From: Greg Kroah-Hartman Date: Sat, 12 Feb 2022 10:44:48 +0000 (+0100) Subject: 5.4-stable patches X-Git-Tag: v4.9.302~35 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9568a84e16e70776e4489c8d6a82aa99aba3b45f;p=thirdparty%2Fkernel%2Fstable-queue.git 5.4-stable patches added patches: net-bridge-fix-stale-eth-hdr-pointer-in-br_dev_xmit.patch --- diff --git a/queue-5.4/net-bridge-fix-stale-eth-hdr-pointer-in-br_dev_xmit.patch b/queue-5.4/net-bridge-fix-stale-eth-hdr-pointer-in-br_dev_xmit.patch new file mode 100644 index 00000000000..7fb9c7d7e1e --- /dev/null +++ b/queue-5.4/net-bridge-fix-stale-eth-hdr-pointer-in-br_dev_xmit.patch @@ -0,0 +1,55 @@ +From 823d81b0fa2cd83a640734e74caee338b5d3c093 Mon Sep 17 00:00:00 2001 +From: Nikolay Aleksandrov +Date: Mon, 24 Feb 2020 18:46:22 +0200 +Subject: net: bridge: fix stale eth hdr pointer in br_dev_xmit + +From: Nikolay Aleksandrov + +commit 823d81b0fa2cd83a640734e74caee338b5d3c093 upstream. + +In br_dev_xmit() we perform vlan filtering in br_allowed_ingress() but +if the packet has the vlan header inside (e.g. bridge with disabled +tx-vlan-offload) then the vlan filtering code will use skb_vlan_untag() +to extract the vid before filtering which in turn calls pskb_may_pull() +and we may end up with a stale eth pointer. Moreover the cached eth header +pointer will generally be wrong after that operation. Remove the eth header +caching and just use eth_hdr() directly, the compiler does the right thing +and calculates it only once so we don't lose anything. + +Fixes: 057658cb33fb ("bridge: suppress arp pkts on BR_NEIGH_SUPPRESS ports") +Signed-off-by: Nikolay Aleksandrov +Signed-off-by: David S. Miller +Cc: Eduardo Vela +Signed-off-by: Greg Kroah-Hartman +--- + net/bridge/br_device.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +--- a/net/bridge/br_device.c ++++ b/net/bridge/br_device.c +@@ -33,7 +33,6 @@ netdev_tx_t br_dev_xmit(struct sk_buff * + struct pcpu_sw_netstats *brstats = this_cpu_ptr(br->stats); + const struct nf_br_ops *nf_ops; + const unsigned char *dest; +- struct ethhdr *eth; + u16 vid = 0; + + rcu_read_lock(); +@@ -53,15 +52,14 @@ netdev_tx_t br_dev_xmit(struct sk_buff * + BR_INPUT_SKB_CB(skb)->frag_max_size = 0; + + skb_reset_mac_header(skb); +- eth = eth_hdr(skb); + skb_pull(skb, ETH_HLEN); + + if (!br_allowed_ingress(br, br_vlan_group_rcu(br), skb, &vid)) + goto out; + + if (IS_ENABLED(CONFIG_INET) && +- (eth->h_proto == htons(ETH_P_ARP) || +- eth->h_proto == htons(ETH_P_RARP)) && ++ (eth_hdr(skb)->h_proto == htons(ETH_P_ARP) || ++ eth_hdr(skb)->h_proto == htons(ETH_P_RARP)) && + br_opt_get(br, BROPT_NEIGH_SUPPRESS_ENABLED)) { + br_do_proxy_suppress_arp(skb, br, vid, NULL); + } else if (IS_ENABLED(CONFIG_IPV6) && diff --git a/queue-5.4/series b/queue-5.4/series index 56fd2984747..66874fd72b9 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -30,3 +30,4 @@ arm-socfpga-fix-missing-reset_controller.patch nvme-tcp-fix-bogus-request-completion-when-failing-to-send-aer.patch acpi-iort-check-node-revision-for-pmcg-resources.patch pm-s2idle-acpi-fix-wakeup-interrupts-handling.patch +net-bridge-fix-stale-eth-hdr-pointer-in-br_dev_xmit.patch