Patch "net: openvswitch: Fix Use-After-Free in ovs_ct_exit" has been added to the 5.15-stable tree

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



This is a note to let you know that I've just added the patch titled

    net: openvswitch: Fix Use-After-Free in ovs_ct_exit

to the 5.15-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     net-openvswitch-fix-use-after-free-in-ovs_ct_exit.patch
and it can be found in the queue-5.15 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 22e785ec2459c44f26bab754cfef7c1cbb25761d
Author: Hyunwoo Kim <v4bel@xxxxxxxxx>
Date:   Mon Apr 22 05:37:17 2024 -0400

    net: openvswitch: Fix Use-After-Free in ovs_ct_exit
    
    [ Upstream commit 5ea7b72d4fac2fdbc0425cd8f2ea33abe95235b2 ]
    
    Since kfree_rcu, which is called in the hlist_for_each_entry_rcu traversal
    of ovs_ct_limit_exit, is not part of the RCU read critical section, it
    is possible that the RCU grace period will pass during the traversal and
    the key will be free.
    
    To prevent this, it should be changed to hlist_for_each_entry_safe.
    
    Fixes: 11efd5cb04a1 ("openvswitch: Support conntrack zone limit")
    Signed-off-by: Hyunwoo Kim <v4bel@xxxxxxxxx>
    Reviewed-by: Eric Dumazet <edumazet@xxxxxxxxxx>
    Reviewed-by: Aaron Conole <aconole@xxxxxxxxxx>
    Link: https://lore.kernel.org/r/ZiYvzQN/Ry5oeFQW@v4bel-B760M-AORUS-ELITE-AX
    Signed-off-by: Jakub Kicinski <kuba@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/net/openvswitch/conntrack.c b/net/openvswitch/conntrack.c
index 60dd6f32d520e..85a338b681780 100644
--- a/net/openvswitch/conntrack.c
+++ b/net/openvswitch/conntrack.c
@@ -1913,9 +1913,9 @@ static void ovs_ct_limit_exit(struct net *net, struct ovs_net *ovs_net)
 	for (i = 0; i < CT_LIMIT_HASH_BUCKETS; ++i) {
 		struct hlist_head *head = &info->limits[i];
 		struct ovs_ct_limit *ct_limit;
+		struct hlist_node *next;
 
-		hlist_for_each_entry_rcu(ct_limit, head, hlist_node,
-					 lockdep_ovsl_is_held())
+		hlist_for_each_entry_safe(ct_limit, next, head, hlist_node)
 			kfree_rcu(ct_limit, rcu);
 	}
 	kfree(info->limits);




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux