redonkable/remarkable-linux
redonkable/remarkable-linux
1
0
Fork 0
Code Releases Activity
remarkable-linux/net/mpls/internal.h
Robert Shearman 25cc8f0763 mpls: fix possible use after free of device 
The mpls device is used in an RCU read context without a lock being
held. As the memory is freed without waiting for the RCU grace period
to elapse, the freed memory could still be in use.

Address this by using kfree_rcu to free the memory for the mpls device
after the RCU grace period has elapsed.

Fixes: 03c57747a7 ("mpls: Per-device MPLS state")
Signed-off-by: Robert Shearman <rshearma@brocade.com>
Acked-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-06-07 19:37:27 -07:00

57 lines
1.4 KiB
C
Raw Blame History

#ifndef MPLS_INTERNAL_H
#define MPLS_INTERNAL_H
struct mpls_shim_hdr {
__be32 label_stack_entry;
};
struct mpls_entry_decoded {
u32 label;
u8 ttl;
u8 tc;
u8 bos;
};
struct mpls_dev {
int input_enabled;
struct ctl_table_header *sysctl;
struct rcu_head rcu;
};
struct sk_buff;
static inline struct mpls_shim_hdr *mpls_hdr(const struct sk_buff *skb)
{
return (struct mpls_shim_hdr *)skb_network_header(skb);
}
static inline struct mpls_shim_hdr mpls_entry_encode(u32 label, unsigned ttl, unsigned tc, bool bos)
{
struct mpls_shim_hdr result;
result.label_stack_entry =
cpu_to_be32((label << MPLS_LS_LABEL_SHIFT) |
(tc << MPLS_LS_TC_SHIFT) |
(bos ? (1 << MPLS_LS_S_SHIFT) : 0) |
(ttl << MPLS_LS_TTL_SHIFT));
return result;
}
static inline struct mpls_entry_decoded mpls_entry_decode(struct mpls_shim_hdr *hdr)
{
struct mpls_entry_decoded result;
unsigned entry = be32_to_cpu(hdr->label_stack_entry);
result.label = (entry & MPLS_LS_LABEL_MASK) >> MPLS_LS_LABEL_SHIFT;
result.ttl = (entry & MPLS_LS_TTL_MASK) >> MPLS_LS_TTL_SHIFT;
result.tc = (entry & MPLS_LS_TC_MASK) >> MPLS_LS_TC_SHIFT;
result.bos = (entry & MPLS_LS_S_MASK) >> MPLS_LS_S_SHIFT;
return result;
}
int nla_put_labels(struct sk_buff *skb, int attrtype, u8 labels, const u32 label[]);
int nla_get_labels(const struct nlattr *nla, u32 max_labels, u32 *labels, u32 label[]);
#endif /* MPLS_INTERNAL_H */
View git blame Copy permalink