1
linux/net
Michael Braun 7f7708f005 bridge: Fix br_forward crash in promiscuous mode
From: Michael Braun <michael-dev@fami-braun.de>

bridge: Fix br_forward crash in promiscuous mode

It's a linux-next kernel from 2010-03-12 on an x86 system and it
OOPs in the bridge module in br_pass_frame_up (called by
br_handle_frame_finish) because brdev cannot be dereferenced (its set to
a non-null value).

Adding some BUG_ON statements revealed that
 BR_INPUT_SKB_CB(skb)->brdev == br-dev
(as set in br_handle_frame_finish first)
only holds until br_forward is called.
The next call to br_pass_frame_up then fails.

Digging deeper it seems that br_forward either frees the skb or passes
it to NF_HOOK which will in turn take care of freeing the skb. The
same is holds for br_pass_frame_ip. So it seems as if two independent
skb allocations are required. As far as I can see, commit
b33084be19 ("bridge: Avoid unnecessary
clone on forward path") removed skb duplication and so likely causes
this crash. This crash does not happen on 2.6.33.

I've therefore modified br_forward the same way br_flood has been
modified so that the skb is not freed if skb0 is going to be used
and I can confirm that the attached patch resolves the issue for me.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
2010-03-16 00:26:22 -07:00
..
9p 9p: Change the name of new protocol from 9p2010.L to 9p2000.L 2010-03-13 08:57:29 -06:00
802
8021q percpu: add __percpu sparse annotations to net 2010-02-16 23:05:38 -08:00
appletalk net: appletalk: use seq_hlist_foo() helpers 2010-02-10 11:12:09 -08:00
atm net: atm: use seq_list_foo() helpers 2010-02-10 12:31:10 -08:00
ax25 net: ax25: use seq_hlist_foo() helpers 2010-02-10 11:12:09 -08:00
bluetooth Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6 2010-03-13 14:50:18 -08:00
bridge bridge: Fix br_forward crash in promiscuous mode 2010-03-16 00:26:22 -07:00
can can: deny filterlist access on non-CAN interfaces 2010-02-02 07:21:34 -08:00
core net: Fix dev_mc_add() 2010-03-10 07:32:28 -08:00
dcb const: struct nla_policy 2010-02-18 14:30:18 -08:00
dccp net-2.6 [Bug-Fix][dccp]: fix oops caused after failed initialisation 2010-03-15 16:00:50 -07:00
decnet net: Add checking to rcu_dereference() primitives 2010-02-25 09:41:03 +01:00
dsa
econet
ethernet
ieee802154
ipv4 Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6 2010-03-13 14:50:18 -08:00
ipv6 ipv6: Send netlink notification when DAD fails 2010-03-13 12:23:29 -08:00
ipx net: ipx: use seq_list_foo() helpers 2010-02-10 12:31:10 -08:00
irda const: struct nla_policy 2010-02-18 14:30:18 -08:00
iucv
key xfrm: SP lookups signature with mark 2010-02-22 16:21:12 -08:00
lapb
llc net: backlog functions rename 2010-03-05 13:34:03 -08:00
mac80211 Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6 2010-03-13 14:50:18 -08:00
netfilter Merge branch 'for-next' into for-linus 2010-03-08 16:55:37 +01:00
netlabel net: remove INIT_RCU_HEAD() usage 2010-02-17 00:03:27 -08:00
netlink netlink: Adding inode field to /proc/net/netlink 2010-02-28 01:29:49 -08:00
netrom net: netrom: use seq_hlist_foo() helpers 2010-02-10 11:12:08 -08:00
packet af_packet: move strict addr_len check right before dev_[mc/unicast]_[add/del] 2010-03-03 01:04:38 -08:00
phonet phonet: use for_each_set_bit() 2010-03-15 16:00:47 -07:00
rds net/rds: remove uses of NIPQUAD, use %pI4 2010-02-03 20:16:48 -08:00
rfkill rfkill: Add support for KEY_RFKILL 2010-03-02 14:28:49 -05:00
rose net: rose: use seq_hlist_foo() helpers 2010-02-10 11:12:08 -08:00
rxrpc
sched Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6 2010-02-09 11:44:44 -08:00
sctp Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6 2010-03-13 14:50:18 -08:00
sunrpc Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6 2010-03-13 14:50:18 -08:00
tipc tipc: filter out messages not intended for this host 2010-03-08 12:43:56 -08:00
unix AF_UNIX: update locking comment 2010-02-18 14:12:06 -08:00
wanrouter
wimax const: struct nla_policy 2010-02-18 14:30:18 -08:00
wireless Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-next-2.6 2010-02-25 23:26:21 -08:00
x25 net: backlog functions rename 2010-03-05 13:34:03 -08:00
xfrm ipsec: Fix bogus bundle flowi 2010-03-03 01:04:37 -08:00
compat.c
Kconfig
Makefile
nonet.c
socket.c
sysctl_net.c
TUNABLE