00
br_vlan_tunnel.c
Kconfig
Makefile