proxmox-mirrors/mirror_ubuntu-kernels
1
0
Fork 0
mirror of https://git.proxmox.com/git/mirror_ubuntu-kernels.git synced 2026-01-25 22:20:52 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
7f7708f005
mirror_ubuntu-kernels/net/bridge
History
Michael Braun 7f7708f005 bridge: Fix br_forward crash in promiscuous mode 
From: Michael Braun <michael-dev@fami-braun.de>

bridge: Fix br_forward crash in promiscuous mode

It's a linux-next kernel from 2010-03-12 on an x86 system and it
OOPs in the bridge module in br_pass_frame_up (called by
br_handle_frame_finish) because brdev cannot be dereferenced (its set to
a non-null value).

Adding some BUG_ON statements revealed that
 BR_INPUT_SKB_CB(skb)->brdev == br-dev
(as set in br_handle_frame_finish first)
only holds until br_forward is called.
The next call to br_pass_frame_up then fails.

Digging deeper it seems that br_forward either frees the skb or passes
it to NF_HOOK which will in turn take care of freeing the skb. The
same is holds for br_pass_frame_ip. So it seems as if two independent
skb allocations are required. As far as I can see, commit
b33084be19 ("bridge: Avoid unnecessary
clone on forward path") removed skb duplication and so likely causes
this crash. This crash does not happen on 2.6.33.

I've therefore modified br_forward the same way br_flood has been
modified so that the skb is not freed if skb0 is going to be used
and I can confirm that the attached patch resolves the issue for me.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
2010-03-16 00:26:22 -07:00
..
netfilter netfilter: ebtables: mark: add CONFIG_COMPAT support 2010-02-16 17:27:20 +01:00
br_device.c bridge: Add multicast data-path hooks 2010-02-28 00:49:45 -08:00
br_fdb.c net: Move && and || to end of previous line 2009-11-29 16:55:45 -08:00
br_forward.c bridge: Fix br_forward crash in promiscuous mode 2010-03-16 00:26:22 -07:00
br_if.c bridge: Add multicast start/stop hooks 2010-02-28 00:49:38 -08:00
br_input.c bridge: Fix br_forward crash in promiscuous mode 2010-03-16 00:26:22 -07:00
br_ioctl.c bridge: remove dev_put() in add_del_if() 2009-11-05 22:34:16 -08:00
br_multicast.c bridge: Move NULL mdb check into br_mdb_ip_get 2010-03-15 20:38:25 -07:00
br_netfilter.c sysctl net: Remove unused binary sysctl code 2009-11-12 02:05:06 -08:00
br_netlink.c netlink: change nlmsg_notify() return value logic 2009-02-24 23:18:28 -08:00
br_notify.c netns bridge: allow bridges in netns! 2008-09-08 16:19:58 -07:00
br_private_stp.h net: remove CVS keywords 2008-06-11 21:00:38 -07:00
br_private.h bridge: Fix br_forward crash in promiscuous mode 2010-03-16 00:26:22 -07:00
br_stp_bpdu.c netns bridge: allow bridges in netns! 2008-09-08 16:19:58 -07:00
br_stp_if.c bridge: Add multicast start/stop hooks 2010-02-28 00:49:38 -08:00
br_stp_timer.c net: remove CVS keywords 2008-06-11 21:00:38 -07:00
br_stp.c bridge: Add multicast start/stop hooks 2010-02-28 00:49:38 -08:00
br_sysfs_br.c bridge: Add multicast count/interval sysfs entries 2010-02-28 00:49:47 -08:00
br_sysfs_if.c Driver core: Constify struct sysfs_ops in struct kobj_type 2010-03-07 17:04:49 -08:00
br.c bridge: Use rcu_barrier() instead of syncronize_net() on unload. 2009-06-26 13:51:32 -07:00
Kconfig bridge: depends on INET 2010-03-03 01:23:22 -08:00
Makefile bridge: Add core IGMP snooping support 2010-02-28 00:48:45 -08:00