linux/net/bridge
Hyunwoo Kim 3715a00855 bridge: cfm: Fix race condition in peer_mep deletion

When a peer MEP is being deleted, cancel_delayed_work_sync() is called
on ccm_rx_dwork before freeing. However, br_cfm_frame_rx() runs in
softirq context under rcu_read_lock (without RTNL) and can re-schedule
ccm_rx_dwork via ccm_rx_timer_start() between cancel_delayed_work_sync()
returning and kfree_rcu() being called.

The following is a simple race scenario:

           cpu0                                     cpu1

mep_delete_implementation()
  cancel_delayed_work_sync(ccm_rx_dwork);
                                           br_cfm_frame_rx()
                                             // peer_mep still in hlist
                                             if (peer_mep->ccm_defect)
                                               ccm_rx_timer_start()
                                                 queue_delayed_work(ccm_rx_dwork)
  hlist_del_rcu(&peer_mep->head);
  kfree_rcu(peer_mep, rcu);
                                           ccm_rx_work_expired()
                                             // on freed peer_mep

To prevent this, cancel_delayed_work_sync() is replaced with
disable_delayed_work_sync() in both peer MEP deletion paths, so
that subsequent queue_delayed_work() calls from br_cfm_frame_rx()
are silently rejected.

The cc_peer_disable() helper retains cancel_delayed_work_sync()
because it is also used for the CC enable/disable toggle path where
the work must remain re-schedulable.

Fixes: dc32cbb3db ("bridge: cfm: Kernel space implementation of CFM. CCM frame RX added.")
Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
Reviewed-by: Ido Schimmel <idosch@nvidia.com>
Link: https://patch.msgid.link/abBgYT5K_FI9rD1a@v4bel
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-03-12 18:33:52 -07:00
netfilter Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
br_arp_nd_proxy.c net: bridge: Prevent unicast ARP/NS packets from being suppressed by bridge 2025-04-09 19:13:43 -07:00
br_cfm_netlink.c bridge: cfm: fix enum typo in br_cc_ccm_tx_parse 2023-12-26 22:38:13 +00:00
br_cfm.c bridge: cfm: Fix race condition in peer_mep deletion 2026-03-12 18:33:52 -07:00
br_device.c net: bridge: fix nd_tbl NULL dereference when IPv6 is disabled 2026-03-05 07:52:56 -08:00
br_fdb.c net: bridge: annotate data-races around fdb->{updated,used} 2026-01-09 17:36:21 -08:00
br_forward.c net: bridge: fix use-after-free due to MST port state bypass 2025-11-06 07:32:17 -08:00
br_if.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
br_input.c net: bridge: fix nd_tbl NULL dereference when IPv6 is disabled 2026-03-05 07:52:56 -08:00
br_ioctl.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
br_mdb.c Convert remaining multi-line kmalloc_obj/flex GFP_KERNEL uses 2026-02-22 08:26:33 -08:00
br_mrp_netlink.c
br_mrp_switchdev.c
br_mrp.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
br_mst.c net: bridge: fix MST static key usage 2025-11-06 07:32:17 -08:00
br_multicast_eht.c treewide: Replace kmalloc with kmalloc_obj for non-scalar types 2026-02-21 01:02:28 -08:00
br_multicast.c treewide: Replace kmalloc with kmalloc_obj for non-scalar types 2026-02-21 01:02:28 -08:00
br_netfilter_hooks.c netfilter: br_netfilter: do not check confirmed bit in br_nf_local_in() after confirm 2025-08-27 11:53:37 +02:00
br_netfilter_ipv6.c net/ipv6: Introduce payload_len helpers 2026-02-06 20:50:03 -08:00
br_netlink_tunnel.c net: bridge: fix an inconsistent indentation 2024-06-05 10:04:47 +01:00
br_netlink.c net: bridge: correct debug message function name in br_fill_ifinfo 2025-10-14 12:13:36 -07:00
br_nf_core.c bridge: netfilter: Fix forwarding of fragmented packets 2025-05-16 16:02:06 -07:00
br_private_cfm.h
br_private_mcast_eht.h
br_private_mrp.h
br_private_stp.h
br_private_tunnel.h
br_private.h bridge: Check relevant per-VLAN options in VLAN range grouping 2026-02-26 19:24:29 -08:00
br_stp_bpdu.c move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
br_stp_if.c net: bridge: use sysfs_emit instead of sprintf 2026-02-03 19:19:42 -08:00
br_stp_timer.c treewide, timers: Rename from_timer() to timer_container_of() 2025-06-08 09:07:37 +02:00
br_stp.c treewide: Switch/rename to timer_delete[_sync]() 2025-04-05 10:30:12 +02:00
br_switchdev.c treewide: Replace kmalloc with kmalloc_obj for non-scalar types 2026-02-21 01:02:28 -08:00
br_sysfs_br.c mm.git review status for linus..mm-nonmm-stable 2026-02-12 12:13:01 -08:00
br_sysfs_if.c net: bridge: use sysfs_emit instead of sprintf 2026-02-03 19:19:42 -08:00
br_vlan_options.c bridge: Check relevant per-VLAN options in VLAN range grouping 2026-02-26 19:24:29 -08:00
br_vlan_tunnel.c bridge: fix C-VLAN preservation in 802.1ad vlan_tunnel egress 2026-01-04 09:45:35 -08:00
br_vlan.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
br.c net: bridge: Install FDB for bridge MAC on VLAN 0 2025-09-23 17:10:49 -07:00
Kconfig
Makefile