net: fix a data race when get vlan device

mainline inclusion from mainline-v5.13-rc1 commit c1102e9d category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I4RJ4X CVE: NA ---------------------------- We encountered a crash: in the packet receiving process, we got an illegal VLAN device address, but the VLAN device address saved in vmcore is correct. After checking the code, we found a possible data competition: CPU 0: CPU 1: (RCU read lock) (RTNL lock) vlan_do_receive() register_vlan_dev() vlan_find_dev() ->__vlan_group_get_device() ->vlan_group_prealloc_vid() In vlan_group_prealloc_vid(), We need to make sure that memset() in kzalloc() is executed before assigning value to vlan devices array: ================================= kzalloc() ->memset(object, 0, size) smp_wmb() vg->vlan_devices_arrays[pidx][vidx] = array; ================================== Because __vlan_group_get_device() function depends on this order. otherwise we may get a wrong address from the hardware cache on another cpu. So fix it by adding memory barrier instruction to ensure the order of memory operations. Signed-off-by: N Di Zhu <zhudi21@huawei.com> Signed-off-by: N David S. Miller <davem@davemloft.net> Reviewed-by: N wuchangye <wuchangye@huawei.com> Reviewed-by: N Wei Yongjun <weiyongjun1@huawei.com> Signed-off-by: N Zheng Zengkai <zhengzengkai@huawei.com>

net: fix a data race when get vlan device
mainline inclusion from mainline-v5.13-rc1 commit c1102e9d category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I4RJ4X CVE: NA ---------------------------- We encountered a crash: in the packet receiving process, we got an illegal VLAN device address, but the VLAN device address saved in vmcore is correct. After checking the code, we found a possible data competition: CPU 0: CPU 1: (RCU read lock) (RTNL lock) vlan_do_receive() register_vlan_dev() vlan_find_dev() ->__vlan_group_get_device() ->vlan_group_prealloc_vid() In vlan_group_prealloc_vid(), We need to make sure that memset() in kzalloc() is executed before assigning value to vlan devices array: ================================= kzalloc() ->memset(object, 0, size) smp_wmb() vg->vlan_devices_arrays[pidx][vidx] = array; ================================== Because __vlan_group_get_device() function depends on this order. otherwise we may get a wrong address from the hardware cache on another cpu. So fix it by adding memory barrier instruction to ensure the order of memory operations. Signed-off-by: N Di Zhu <zhudi21@huawei.com> Signed-off-by: N David S. Miller <davem@davemloft.net> Reviewed-by: N wuchangye <wuchangye@huawei.com> Reviewed-by: N Wei Yongjun <weiyongjun1@huawei.com> Signed-off-by: N Zheng Zengkai <zhengzengkai@huawei.com>
5a60fc9d · Di Zhu · Zheng Zengkai · b6461fe5 · 5a60fc9d · 5a60fc9d
隐藏空白更改
内联并排

Showing with 7 addition and 0 deletion

net/8021q/vlan.c net/8021q/vlan.c +3 -0

net/8021q/vlan.h net/8021q/vlan.h +4 -0

未找到文件。
--- a/net/8021q/vlan.c
+++ b/net/8021q/vlan.c
@@ -71,6 +71,9 @@ static int vlan_group_prealloc_vid(struct vlan_group *vg,
 	if (array == NULL)
 		return -ENOBUFS;

+	/* paired with smp_rmb() in __vlan_group_get_device() */
+	smp_wmb();
+
 	vg->vlan_devices_arrays[pidx][vidx] = array;
 	return 0;
 }

--- a/net/8021q/vlan.h
+++ b/net/8021q/vlan.h
@@ -57,6 +57,10 @@ static inline struct net_device *__vlan_group_get_device(struct vlan_group *vg,

 	array = vg->vlan_devices_arrays[pidx]
 				       [vlan_id / VLAN_GROUP_ARRAY_PART_LEN];
+
+	/* paired with smp_wmb() in vlan_group_prealloc_vid() */
+	smp_rmb();
+
 	return array ? array[vlan_id % VLAN_GROUP_ARRAY_PART_LEN] : NULL;
 }