Page MenuHomeFreeBSD

if_bridge: fix potential panic
ClosedPublic

Authored by kp on May 18 2023, 6:38 PM.
Tags
None
Referenced Files
Unknown Object (File)
Sun, Jan 19, 6:07 PM
Unknown Object (File)
Sat, Jan 11, 2:54 AM
Unknown Object (File)
Mon, Dec 30, 12:17 PM
Unknown Object (File)
Nov 28 2024, 5:30 PM
Unknown Object (File)
Nov 18 2024, 3:39 AM
Unknown Object (File)
Nov 6 2024, 4:21 PM
Unknown Object (File)
Nov 6 2024, 2:28 PM
Unknown Object (File)
Oct 21 2024, 10:11 AM

Details

Summary

When a new bridge_rtnode is added it is added with a NULL brt_dst. The
brt_dst is set after the entry is added. This means there's a small
window where another core could also attempt to add this node, leading
to the code attempting to log that the MAC addresses moved to a new
interface.
Aside from that being a spurious log entry it also panics, because
obif is NULL (and we attempt to dereference it).

Avoid this by settings brt_dst before we insert the bridge_rtnode.
Assert that obif is non-NULL, as an extra precaution.

Reported by: olivier@

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Skipped
Unit
Tests Skipped
Build Status
Buildable 51537
Build 48428: arc lint + arc unit

Event Timeline

kp requested review of this revision.May 18 2023, 6:38 PM

Generally looks good to me.

sys/net/if_bridge.c
2944

I think the increasing bif_addrcnt should be kept after bridge_rtnode_insert() succeed .

This revision is now accepted and ready to land.May 19 2023, 7:23 AM
sys/net/if_bridge.c
2946

A second thought, as an alternate we can place a decreasing if bridge_rtnode_insert() fails.

bif->bif_addrcnt--;

Both should be OK, as write operations on bif_addrcnt is protected by BRIDGE_RT_LOCK. Only one read operation may have a small inconsistency window.

static int
bridge_ioctl_gifflags(struct bridge_softc *sc, void *arg)
{
...
    req->ifbr_addrcnt = bif->bif_addrcnt;
...
}
sys/net/if_bridge.c
2944

That is a very good point. I think I like having the increment after the insert more than reducing it again, so I'll do that.

This revision was automatically updated to reflect the committed changes.