Commit 90b02077 authored Jul 23, 2024 by Nikolay Aleksandrov Committed by Yuan Can Jul 23, 2024

net: bridge: mst: fix suspicious rcu usage in br_mst_set_state

mainline inclusion
from mainline-v6.10-rc4
commit 546ceb1dfdac866648ec959cbc71d9525bd73462
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IA6S78
CVE: CVE-2024-36979

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=546ceb1dfdac866648ec959cbc71d9525bd73462



--------------------------------

I converted br_mst_set_state to RCU to avoid a vlan use-after-free
but forgot to change the vlan group dereference helper. Switch to vlan
group RCU deref helper to fix the suspicious rcu usage warning.

Fixes: 3a7c1661ae13 ("net: bridge: mst: fix vlan use-after-free")
Reported-by:  <syzbot+9bbe2de1bc9d470eb5fe@syzkaller.appspotmail.com>
Closes: https://syzkaller.appspot.com/bug?extid=9bbe2de1bc9d470eb5fe


Signed-off-by: Nikolay Aleksandrov <razor@blackwall.org>
Link: https://lore.kernel.org/r/20240609103654.914987-3-razor@blackwall.org


Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Yuan Can <yuancan@huawei.com>

parent ef2a0197

net/bridge/br_mst.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -103,7 +103,7 @@ int br_mst_set_state(struct net_bridge_port *p, u16 msti, u8 state,
		int err = 0;

		rcu_read_lock();
		vg = nbp_vlan_group(p);
		vg = nbp_vlan_group_rcu(p);
		if (!vg)
		goto out;