• Nikolay Aleksandrov's avatar
    net: bridge: fix vlan stats use-after-free on destruction · 9d332e69
    Nikolay Aleksandrov authored
    Syzbot reported a use-after-free of the global vlan context on port vlan
    destruction. When I added per-port vlan stats I missed the fact that the
    global vlan context can be freed before the per-port vlan rcu callback.
    There're a few different ways to deal with this, I've chosen to add a
    new private flag that is set only when per-port stats are allocated so
    we can directly check it on destruction without dereferencing the global
    context at all. The new field in net_bridge_vlan uses a hole.
    
    v2: cosmetic change, move the check to br_process_vlan_info where the
        other checks are done
    v3: add change log in the patch, add private (in-kernel only) flags in a
        hole in net_bridge_vlan struct and use that instead of mixing
        user-space flags with private flags
    
    Fixes: 9163a0fc ("net: bridge: add support for per-port vlan stats")
    Reported-by: syzbot+04681da557a0e49a52e5@syzkaller.appspotmail.com
    Signed-off-by: default avatarNikolay Aleksandrov <nikolay@cumulusnetworks.com>
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    9d332e69
br_private.h 33.9 KB