From: Greg Kroah-Hartman
Date: Sat, 12 Feb 2022 10:44:28 +0000 (+0100)
Subject: 4.19-stable patches
X-Git-Tag: v4.9.302~36
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=48ed4b1731ff0c5c8460222f3de8e16b22c1305d;p=thirdparty%2Fkernel%2Fstable-queue.git

4.19-stable patches

added patches:
net-bridge-fix-stale-eth-hdr-pointer-in-br_dev_xmit.patch
---
diff --git a/queue-4.19/net-bridge-fix-stale-eth-hdr-pointer-in-br_dev_xmit.patch b/queue-4.19/net-bridge-fix-stale-eth-hdr-pointer-in-br_dev_xmit.patch
new file mode 100644
index 00000000000..c15148ae5c2
--- /dev/null
+++ b/queue-4.19/net-bridge-fix-stale-eth-hdr-pointer-in-br_dev_xmit.patch
@@ -0,0 +1,55 @@
+From 823d81b0fa2cd83a640734e74caee338b5d3c093 Mon Sep 17 00:00:00 2001
+From: Nikolay Aleksandrov
+Date: Mon, 24 Feb 2020 18:46:22 +0200
+Subject: net: bridge: fix stale eth hdr pointer in br_dev_xmit
+
+From: Nikolay Aleksandrov
+
+commit 823d81b0fa2cd83a640734e74caee338b5d3c093 upstream.
+
+In br_dev_xmit() we perform vlan filtering in br_allowed_ingress() but
+if the packet has the vlan header inside (e.g. bridge with disabled
+tx-vlan-offload) then the vlan filtering code will use skb_vlan_untag()
+to extract the vid before filtering which in turn calls pskb_may_pull()
+and we may end up with a stale eth pointer. Moreover the cached eth header
+pointer will generally be wrong after that operation. Remove the eth header
+caching and just use eth_hdr() directly, the compiler does the right thing
+and calculates it only once so we don't lose anything.
+
+Fixes: 057658cb33fb ("bridge: suppress arp pkts on BR_NEIGH_SUPPRESS ports")
+Signed-off-by: Nikolay Aleksandrov
+Signed-off-by: David S. Miller
+Cc: Eduardo Vela
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/bridge/br_device.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/net/bridge/br_device.c
++++ b/net/bridge/br_device.c
+@@ -39,7 +39,6 @@ netdev_tx_t br_dev_xmit(struct sk_buff *
+ struct pcpu_sw_netstats *brstats = this_cpu_ptr(br->stats);
+ const struct nf_br_ops *nf_ops;
+ const unsigned char *dest;
+- struct ethhdr *eth;
+ u16 vid = 0;
+
+ memset(skb->cb, 0, sizeof(struct br_input_skb_cb));
+@@ -60,15 +59,14 @@ netdev_tx_t br_dev_xmit(struct sk_buff *
+ BR_INPUT_SKB_CB(skb)->brdev = dev;
+
+ skb_reset_mac_header(skb);
+- eth = eth_hdr(skb);
+ skb_pull(skb, ETH_HLEN);
+
+ if (!br_allowed_ingress(br, br_vlan_group_rcu(br), skb, &vid))
+ goto out;
+
+ if (IS_ENABLED(CONFIG_INET) &&
+- (eth->h_proto == htons(ETH_P_ARP) ||
+- eth->h_proto == htons(ETH_P_RARP)) &&
++ (eth_hdr(skb)->h_proto == htons(ETH_P_ARP) ||
++ eth_hdr(skb)->h_proto == htons(ETH_P_RARP)) &&
+ br->neigh_suppress_enabled) {
+ br_do_proxy_suppress_arp(skb, br, vid, NULL);
+ } else if (IS_ENABLED(CONFIG_IPV6) &&
diff --git a/queue-4.19/series b/queue-4.19/series
index 9117eb42775..8c2b84332ae 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -17,3 +17,4 @@ usb-dwc2-gadget-don-t-try-to-disable-ep0-in-dwc2_hso.patch
 net-stmmac-dwmac-sun8i-use-return-val-of-readl_poll_.patch
 bpf-add-kconfig-knob-for-disabling-unpriv-bpf-by-default.patch
 arm-dts-imx23-evk-remove-mx23_pad_ssp1_detect-from-hog-group.patch
+net-bridge-fix-stale-eth-hdr-pointer-in-br_dev_xmit.patch
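Review bot: Nothing at the ARP/RARP test in br_dev_xmit() records why `eth_hdr(skb)` is re-derived there, so a later cleanup could reintroduce the cached pointer that br_allowed_ingress() can invalidate through skb_vlan_untag() and pskb_may_pull(). I would add a comment above the `if (IS_ENABLED(CONFIG_INET) &&` line, for example `/* br_allowed_ingress() may pull and reallocate the skb head; do not cache eth_hdr() across it */`. The context line `const unsigned char *dest;` is another cached pointer; its assignment is outside the hunk, so it is worth confirming in the 4.19 tree that it is only taken after br_allowed_ingress() returns. br_dev_xmit() starts before and continues past both inner hunks.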