bridge: fix br_stp_set_bridge_priority race conditions

NikAleksandrov · davem330 · commit 2dab80a8b486 · 2015-06-18T03:29:47.000-07:00
After the ->set() spinlocks were removed br_stp_set_bridge_priority was left running without any protection when used via sysfs. It can race with port add/del and could result in use-after-free cases and corrupted lists. Tested by running port add/del in a loop with stp enabled while setting priority in a loop, crashes are easily reproducible. The spinlocks around sysfs ->set() were removed in commit: 14f98f2 ("bridge: range check STP parameters") There's also a race condition in the netlink priority support that is fixed by this change, but it was introduced recently and the fixes tag covers it, just in case it's needed the commit is: af61576 ("bridge: add ageing_time, stp_state, priority over netlink") Signed-off-by: Nikolay Aleksandrov <razor@blackwall.org> Fixes: 14f98f2 ("bridge: range check STP parameters") Signed-off-by: David S. Miller <davem@davemloft.net>
diff --git a/net/bridge/br_ioctl.c b/net/bridge/br_ioctl.c
@@ -247,9 +247,7 @@ static int old_dev_ioctl(struct net_device *dev, struct ifreq *rq, int cmd)
 		if (!ns_capable(dev_net(dev)->user_ns, CAP_NET_ADMIN))
 			return -EPERM;
 
-		spin_lock_bh(&br->lock);
 		br_stp_set_bridge_priority(br, args[1]);
-		spin_unlock_bh(&br->lock);
 		return 0;
 
 	case BRCTL_SET_PORT_PRIORITY:
diff --git a/net/bridge/br_stp_if.c b/net/bridge/br_stp_if.c
@@ -243,12 +243,13 @@ bool br_stp_recalculate_bridge_id(struct net_bridge *br)
 	return true;
 }
 
-/* called under bridge lock */
+/* Acquires and releases bridge lock */
 void br_stp_set_bridge_priority(struct net_bridge *br, u16 newprio)
 {
 	struct net_bridge_port *p;
 	int wasroot;
 
+	spin_lock_bh(&br->lock);
 	wasroot = br_is_root_bridge(br);
 
 	list_for_each_entry(p, &br->port_list, list) {
@@ -266,6 +267,7 @@ void br_stp_set_bridge_priority(struct net_bridge *br, u16 newprio)
 	br_port_state_selection(br);
 	if (br_is_root_bridge(br) && !wasroot)
 		br_become_root_bridge(br);
+	spin_unlock_bh(&br->lock);
 }
 
 /* called under bridge lock */

Original file line number	Diff line number	Diff line change
`@@ -243,12 +243,13 @@ bool br_stp_recalculate_bridge_id(struct net_bridge *br)`
`243`	`243`	`return true;`
`244`	`244`	`}`
`245`	`245`
`246`		`-/* called under bridge lock */`
	`246`	`+/* Acquires and releases bridge lock */`
`247`	`247`	`void br_stp_set_bridge_priority(struct net_bridge *br, u16 newprio)`
`248`	`248`	`{`
`249`	`249`	`struct net_bridge_port *p;`
`250`	`250`	`int wasroot;`
`251`	`251`
	`252`	`+ spin_lock_bh(&br->lock);`
`252`	`253`	`wasroot = br_is_root_bridge(br);`
`253`	`254`
`254`	`255`	`list_for_each_entry(p, &br->port_list, list) {`
`@@ -266,6 +267,7 @@ void br_stp_set_bridge_priority(struct net_bridge *br, u16 newprio)`
`266`	`267`	`br_port_state_selection(br);`
`267`	`268`	`if (br_is_root_bridge(br) && !wasroot)`
`268`	`269`	`br_become_root_bridge(br);`
	`270`	`+ spin_unlock_bh(&br->lock);`
`269`	`271`	`}`
`270`	`272`
`271`	`273`	`/* called under bridge lock */`