From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Nikolay Aleksandrov , Martin Weinelt , "David S. Miller" Subject: [PATCH 4.4 098/158] net: bridge: mcast: fix stale ipv6 hdr pointer when handling v6 query Date: Fri, 2 Aug 2019 11:28:39 +0200 Message-Id: <20190802092224.392849397@linuxfoundation.org> X-Mailer: git-send-email 2.22.0 In-Reply-To: <20190802092203.671944552@linuxfoundation.org> References: <20190802092203.671944552@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Nikolay Aleksandrov [ Upstream commit 3b26a5d03d35d8f732d75951218983c0f7f68dff ] We get a pointer to the ipv6 hdr in br_ip6_multicast_query but we may call pskb_may_pull afterwards and end up using a stale pointer. So use the header directly, it's just 1 place where it's needed. Fixes: 08b202b67264 ("bridge br_multicast: IPv6 MLD support.") Signed-off-by: Nikolay Aleksandrov Tested-by: Martin Weinelt Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman --- net/bridge/br_multicast.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) --- a/net/bridge/br_multicast.c +++ b/net/bridge/br_multicast.c @@ -1353,7 +1353,6 @@ static int br_ip6_multicast_query(struct struct sk_buff *skb, u16 vid) { - const struct ipv6hdr *ip6h = ipv6_hdr(skb); struct mld_msg *mld; struct net_bridge_mdb_entry *mp; struct mld2_query *mld2q; @@ -1397,7 +1396,7 @@ static int br_ip6_multicast_query(struct if (is_general_query) { saddr.proto = htons(ETH_P_IPV6); - saddr.u.ip6 = ip6h->saddr; + saddr.u.ip6 = ipv6_hdr(skb)->saddr; br_multicast_query_received(br, port, &br->ip6_other_query, &saddr, max_delay);
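Review bot: in the first hunk (the declarations at the top of br_ip6_multicast_query), dropping the cached ip6h removes one pointer taken before the pskb_may_pull calls, but the mld and mld2q pointer locals stay. They are declared without initializers here, so please confirm that each is assigned only after the last pskb_may_pull in the function and is not used across a later one; otherwise they would have the same stale-pointer problem the commit message describes.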
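Review bot: in the second hunk, the new assignment `saddr.u.ip6 = ipv6_hdr(skb)->saddr;` has no comment saying why the header is looked up at the point of use. Without one, a later cleanup could reintroduce a local cached above the pskb_may_pull calls and bring the bug back. Suggest a one-line comment above the assignment noting that pskb_may_pull may have been called since function entry, so the result of ipv6_hdr(skb) must not be cached across it.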