HSR node-list and node-status generic-netlink operations run under
rcu_read_lock(). They walk hsr->node_db through hsr_get_next_node() and
hsr_get_node_data(), but RTM_DELLINK teardown removes the same node table
with plain list_del() and frees each node immediately.
That lets a generic-netlink reader hold a struct hsr_node pointer across
hsr_dellink(). In a KASAN build, widening the reader window after
hsr_get_next_node() obtains the node reproduces a slab-use-after-free
when the reader copies node->macaddress_A; the freeing stack is
hsr_del_nodes() from hsr_dellink().
Use list_del_rcu() and defer the free through the existing
hsr_free_node_rcu() callback. This matches the lifetime rule used by the
HSR prune paths, which already delete nodes with list_del_rcu() and
call_rcu().
Fixes:
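The lifetime rule the message describes (plain list_del() plus immediate kfree() versus list_del_rcu() plus call_rcu()) replayed as an added userspace model; this is not kernel code and not part of the commit. RCU and the slab are simulated: a reader counter stands in for rcu_read_lock(), a pending queue drained by the last reader stands in for call_rcu(), a fixed pool with 0x6b poisoning stands in for the slab cache, and node_db is a singly linked list. Names such as hsr_del_nodes_sim and reader_sees_valid_mac are hypothetical and only mirror the names in the message.

```c
/* Added example, not kernel code: deterministic replay of the HSR node_db race. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_ALEN    6
#define POOL_SIZE   4
#define SLAB_POISON 0x6b   /* byte the slab allocator writes over freed objects */

struct hsr_node {
    struct hsr_node *next;           /* node_db modelled as a singly linked list */
    uint8_t macaddress_A[ETH_ALEN];
    bool in_use;
};

static struct hsr_node pool[POOL_SIZE];     /* stands in for the slab cache */
static struct hsr_node *node_db;            /* hsr->node_db head */
static int active_readers;                  /* readers inside rcu_read_lock() */
static struct hsr_node *pending[POOL_SIZE]; /* call_rcu() queue awaiting a grace period */
static int npending;

static void reset(void)
{
    memset(pool, 0, sizeof pool);
    node_db = NULL;
    active_readers = 0;
    npending = 0;
}

static struct hsr_node *node_alloc(const uint8_t mac[ETH_ALEN])
{
    for (int i = 0; i < POOL_SIZE; i++) {
        if (pool[i].in_use)
            continue;
        pool[i].in_use = true;
        memcpy(pool[i].macaddress_A, mac, ETH_ALEN);
        pool[i].next = node_db;             /* list_add_rcu() at the head */
        node_db = &pool[i];
        return &pool[i];
    }
    return NULL;
}

/* kfree(): object returns to the pool and its payload is poisoned. */
static void node_free_now(struct hsr_node *n)
{
    memset(n->macaddress_A, SLAB_POISON, ETH_ALEN);
    n->in_use = false;
}

static void rcu_read_lock_sim(void) { active_readers++; }

/* The last reader leaving ends the grace period, so deferred frees run now. */
static void rcu_read_unlock_sim(void)
{
    if (--active_readers > 0)
        return;
    for (int i = 0; i < npending; i++)
        node_free_now(pending[i]);
    npending = 0;
}

/* call_rcu(): free only after every reader that may hold the pointer is gone. */
static void call_rcu_sim(struct hsr_node *n)
{
    if (active_readers == 0)
        node_free_now(n);
    else
        pending[npending++] = n;
}

/* hsr_del_nodes(): unlink the whole table, then free each node on the chosen path. */
static void hsr_del_nodes_sim(bool deferred)
{
    struct hsr_node *n = node_db;
    node_db = NULL;                         /* every node is now unlinked */
    while (n) {
        struct hsr_node *next = n->next;
        if (deferred)
            call_rcu_sim(n);                /* fixed: list_del_rcu() + call_rcu() */
        else
            node_free_now(n);               /* buggy: list_del() + immediate kfree() */
        n = next;
    }
}

static int nodes_in_use(void)
{
    int c = 0;
    for (int i = 0; i < POOL_SIZE; i++)
        c += pool[i].in_use;
    return c;
}

/* Replay: a netlink reader obtains a node, RTM_DELLINK tears the table down
 * inside the reader's window, then the reader copies macaddress_A.
 * Returns true if the copy is the real address, false if it is slab poison. */
static bool reader_sees_valid_mac(bool deferred_free)
{
    static const uint8_t mac[ETH_ALEN] = {0x02, 0x11, 0x22, 0x33, 0x44, 0x55}; /* constructed */
    uint8_t out[ETH_ALEN];

    reset();
    node_alloc(mac);
    rcu_read_lock_sim();
    struct hsr_node *n = node_db;           /* hsr_get_next_node() result */
    hsr_del_nodes_sim(deferred_free);       /* hsr_dellink() lands in the widened window */
    memcpy(out, n->macaddress_A, ETH_ALEN); /* hsr_get_node_data() copy */
    rcu_read_unlock_sim();
    return memcmp(out, mac, ETH_ALEN) == 0;
}

int main(void)
{
    printf("immediate kfree:   reader sees %s\n",
           reader_sees_valid_mac(false) ? "valid MAC" : "slab poison");
    printf("deferred call_rcu: reader sees %s\n",
           reader_sees_valid_mac(true) ? "valid MAC" : "slab poison");
    return 0;
}
```

In the buggy path the reader's copy comes back as poison because the object was freed while the pointer was still live; in the fixed path the free is queued and only runs once rcu_read_unlock_sim() sees the last reader leave, so the copy is intact and the pool is still fully released afterwards. The real kernel differs in that a grace period waits for all CPUs to pass a quiescent state rather than counting readers, but the ordering guarantee the fix relies on is the same.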
Directory listing shown on the commit page:
Kconfig
Makefile
hsr_debugfs.c
hsr_device.c
hsr_device.h
hsr_forward.c
hsr_forward.h
hsr_framereg.c
hsr_framereg.h
hsr_main.c
hsr_main.h
hsr_netlink.c
hsr_netlink.h
hsr_slave.c
hsr_slave.h
prp_dup_discard_test.c