From patchwork Fri Feb 11 22:36:55 2011
X-Patchwork-Submitter: Herbert Xu
X-Patchwork-Id: 82842
X-Patchwork-Delegate: davem@davemloft.net
Date: Sat, 12 Feb 2011 09:36:55 +1100
From: Herbert Xu
To: "David S. Miller", netdev@vger.kernel.org
Cc: ihands@redhat.com, jbacik@redhat.com
Subject: bridge: Fix mglist corruption that leads to memory corruption
Message-ID: <20110211223655.GA5585@gondor.apana.org.au>
MIME-Version: 1.0
Content-Disposition: inline
User-Agent: Mutt/1.5.18 (2008-05-17)
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: netdev@vger.kernel.org

Hi:

This patch fixes a nasty memory corruption issue.

bridge: Fix mglist corruption that leads to memory corruption

The list mp->mglist is used to indicate whether a multicast group is active on the bridge interface itself as opposed to one of the constituent interfaces in the bridge.

Unfortunately the operation that adds the mp->mglist node to the list neglected to check whether it has already been added. This leads to list corruption in the form of nodes pointing to itself.

Normally this would be quite obvious as it would cause an infinite loop when walking the list. However, as this list is never actually walked (which means that we don't really need it, I'll get rid of it in a subsequent patch), this instead is hidden until we perform a delete operation on the affected nodes.

As the same node may now be pointed to by more than one node, the delete operations can then cause modification of freed memory.

This was observed in practice to cause corruption in 512-byte slabs, most commonly leading to crashes in jbd2.

Thanks to Josef Bacik for pointing me in the right direction.

Reported-by: Ian Page Hands
Signed-off-by: Herbert Xu

Cheers,

diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c
index f701a21..802d3f8 100644
--- a/net/bridge/br_multicast.c
+++ b/net/bridge/br_multicast.c
@@ -719,7 +719,8 @@ static int br_multicast_add_group(struct net_bridge *br, goto err; if (!port) { - hlist_add_head(&mp->mglist, &br->mglist); + if (hlist_unhashed(&mp->mglist)) + hlist_add_head(&mp->mglist, &br->mglist); mod_timer(&mp->timer, now + br->multicast_membership_interval); goto out; }
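Review bot: The hlist_unhashed() guard in front of hlist_add_head() is only a complete fix if mp->mglist starts life with pprev == NULL (zeroed allocation or INIT_HLIST_NODE()) and every removal path takes the node off br->mglist with hlist_del_init() rather than hlist_del(): after a plain hlist_del() the pprev pointer is poisoned rather than NULL, hlist_unhashed() stays false, and the group would silently never be re-added. That cannot be confirmed from this hunk alone, so it is worth stating in the commit message or checking in the deletion paths; since the message says the list is never walked and will be removed in a follow-up, the guard is adequate as an interim fix.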
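To make the corruption described in the commit message concrete, here is an added userspace model (not kernel code and not part of this patch) of the hlist operations involved: the unguarded double add producing a self-pointing node whose later deletion leaves the list head referencing the entry, and the hlist_unhashed() guard from the hunk making the second add a no-op. struct mdb_entry is a hypothetical stand-in for the bridge's group entry.

```c
#include <stddef.h>
/* Userspace model of the kernel hlist primitives (include/linux/list.h) the patch uses. */
struct hlist_node { struct hlist_node *next, **pprev; };
struct hlist_head { struct hlist_node *first; };
static int hlist_unhashed(const struct hlist_node *h) { return !h->pprev; }
static void hlist_add_head(struct hlist_node *n, struct hlist_head *h)
{
	struct hlist_node *first = h->first;
	n->next = first;
	if (first)
		first->pprev = &n->next;
	h->first = n;
	n->pprev = &h->first;
}
static void hlist_del(struct hlist_node *n)
{
	struct hlist_node *next = n->next, **pprev = n->pprev;
	*pprev = next;
	if (next)
		next->pprev = pprev;
}
/* Stand-in for the bridge's multicast group entry (hypothetical struct name). */
struct mdb_entry { int group; struct hlist_node mglist; };
/* Pre-patch: the second hlist_add_head() sets n->next = h->first, i.e. n itself; hlist_del()
 * then does *pprev = next, writing n back into br_mglist.first, so the head still references
 * the entry that is about to be freed. Returns 1 when both effects are observed. */
int unguarded_double_add_corrupts(void)
{
	struct hlist_head br_mglist = { NULL };
	struct mdb_entry mp = { 1, { NULL, NULL } };
	int self_loop;
	hlist_add_head(&mp.mglist, &br_mglist);
	hlist_add_head(&mp.mglist, &br_mglist);
	self_loop = (mp.mglist.next == &mp.mglist);
	hlist_del(&mp.mglist);
	return self_loop && br_mglist.first == &mp.mglist;
}

/* Post-patch: hlist_unhashed() is true only while pprev == NULL (never added, or
 * removed with hlist_del_init), so the second add is a no-op. Returns 1 when the
 * list is still one well-formed node after both attempts. */
int guarded_add_is_idempotent(void)
{
	struct hlist_head br_mglist = { NULL };
	struct mdb_entry mp = { 1, { NULL, NULL } };
	if (hlist_unhashed(&mp.mglist))
		hlist_add_head(&mp.mglist, &br_mglist);
	if (hlist_unhashed(&mp.mglist))	/* false: the first add set pprev */
		hlist_add_head(&mp.mglist, &br_mglist);
	return br_mglist.first == &mp.mglist && mp.mglist.next == NULL;
}
```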