From: Di Zhu zhudi21@huawei.com
mainline inclusion
from mainline-v5.13-rc1
commit c1102e9d49eb36c0be18cb3e16f6e46ffb717964
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I4RJ4X
CVE: NA
----------------------------
We encountered a crash: in the packet receiving process, we got an
illegal VLAN device address, but the VLAN device address saved in vmcore
is correct. After checking the code, we found a possible data
competition:

CPU 0:                              CPU 1:
    (RCU read lock)                     (RTNL lock)
    vlan_do_receive()                   register_vlan_dev()
      vlan_find_dev()
        ->__vlan_group_get_device()       ->vlan_group_prealloc_vid()

In vlan_group_prealloc_vid(), we need to make sure that memset()
in kzalloc() is executed before assigning value to vlan devices array:

=================================
kzalloc()
    ->memset(object, 0, size)

smp_wmb()

vg->vlan_devices_arrays[pidx][vidx] = array;
==================================

Because the __vlan_group_get_device() function depends on this order,
otherwise we may get a wrong address from the hardware cache on
another CPU.

So fix it by adding a memory barrier instruction to ensure the order
of memory operations.

Signed-off-by: Di Zhu zhudi21@huawei.com
Signed-off-by: David S. Miller davem@davemloft.net
Reviewed-by: wuchangye wuchangye@huawei.com
Reviewed-by: Wei Yongjun weiyongjun1@huawei.com
Signed-off-by: Zheng Zengkai zhengzengkai@huawei.com
---
 net/8021q/vlan.c | 3 +++
 net/8021q/vlan.h | 4 ++++
 2 files changed, 7 insertions(+)

diff --git a/net/8021q/vlan.c b/net/8021q/vlan.c index 64a94c9812da..19c5212a4827 100644 --- a/net/8021q/vlan.c +++ b/net/8021q/vlan.c @@ -71,6 +71,9 @@ static int vlan_group_prealloc_vid(struct vlan_group *vg, if (array == NULL) return -ENOBUFS;
+ /* paired with smp_rmb() in __vlan_group_get_device() */ + smp_wmb(); + vg->vlan_devices_arrays[pidx][vidx] = array; return 0; } diff --git a/net/8021q/vlan.h b/net/8021q/vlan.h index 953405362795..fa3ad3d4d58c 100644 --- a/net/8021q/vlan.h +++ b/net/8021q/vlan.h @@ -57,6 +57,10 @@ static inline struct net_device *__vlan_group_get_device(struct vlan_group *vg,
array = vg->vlan_devices_arrays[pidx] [vlan_id / VLAN_GROUP_ARRAY_PART_LEN]; + + /* paired with smp_wmb() in vlan_group_prealloc_vid() */ + smp_rmb(); + return array ? array[vlan_id % VLAN_GROUP_ARRAY_PART_LEN] : NULL; }
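
Review bot: In the net/8021q/vlan.c hunk, the publication of the array pointer is still a plain assignment after the smp_wmb(), so the barrier and the store it protects are two separate statements that a later edit could pull apart. Consider folding them into a single smp_store_release() on vg->vlan_devices_arrays[pidx][vidx], which keeps the ordering attached to the store itself. The new comment names the pairing but not what is being ordered; it would help to say that the zeroing done by kzalloc() must be visible before the pointer is, since that is the invariant the commit message describes.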
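
Review bot: In the net/8021q/vlan.h hunk, the load of vg->vlan_devices_arrays[pidx][...] into array remains a plain read ahead of the smp_rmb(), so nothing marks it as a racy access against the writer in vlan_group_prealloc_vid(). Since the following read of array[vlan_id % VLAN_GROUP_ARRAY_PART_LEN] is address-dependent on that pointer, a READ_ONCE() on the pointer load (or smp_load_acquire() if the explicit pairing is preferred) would express the same ordering on the load itself and would avoid an unconditional smp_rmb() on the receive path, including the case where array is NULL. If the standalone barrier stays, the comment should state which two reads it orders.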