提交 263344e6 编写于 作者: N Nikolay Aleksandrov 提交者: David S. Miller

bridge: vlan: fix possible null ptr derefs on port init and deinit

When a new port is being added we need to make vlgrp available after
rhashtable has been initialized and when removing a port we need to
flush the vlans and free the resources after we're sure noone can use
the port, i.e. after it's removed from the port list and synchronize_rcu
is executed.
Signed-off-by: NNikolay Aleksandrov <nikolay@cumulusnetworks.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>
上级 77751ee8
...@@ -248,7 +248,6 @@ static void del_nbp(struct net_bridge_port *p) ...@@ -248,7 +248,6 @@ static void del_nbp(struct net_bridge_port *p)
list_del_rcu(&p->list); list_del_rcu(&p->list);
nbp_vlan_flush(p);
br_fdb_delete_by_port(br, p, 0, 1); br_fdb_delete_by_port(br, p, 0, 1);
nbp_update_port_count(br); nbp_update_port_count(br);
...@@ -257,6 +256,8 @@ static void del_nbp(struct net_bridge_port *p) ...@@ -257,6 +256,8 @@ static void del_nbp(struct net_bridge_port *p)
dev->priv_flags &= ~IFF_BRIDGE_PORT; dev->priv_flags &= ~IFF_BRIDGE_PORT;
netdev_rx_handler_unregister(dev); netdev_rx_handler_unregister(dev);
/* use the synchronize_rcu done by netdev_rx_handler_unregister */
nbp_vlan_flush(p);
br_multicast_del_port(p); br_multicast_del_port(p);
......
...@@ -854,16 +854,20 @@ int br_vlan_init(struct net_bridge *br) ...@@ -854,16 +854,20 @@ int br_vlan_init(struct net_bridge *br)
int nbp_vlan_init(struct net_bridge_port *p) int nbp_vlan_init(struct net_bridge_port *p)
{ {
struct net_bridge_vlan_group *vg;
int ret = -ENOMEM; int ret = -ENOMEM;
p->vlgrp = kzalloc(sizeof(struct net_bridge_vlan_group), GFP_KERNEL); vg = kzalloc(sizeof(struct net_bridge_vlan_group), GFP_KERNEL);
if (!p->vlgrp) if (!vg)
goto out; goto out;
ret = rhashtable_init(&p->vlgrp->vlan_hash, &br_vlan_rht_params); ret = rhashtable_init(&vg->vlan_hash, &br_vlan_rht_params);
if (ret) if (ret)
goto err_rhtbl; goto err_rhtbl;
INIT_LIST_HEAD(&p->vlgrp->vlan_list); INIT_LIST_HEAD(&vg->vlan_list);
/* Make sure everything's committed before publishing vg */
smp_wmb();
p->vlgrp = vg;
if (p->br->default_pvid) { if (p->br->default_pvid) {
ret = nbp_vlan_add(p, p->br->default_pvid, ret = nbp_vlan_add(p, p->br->default_pvid,
BRIDGE_VLAN_INFO_PVID | BRIDGE_VLAN_INFO_PVID |
...@@ -875,9 +879,9 @@ int nbp_vlan_init(struct net_bridge_port *p) ...@@ -875,9 +879,9 @@ int nbp_vlan_init(struct net_bridge_port *p)
return ret; return ret;
err_vlan_add: err_vlan_add:
rhashtable_destroy(&p->vlgrp->vlan_hash); rhashtable_destroy(&vg->vlan_hash);
err_rhtbl: err_rhtbl:
kfree(p->vlgrp); kfree(vg);
goto out; goto out;
} }
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册