Message ID | ZiYvzQN/Ry5oeFQW@v4bel-B760M-AORUS-ELITE-AX (mailing list archive) |
---|---|
State | Accepted |
Commit | 5ea7b72d4fac2fdbc0425cd8f2ea33abe95235b2 |
Delegated to: | Netdev Maintainers |
Headers | show |
Series | net: openvswitch: Fix Use-After-Free in ovs_ct_exit | expand |
On Mon, Apr 22, 2024 at 11:37 AM Hyunwoo Kim <v4bel@theori.io> wrote: > > Since kfree_rcu, which is called in the hlist_for_each_entry_rcu traversal > of ovs_ct_limit_exit, is not part of the RCU read critical section, it > is possible that the RCU grace period will pass during the traversal and > the key will be free. > > To prevent this, it should be changed to hlist_for_each_entry_safe. > > Fixes: 11efd5cb04a1 ("openvswitch: Support conntrack zone limit") > Signed-off-by: Hyunwoo Kim <v4bel@theori.io> Reviewed-by: Eric Dumazet <edumazet@google.com> Thanks !
Hyunwoo Kim <v4bel@theori.io> writes: > Since kfree_rcu, which is called in the hlist_for_each_entry_rcu traversal > of ovs_ct_limit_exit, is not part of the RCU read critical section, it > is possible that the RCU grace period will pass during the traversal and > the key will be free. > > To prevent this, it should be changed to hlist_for_each_entry_safe. > > Fixes: 11efd5cb04a1 ("openvswitch: Support conntrack zone limit") > Signed-off-by: Hyunwoo Kim <v4bel@theori.io> > --- Reviewed-by: Aaron Conole <aconole@redhat.com>
Hello: This patch was applied to netdev/net.git (main) by Jakub Kicinski <kuba@kernel.org>: On Mon, 22 Apr 2024 05:37:17 -0400 you wrote: > Since kfree_rcu, which is called in the hlist_for_each_entry_rcu traversal > of ovs_ct_limit_exit, is not part of the RCU read critical section, it > is possible that the RCU grace period will pass during the traversal and > the key will be free. > > To prevent this, it should be changed to hlist_for_each_entry_safe. > > [...] Here is the summary with links: - net: openvswitch: Fix Use-After-Free in ovs_ct_exit https://git.kernel.org/netdev/net/c/5ea7b72d4fac You are awesome, thank you!
diff --git a/net/openvswitch/conntrack.c b/net/openvswitch/conntrack.c index 74b63cdb5992..2928c142a2dd 100644 --- a/net/openvswitch/conntrack.c +++ b/net/openvswitch/conntrack.c @@ -1593,9 +1593,9 @@ static void ovs_ct_limit_exit(struct net *net, struct ovs_net *ovs_net) for (i = 0; i < CT_LIMIT_HASH_BUCKETS; ++i) { struct hlist_head *head = &info->limits[i]; struct ovs_ct_limit *ct_limit; + struct hlist_node *next; - hlist_for_each_entry_rcu(ct_limit, head, hlist_node, - lockdep_ovsl_is_held()) + hlist_for_each_entry_safe(ct_limit, next, head, hlist_node) kfree_rcu(ct_limit, rcu); } kfree(info->limits);
Since kfree_rcu, which is called in the hlist_for_each_entry_rcu traversal of ovs_ct_limit_exit, is not part of the RCU read critical section, it is possible that the RCU grace period will pass during the traversal and the key will be free. To prevent this, it should be changed to hlist_for_each_entry_safe. Fixes: 11efd5cb04a1 ("openvswitch: Support conntrack zone limit") Signed-off-by: Hyunwoo Kim <v4bel@theori.io> --- net/openvswitch/conntrack.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)