[3.8.y.z extended stable] Patch "bridge: fix NULL pointer deref of br_port_get_rcu" has been added to staging queue
Kamal Mostafa
kamal at canonical.com
Mon Oct 28 21:59:30 UTC 2013
This is a note to let you know that I have just added a patch titled
bridge: fix NULL pointer deref of br_port_get_rcu
to the linux-3.8.y-queue branch of the 3.8.y.z extended stable tree
which can be found at:
http://kernel.ubuntu.com/git?p=ubuntu/linux.git;a=shortlog;h=refs/heads/linux-3.8.y-queue
This patch is scheduled to be released in version 3.8.13.12.
If you, or anyone else, feels it should not be added to this tree, please
reply to this email.
For more information about the 3.8.y.z tree, see
https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable
Thanks.
-Kamal
------
From 583cd715eb84f297368a20946c7a789115dc75df Mon Sep 17 00:00:00 2001
From: Hong Zhiguo <zhiguohong at tencent.com>
Date: Sat, 14 Sep 2013 22:42:28 +0800
Subject: bridge: fix NULL pointer deref of br_port_get_rcu
[ Upstream commit 716ec052d2280d511e10e90ad54a86f5b5d4dcc2 ]

The NULL deref happens when br_handle_frame is called between these
2 lines of del_nbp:

    dev->priv_flags &= ~IFF_BRIDGE_PORT;
    /* --> br_handle_frame is called at this time */
    netdev_rx_handler_unregister(dev);

In br_handle_frame the return of br_port_get_rcu(dev) is dereferenced
without check but br_port_get_rcu(dev) returns NULL if:

    !(dev->priv_flags & IFF_BRIDGE_PORT)

Eric Dumazet pointed out the testing of IFF_BRIDGE_PORT is not necessary
here since we're in rcu_read_lock and we have synchronize_net() in
netdev_rx_handler_unregister. So remove the testing of IFF_BRIDGE_PORT
and by the previous patch, make sure br_port_get_rcu is called in
bridging code.

Signed-off-by: Hong Zhiguo <zhiguohong at tencent.com>
Acked-by: Eric Dumazet <edumazet at google.com>
Signed-off-by: David S. Miller <davem at davemloft.net>
Signed-off-by: Kamal Mostafa <kamal at canonical.com>
---
net/bridge/br_private.h | 5 +----
1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h
index 688fc44..f56cd47 100644
--- a/net/bridge/br_private.h
+++ b/net/bridge/br_private.h
@@ -162,10 +162,7 @@ struct net_bridge_port
static inline struct net_bridge_port *br_port_get_rcu(const struct net_device *dev)
{
- struct net_bridge_port *port =
- rcu_dereference_rtnl(dev->rx_handler_data);
-
- return br_port_exists(dev) ? port : NULL;
+ return rcu_dereference(dev->rx_handler_data);
}
static inline struct net_bridge_port *br_port_get_rtnl(const struct net_device *dev)
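Review bot: The `+` line in br_port_get_rcu() drops both the br_port_exists(dev) check and the RTNL-aware rcu_dereference_rtnl(), so the helper now returns whatever dev->rx_handler_data holds and is only correct when called under rcu_read_lock() from bridge code. The commit message says that guarantee comes from "the previous patch", so this backport should be queued together with that patch and not on its own. A one-line comment above the function stating the precondition (caller holds rcu_read_lock and dev is known to be a bridge port) would keep a later caller from using it on an arbitrary net_device.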
--
1.8.1.2