github-mirror/linux
1
0
Fork 0
mirror of https://github.com/torvalds/linux.git synced 2026-06-06 21:45:45 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity Graph
d4bad13828
linux/net/bridge
History
Harsh Modi 908180f633 netfilter: br_netfilter: Drop dst references before setting. 
[ Upstream commit d047283a70 ]

The IPv6 path already drops dst in the daddr changed case, but the IPv4
path does not. This change makes the two code paths consistent.

Further, it is possible that there is already a metadata_dst allocated from
ingress that might already be attached to skbuff->dst while following
the bridge path. If it is not released before setting a new
metadata_dst, it will be leaked. This is similar to what is done in
bpf_set_tunnel_key() or ip6_route_input().

It is important to note that the memory being leaked is not the dst
being set in the bridge code, but rather memory allocated from some
other code path that is not being freed correctly before the skb dst is
overwritten.

An example of the leakage fixed by this commit found using kmemleak:

unreferenced object 0xffff888010112b00 (size 256):
  comm "softirq", pid 0, jiffies 4294762496 (age 32.012s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 80 16 f1 83 ff ff ff ff  ................
    e1 4e f6 82 ff ff ff ff 00 00 00 00 00 00 00 00  .N..............
  backtrace:
    [<00000000d79567ea>] metadata_dst_alloc+0x1b/0xe0
    [<00000000be113e13>] udp_tun_rx_dst+0x174/0x1f0
    [<00000000a36848f4>] geneve_udp_encap_recv+0x350/0x7b0
    [<00000000d4afb476>] udp_queue_rcv_one_skb+0x380/0x560
    [<00000000ac064aea>] udp_unicast_rcv_skb+0x75/0x90
    [<000000009a8ee8c5>] ip_protocol_deliver_rcu+0xd8/0x230
    [<00000000ef4980bb>] ip_local_deliver_finish+0x7a/0xa0
    [<00000000d7533c8c>] __netif_receive_skb_one_core+0x89/0xa0
    [<00000000a879497d>] process_backlog+0x93/0x190
    [<00000000e41ade9f>] __napi_poll+0x28/0x170
    [<00000000b4c0906b>] net_rx_action+0x14f/0x2a0
    [<00000000b20dd5d4>] __do_softirq+0xf4/0x305
    [<000000003a7d7e15>] __irq_exit_rcu+0xc3/0x140
    [<00000000968d39a2>] sysvec_apic_timer_interrupt+0x9e/0xc0
    [<000000009e920794>] asm_sysvec_apic_timer_interrupt+0x16/0x20
    [<000000008942add0>] native_safe_halt+0x13/0x20

Florian Westphal says: "Original code was likely fine because nothing
ever did set a skb->dst entry earlier than bridge in those days."

Fixes: 1da177e4c3 ("Linux-2.6.12-rc2")
Signed-off-by: Harsh Modi <harshmodi@google.com>
Acked-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2022-09-15 11:32:05 +02:00
..
netfilter netfilter: ebtables: reject blobs that don't provide all entry points 2022-08-31 17:15:17 +02:00
br_arp_nd_proxy.c net: bridge: when suppression is enabled exclude RARP packets 2021-05-19 10:12:53 +02:00
br_device.c bridge: Fix a deadlock when enabling multicast snooping 2020-12-07 17:14:43 -08:00
br_fdb.c net: bridge: fix flags interpretation for extern learn fdb entries 2021-08-18 08:59:13 +02:00
br_forward.c net: bridge: mcast: when forwarding handle filter mode and blocked flag 2020-09-23 13:24:35 -07:00
br_if.c net: bridge: fix memleak in br_add_if() 2021-08-18 08:59:13 +02:00
br_input.c net: bridge: Clear offload_fwd_mark when passing frame up bridge interface. 2022-05-25 09:17:59 +02:00
br_ioctl.c net: bridge: delete duplicated words 2020-09-18 14:12:43 -07:00
br_mdb.c net: bridge: mcast: add support for blocked port groups 2020-09-23 13:24:34 -07:00
br_mrp_netlink.c bridge: mrp: Extend br_mrp_fill_info 2020-07-14 13:46:43 -07:00
br_mrp_switchdev.c bridge: mrp: Fix the usage of br_mrp_port_switchdev_set_state 2021-02-17 11:02:29 +01:00
br_mrp.c net: bridge: mrp: Update ring transitions. 2021-07-19 09:44:46 +02:00
br_multicast.c net: bridge: multicast: fix MRD advertisement router port marking race 2021-07-20 16:05:37 +02:00
br_netfilter_hooks.c netfilter: br_netfilter: Drop dst references before setting. 2022-09-15 11:32:05 +02:00
br_netfilter_ipv6.c netfilter: br_netfilter: Drop dst references before setting. 2022-09-15 11:32:05 +02:00
br_netlink_tunnel.c net: bridge: notify on vlan tunnel changes done via the old api 2020-07-12 15:18:24 -07:00
br_netlink.c net: bridge: fix under estimation in br_get_linkxstats_size() 2021-10-13 10:04:27 +02:00
br_nf_core.c
br_private_mrp.h bridge: mrp: Fix the usage of br_mrp_port_switchdev_set_state 2021-02-17 11:02:29 +01:00
br_private_stp.h
br_private_tunnel.h
br_private.h net: bridge: mcast: use multicast_membership_interval for IGMPv3 2021-10-27 09:56:54 +02:00
br_stp_bpdu.c
br_stp_if.c net: remove newlines in NL_SET_ERR_MSG_MOD 2020-05-07 17:56:14 -07:00
br_stp_timer.c
br_stp.c
br_switchdev.c net: bridge: don't notify switchdev for local FDB addresses 2021-03-30 14:32:04 +02:00
br_sysfs_br.c
br_sysfs_if.c net: bridge: use switchdev for port flags set through sysfs too 2021-03-07 12:34:07 +01:00
br_vlan_options.c
br_vlan_tunnel.c net: bridge: fix vlan tunnel dst refcnt when egressing 2021-06-23 14:42:53 +02:00
br_vlan.c net: bridge: vlan: fix memory leak in __allowed_ingress 2022-02-01 17:25:48 +01:00
br.c net: bridge: fix flags interpretation for extern learn fdb entries 2021-08-18 08:59:13 +02:00
Kconfig treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
Makefile