summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorIdo Schimmel <idosch@mellanox.com>2015-10-30 17:46:19 +0100
committerDavid S. Miller <davem@davemloft.net>2015-11-02 21:40:10 +0100
commit07bc588fc1087929e8e6dfe95ffcee1cb69a240f (patch)
treeb07f5e0dc59c8e79d128eb5b6be5725cb610fedd
parenttcp/dccp: fix ireq->pktopts race (diff)
downloadlinux-07bc588fc1087929e8e6dfe95ffcee1cb69a240f.tar.xz
linux-07bc588fc1087929e8e6dfe95ffcee1cb69a240f.zip
bridge: vlan: Prevent possible use-after-free
When adding a port to a bridge we initialize VLAN filtering on it. We do not bail out in case an error occurred in nbp_vlan_init, as it can be used as a non VLAN filtering bridge. However, if VLAN filtering is required and an error occurred in nbp_vlan_init, we should set vlgrp to NULL, so that VLAN filtering functions (e.g. br_vlan_find, br_get_pvid) will know the struct is invalid and will not try to access it. Signed-off-by: Ido Schimmel <idosch@mellanox.com> Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r--net/bridge/br_vlan.c2
1 files changed, 2 insertions, 0 deletions
diff --git a/net/bridge/br_vlan.c b/net/bridge/br_vlan.c
index 5f0d0cc4744f..1054696323d7 100644
--- a/net/bridge/br_vlan.c
+++ b/net/bridge/br_vlan.c
@@ -914,6 +914,8 @@ out:
return ret;
err_vlan_add:
+ RCU_INIT_POINTER(p->vlgrp, NULL);
+ synchronize_rcu();
rhashtable_destroy(&vg->vlan_hash);
err_rhtbl:
kfree(vg);