[kernel/f19] Fix host lockup in bridge code when starting from virt guest (rhbz 1025770)

Josh Boyer jwboyer at fedoraproject.org
Mon Dec 16 15:54:11 UTC 2013


commit efa81d6b2a37ae6a272101c98ae18268b5f1fcbc
Author: Josh Boyer <jwboyer at fedoraproject.org>
Date:   Mon Dec 16 10:51:18 2013 -0500

    Fix host lockup in bridge code when starting from virt guest (rhbz 1025770)

 ...of-rx_handler_data-in-code-executed-on-no.patch |   83 ++++++++++++++++++++
 kernel.spec                                        |    9 ++
 2 files changed, 92 insertions(+), 0 deletions(-)
---
diff --git a/br-fix-use-of-rx_handler_data-in-code-executed-on-no.patch b/br-fix-use-of-rx_handler_data-in-code-executed-on-no.patch
new file mode 100644
index 0000000..21e7492
--- /dev/null
+++ b/br-fix-use-of-rx_handler_data-in-code-executed-on-no.patch
@@ -0,0 +1,83 @@
+Bugzilla: 1025770
+Upstream-status: 3.13 (commit 859828c0ea476b42f3a)
+
+From 1a62121ead27a218d4b02b7130a6f5f6ca9c247e Mon Sep 17 00:00:00 2001
+From: Jiri Pirko <jiri at resnulli.us>
+Date: Thu, 5 Dec 2013 16:27:37 +0100
+Subject: [PATCH] br: fix use of ->rx_handler_data in code executed on
+ non-rx_handler path
+
+br_stp_rcv() is reached by non-rx_handler path. That means there is no
+guarantee that dev is bridge port and therefore simple NULL check of
+->rx_handler_data is not enough. There is need to check if dev is really
+bridge port and since only rcu read lock is held here, do it by checking
+->rx_handler pointer.
+
+Note that synchronize_net() in netdev_rx_handler_unregister() ensures
+this approach as valid.
+
+Introduced originally by:
+commit f350a0a87374418635689471606454abc7beaa3a
+  "bridge: use rx_handler_data pointer to store net_bridge_port pointer"
+
+Fixed but not in the best way by:
+commit b5ed54e94d324f17c97852296d61a143f01b227a
+  "bridge: fix RCU races with bridge port"
+
+Reintroduced by:
+commit 716ec052d2280d511e10e90ad54a86f5b5d4dcc2
+  "bridge: fix NULL pointer deref of br_port_get_rcu"
+
+Please apply to stable trees as well. Thanks.
+
+RH bugzilla reference: https://bugzilla.redhat.com/show_bug.cgi?id=1025770
+
+Reported-by: Laine Stump <laine at redhat.com>
+Debugged-by: Michael S. Tsirkin <mst at redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst at redhat.com>
+Signed-off-by: Jiri Pirko <jiri at resnulli.us>
+Acked-by: Michael S. Tsirkin <mst at redhat.com>
+Acked-by: Eric Dumazet <edumazet at google.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ net/bridge/br_private.h  | 10 ++++++++++
+ net/bridge/br_stp_bpdu.c |  2 +-
+ 2 files changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h
+index e14c33b..9a63c42 100644
+--- a/net/bridge/br_private.h
++++ b/net/bridge/br_private.h
+@@ -442,6 +442,16 @@ extern netdev_features_t br_features_recompute(struct net_bridge *br,
+ extern int br_handle_frame_finish(struct sk_buff *skb);
+ extern rx_handler_result_t br_handle_frame(struct sk_buff **pskb);
+ 
++static inline bool br_rx_handler_check_rcu(const struct net_device *dev)
++{
++	return rcu_dereference(dev->rx_handler) == br_handle_frame;
++}
++
++static inline struct net_bridge_port *br_port_get_check_rcu(const struct net_device *dev)
++{
++	return br_rx_handler_check_rcu(dev) ? br_port_get_rcu(dev) : NULL;
++}
++
+ /* br_ioctl.c */
+ extern int br_dev_ioctl(struct net_device *dev, struct ifreq *rq, int cmd);
+ extern int br_ioctl_deviceless_stub(struct net *net, unsigned int cmd, void __user *arg);
+diff --git a/net/bridge/br_stp_bpdu.c b/net/bridge/br_stp_bpdu.c
+index 8660ea3..bdb459d 100644
+--- a/net/bridge/br_stp_bpdu.c
++++ b/net/bridge/br_stp_bpdu.c
+@@ -153,7 +153,7 @@ void br_stp_rcv(const struct stp_proto *proto, struct sk_buff *skb,
+ 	if (buf[0] != 0 || buf[1] != 0 || buf[2] != 0)
+ 		goto err;
+ 
+-	p = br_port_get_rcu(dev);
++	p = br_port_get_check_rcu(dev);
+ 	if (!p)
+ 		goto err;
+ 
+-- 
+1.8.3.1
+
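Review bot: The new `br_rx_handler_check_rcu()` in br_private.h decides that a device is a bridge port by comparing `rcu_dereference(dev->rx_handler)` against `br_handle_frame`, but the header gives no hint why that comparison is sufficient; the justification (the `synchronize_net()` in `netdev_rx_handler_unregister()`) lives only in the patch description, which a reader of the header will not see. A short comment above the helper would prevent a later caller from using it outside an RCU read section, e.g. `/* Caller must hold rcu_read_lock(). Safe because netdev_rx_handler_unregister() calls synchronize_net() after clearing rx_handler, so a matching pointer means rx_handler_data is still a live net_bridge_port. */`. The `br_port_get_check_rcu()` helper deliberately folds "not a bridge port" into the same NULL that `br_stp_rcv()` already treats as `goto err`, which is the intended behaviour but is worth stating in its own one-line comment. The body of `br_stp_rcv()` starts and ends outside the hunk, so the surrounding locking context is inferred from the description rather than visible here.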
diff --git a/kernel.spec b/kernel.spec
index de61a15..1200ae1 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -835,6 +835,9 @@ Patch25174: KVM-x86-fix-guest-initiated-crash-with-x2apic.patch
 #CVE-2013-4587 rhbz 1030986 1042071
 Patch25175: KVM-Improve-create-VCPU-parameter.patch
 
+#rhbz 1025770
+Patch25176: br-fix-use-of-rx_handler_data-in-code-executed-on-no.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -1618,6 +1621,9 @@ ApplyPatch KVM-x86-fix-guest-initiated-crash-with-x2apic.patch
 #CVE-2013-4587 rhbz 1030986 1042071
 ApplyPatch KVM-Improve-create-VCPU-parameter.patch
 
+#rhbz 1025770
+ApplyPatch br-fix-use-of-rx_handler_data-in-code-executed-on-no.patch
+
 # END OF PATCH APPLICATIONS
 
 %endif
@@ -2430,6 +2436,9 @@ fi
 # and build.
 
 %changelog
+* Mon Dec 16 2013 Josh Boyer <jwboyer at fedoraproject.org>
+- Fix host lockup in bridge code when starting from virt guest (rhbz 1025770)
+
 * Thu Dec 12 2013 Josh Boyer <jwboyer at fedoraproject.org>
 - CVE-2013-4587 kvm: out-of-bounds access (rhbz 1030986 1042071)
 - CVE-2013-6376 kvm: BUG_ON in apic_cluster_id (rhbz 1033106 1042099)

