From: Ido Schimmel
To: "netdev@vger.kernel.org", "bridge@lists.linux-foundation.org"
CC: "davem@davemloft.net", "nikolay@cumulusnetworks.com", "roopa@cumulusnetworks.com", mlxsw, Ido Schimmel, Mike Manning
Subject: [PATCH net-next] bridge: Fix possible use-after-free when deleting bridge port
Date: Mon, 22 Apr 2019 09:33:19 +0000
Message-ID: <20190422093307.10206-1-idosch@mellanox.com>
X-Patchwork-Id: 1088619

When a bridge port is being deleted, do not dereference it later in br_vlan_port_event() as it can result in a use-after-free [1] if the RCU callback was
executed before invoking the function.

[1]
[ 129.638551] ==================================================================
[ 129.646904] BUG: KASAN: use-after-free in br_vlan_port_event+0x53c/0x5fd
[ 129.654406] Read of size 8 at addr ffff8881e4aa1ae8 by task ip/483
[ 129.663008] CPU: 0 PID: 483 Comm: ip Not tainted 5.1.0-rc5-custom-02265-ga946bd73daac #1383
[ 129.672359] Hardware name: Mellanox Technologies Ltd. MSN2100-CB2FO/SA001017, BIOS 5.6.5 06/07/2016
[ 129.682484] Call Trace:
[ 129.685242] dump_stack+0xa9/0x10e
[ 129.689068] print_address_description.cold.2+0x9/0x25e
[ 129.694930] kasan_report.cold.3+0x78/0x9d
[ 129.704420] br_vlan_port_event+0x53c/0x5fd
[ 129.728300] br_device_event+0x2c7/0x7a0
[ 129.741505] notifier_call_chain+0xb5/0x1c0
[ 129.746202] rollback_registered_many+0x895/0xe90
[ 129.793119] unregister_netdevice_many+0x48/0x210
[ 129.803384] rtnl_delete_link+0xe1/0x140
[ 129.815906] rtnl_dellink+0x2a3/0x820
[ 129.844166] rtnetlink_rcv_msg+0x397/0x910
[ 129.868517] netlink_rcv_skb+0x137/0x3a0
[ 129.882013] netlink_unicast+0x49b/0x660
[ 129.900019] netlink_sendmsg+0x755/0xc90
[ 129.915758] ___sys_sendmsg+0x761/0x8e0
[ 129.966315] __sys_sendmsg+0xf0/0x1c0
[ 129.988918] do_syscall_64+0xa4/0x470
[ 129.993032] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 129.998696] RIP: 0033:0x7ff578104b58
...
[ 130.073811] Allocated by task 479: [ 130.077633] __kasan_kmalloc.constprop.5+0xc1/0xd0 [ 130.083008] kmem_cache_alloc_trace+0x152/0x320 [ 130.088090] br_add_if+0x39c/0x1580 [ 130.092005] do_set_master+0x1aa/0x210 [ 130.096211] do_setlink+0x985/0x3100 [ 130.100224] __rtnl_newlink+0xc52/0x1380 [ 130.104625] rtnl_newlink+0x6b/0xa0 [ 130.108541] rtnetlink_rcv_msg+0x397/0x910 [ 130.113136] netlink_rcv_skb+0x137/0x3a0 [ 130.117538] netlink_unicast+0x49b/0x660 [ 130.121939] netlink_sendmsg+0x755/0xc90 [ 130.126340] ___sys_sendmsg+0x761/0x8e0 [ 130.130645] __sys_sendmsg+0xf0/0x1c0 [ 130.134753] do_syscall_64+0xa4/0x470 [ 130.138864] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 130.146195] Freed by task 0: [ 130.149421] __kasan_slab_free+0x125/0x170 [ 130.154016] kfree+0xf3/0x310 [ 130.157349] kobject_put+0x1a8/0x4c0 [ 130.161363] rcu_core+0x859/0x19b0 [ 130.165175] __do_softirq+0x250/0xa26 [ 130.170956] The buggy address belongs to the object at ffff8881e4aa1ae8 which belongs to the cache kmalloc-1k of size 1024 [ 130.184972] The buggy address is located 0 bytes inside of 1024-byte region [ffff8881e4aa1ae8, ffff8881e4aa1ee8) Fixes: 9c0ec2e7182a ("bridge: support binding vlan dev link state to vlan member bridge ports") Signed-off-by: Ido Schimmel Cc: Mike Manning Acked-by: Nikolay Aleksandrov Acked-by: Mike Manning --- net/bridge/br.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/net/bridge/br.c b/net/bridge/br.c index e69fc87a13e0..3c8e4b38f054 100644 --- a/net/bridge/br.c +++ b/net/bridge/br.c @@ -129,7 +129,8 @@ static int br_device_event(struct notifier_block *unused, unsigned long event, v break; } - br_vlan_port_event(p, event); + if (event != NETDEV_UNREGISTER) + br_vlan_port_event(p, event); /* Events that may cause spanning tree to refresh */ if (!notified && (event == NETDEV_CHANGEADDR || event == NETDEV_UP ||
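
Review bot: the new `if (event != NETDEV_UNREGISTER)` guard around br_vlan_port_event() in br_device_event() has no comment, so nothing at the call site records that `p` may already have been freed by the RCU callback when the unregister event reaches this point. A one-line comment above the guard saying that the port is being deleted and must not be dereferenced here would keep a later change from reintroducing a use of `p` on that path, including in the code that follows the guard in the same function. It would also help if the commit message said whether skipping br_vlan_port_event() on NETDEV_UNREGISTER leaves any VLAN device link-state update undone, given that the Fixes: commit added that call for link-state binding.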