From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Nikolay Aleksandrov , Martin Weinelt , "David S. Miller" Subject: [PATCH 5.1 29/62] net: bridge: mcast: fix stale ipv6 hdr pointer when handling v6 query Date: Fri, 26 Jul 2019 17:24:41 +0200 Message-Id: <20190726152304.774946256@linuxfoundation.org> X-Mailer: git-send-email 2.22.0 In-Reply-To: <20190726152301.720139286@linuxfoundation.org> References: <20190726152301.720139286@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Nikolay Aleksandrov [ Upstream commit 3b26a5d03d35d8f732d75951218983c0f7f68dff ] We get a pointer to the ipv6 hdr in br_ip6_multicast_query but we may call pskb_may_pull afterwards and end up using a stale pointer. So use the header directly, it's just 1 place where it's needed. Fixes: 08b202b67264 ("bridge br_multicast: IPv6 MLD support.") Signed-off-by: Nikolay Aleksandrov Tested-by: Martin Weinelt Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman --- net/bridge/br_multicast.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) --- a/net/bridge/br_multicast.c +++ b/net/bridge/br_multicast.c @@ -1302,7 +1302,6 @@ static int br_ip6_multicast_query(struct u16 vid) { unsigned int transport_len = ipv6_transport_len(skb); - const struct ipv6hdr *ip6h = ipv6_hdr(skb); struct mld_msg *mld; struct net_bridge_mdb_entry *mp; struct mld2_query *mld2q; @@ -1346,7 +1345,7 @@ static int br_ip6_multicast_query(struct if (is_general_query) { saddr.proto = htons(ETH_P_IPV6); - saddr.u.ip6 = ip6h->saddr; + saddr.u.ip6 = ipv6_hdr(skb)->saddr; br_multicast_query_received(br, port, &br->ip6_other_query, &saddr, max_delay);
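Review bot: In the first hunk (@@ -1302), only the cached ip6h is dropped, while the mld and mld2q pointer declarations stay, and the visible lines do not show where they are assigned relative to the pskb_may_pull() call the commit message mentions. They point into the same skb data, so it is worth confirming that each is derived only after the last pull, and saying so in the commit message so the "just 1 place" claim can be checked without reading the whole function.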
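Review bot: In the second hunk (@@ -1346), the new assignment saddr.u.ip6 = ipv6_hdr(skb)->saddr; carries no comment explaining why the header is re-read at the point of use, so a later cleanup could reintroduce a local ipv6hdr pointer at the top of the function and bring back the stale-pointer bug. A one-line comment above the assignment, noting that pskb_may_pull() may have been called earlier and that header pointers must not be held across it, would document the constraint where it matters.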