• Nikolay Aleksandrov's avatar
    bridge: fix br_stp_set_bridge_priority race conditions · 9beee8b1
    Nikolay Aleksandrov authored
    commit 2dab80a8 upstream.
    
    After the ->set() spinlocks were removed br_stp_set_bridge_priority
    was left running without any protection when used via sysfs. It can
    race with port add/del and could result in use-after-free cases and
    corrupted lists. Tested by running port add/del in a loop with stp
    enabled while setting priority in a loop, crashes are easily
    reproducible.
    The spinlocks around sysfs ->set() were removed in commit:
    14f98f25 ("bridge: range check STP parameters")
    There's also a race condition in the netlink priority support that is
    fixed by this change, but it was introduced recently and the fixes tag
    covers it, just in case it's needed the commit is:
    af615762 ("bridge: add ageing_time, stp_state, priority over netlink")
    Signed-off-by: default avatarNikolay Aleksandrov <razor@blackwall.org>
    Fixes: 14f98f25 ("bridge: range check STP parameters")
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    Signed-off-by: default avatarZefan Li <lizefan@huawei.com>
    9beee8b1
br_ioctl.c 8.6 KB