if_bridge: fix potential panic
ClosedPublic
Actions

Authored by kp on May 18 2023, 6:38 PM.

Details

Reviewers

zlei

Group Reviewers

network

Commits

rG9835aa0d7dea: if_bridge: fix potential panic
rGa1784b7d8c21: if_bridge: fix potential panic
rGf3546eacf0da: if_bridge: fix potential panic

Summary

When a new bridge_rtnode is added it is added with a NULL brt_dst. The
brt_dst is set after the entry is added. This means there's a small
window where another core could also attempt to add this node, leading
to the code attempting to log that the MAC addresses moved to a new
interface.
Aside from that being a spurious log entry it also panics, because
obif is NULL (and we attempt to dereference it).

Avoid this by settings brt_dst before we insert the bridge_rtnode.
Assert that obif is non-NULL, as an extra precaution.

Reported by: olivier@

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

kp created this revision.May 18 2023, 6:38 PM

Herald added subscribers: glebius, melifaro, ae, imp. · View Herald TranscriptMay 18 2023, 6:38 PM

kp requested review of this revision.May 18 2023, 6:38 PM

Harbormaster completed remote builds in B51537: Diff 122083.May 18 2023, 6:38 PM

Generally looks good to me.

sys/net/if_bridge.c
2944	I think the increasing `bif_addrcnt` should be kept after `bridge_rtnode_insert()` succeed .

This revision is now accepted and ready to land.May 19 2023, 7:23 AM

zlei added inline comments.May 19 2023, 7:42 AM

sys/net/if_bridge.c
2945	A second thought, as an alternate we can place a decreasing if `bridge_rtnode_insert()` fails. bif->bif_addrcnt--; Both should be OK, as write operations on `bif_addrcnt` is protected by `BRIDGE_RT_LOCK`. Only one read operation may have a small inconsistency window. static int bridge_ioctl_gifflags(struct bridge_softc sc, void arg) { ... req->ifbr_addrcnt = bif->bif_addrcnt; ... }