summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorDi Zhu <zhudi21@huawei.com>2021-04-19 21:56:41 +0800
committerDavid S. Miller <davem@davemloft.net>2021-04-19 16:08:03 -0700
commitc1102e9d49eb36c0be18cb3e16f6e46ffb717964 (patch)
treee481fbf34deb6cf8e86159fd373bc8314e0771f4
parent7ad18ff6449cbd6beb26b53128ddf56d2685aa93 (diff)
downloadlinux-c1102e9d49eb36c0be18cb3e16f6e46ffb717964.tar.gz
linux-c1102e9d49eb36c0be18cb3e16f6e46ffb717964.tar.bz2
linux-c1102e9d49eb36c0be18cb3e16f6e46ffb717964.zip
net: fix a data race when get vlan device
We encountered a crash: in the packet receiving process, we got an illegal VLAN device address, but the VLAN device address saved in vmcore is correct. After checking the code, we found a possible data competition: CPU 0: CPU 1: (RCU read lock) (RTNL lock) vlan_do_receive() register_vlan_dev() vlan_find_dev() ->__vlan_group_get_device() ->vlan_group_prealloc_vid() In vlan_group_prealloc_vid(), We need to make sure that memset() in kzalloc() is executed before assigning value to vlan devices array: ================================= kzalloc() ->memset(object, 0, size) smp_wmb() vg->vlan_devices_arrays[pidx][vidx] = array; ================================== Because __vlan_group_get_device() function depends on this order. otherwise we may get a wrong address from the hardware cache on another cpu. So fix it by adding memory barrier instruction to ensure the order of memory operations. Signed-off-by: Di Zhu <zhudi21@huawei.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r--net/8021q/vlan.c3
-rw-r--r--net/8021q/vlan.h4
2 files changed, 7 insertions, 0 deletions
diff --git a/net/8021q/vlan.c b/net/8021q/vlan.c
index 8b644113715e..fb3d3262dc1a 100644
--- a/net/8021q/vlan.c
+++ b/net/8021q/vlan.c
@@ -71,6 +71,9 @@ static int vlan_group_prealloc_vid(struct vlan_group *vg,
if (array == NULL)
return -ENOBUFS;
+ /* paired with smp_rmb() in __vlan_group_get_device() */
+ smp_wmb();
+
vg->vlan_devices_arrays[pidx][vidx] = array;
return 0;
}
diff --git a/net/8021q/vlan.h b/net/8021q/vlan.h
index 953405362795..fa3ad3d4d58c 100644
--- a/net/8021q/vlan.h
+++ b/net/8021q/vlan.h
@@ -57,6 +57,10 @@ static inline struct net_device *__vlan_group_get_device(struct vlan_group *vg,
array = vg->vlan_devices_arrays[pidx]
[vlan_id / VLAN_GROUP_ARRAY_PART_LEN];
+
+ /* paired with smp_wmb() in vlan_group_prealloc_vid() */
+ smp_rmb();
+
return array ? array[vlan_id % VLAN_GROUP_ARRAY_PART_LEN] : NULL;
}