lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20220221202637.he5hm6fbqhuayisv@skbuf>
Date:   Mon, 21 Feb 2022 22:26:37 +0200
From:   Vladimir Oltean <olteanv@...il.com>
To:     Alvin Šipraga <alvin@...s.dk>
Cc:     Andrew Lunn <andrew@...n.ch>,
        Vivien Didelot <vivien.didelot@...il.com>,
        Florian Fainelli <f.fainelli@...il.com>,
        "David S. Miller" <davem@...emloft.net>,
        Jakub Kicinski <kuba@...nel.org>,
        Alvin Šipraga <alsi@...g-olufsen.dk>,
        Vladimir Oltean <vladimir.oltean@....com>,
        netdev@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH net] net: dsa: fix panic when removing unoffloaded port
 from bridge

On Mon, Feb 21, 2022 at 09:19:31PM +0100, Alvin Šipraga wrote:
> From: Alvin Šipraga <alsi@...g-olufsen.dk>
> 
> If a bridged port is not offloaded to the hardware - either because the
> underlying driver does not implement the port_bridge_{join,leave} ops,
> or because the operation failed - then its dp->bridge pointer will be
> NULL when dsa_port_bridge_leave() is called. Avoid dereferncing NULL.
> 
> This fixes the following splat when removing a port from a bridge:
> 
>  Unable to handle kernel access to user memory outside uaccess routines at virtual address 0000000000000000
>  Internal error: Oops: 96000004 [#1] PREEMPT_RT SMP
>  CPU: 3 PID: 1119 Comm: brctl Tainted: G           O      5.17.0-rc4-rt4 #1
>  Call trace:
>   dsa_port_bridge_leave+0x8c/0x1e4
>   dsa_slave_changeupper+0x40/0x170
>   dsa_slave_netdevice_event+0x494/0x4d4
>   notifier_call_chain+0x80/0xe0
>   raw_notifier_call_chain+0x1c/0x24
>   call_netdevice_notifiers_info+0x5c/0xac
>   __netdev_upper_dev_unlink+0xa4/0x200
>   netdev_upper_dev_unlink+0x38/0x60
>   del_nbp+0x1b0/0x300
>   br_del_if+0x38/0x114
>   add_del_if+0x60/0xa0
>   br_ioctl_stub+0x128/0x2dc
>   br_ioctl_call+0x68/0xb0
>   dev_ifsioc+0x390/0x554
>   dev_ioctl+0x128/0x400
>   sock_do_ioctl+0xb4/0xf4
>   sock_ioctl+0x12c/0x4e0
>   __arm64_sys_ioctl+0xa8/0xf0
>   invoke_syscall+0x4c/0x110
>   el0_svc_common.constprop.0+0x48/0xf0
>   do_el0_svc+0x28/0x84
>   el0_svc+0x1c/0x50
>   el0t_64_sync_handler+0xa8/0xb0
>   el0t_64_sync+0x17c/0x180
>  Code: f9402f00 f0002261 f9401302 913cc021 (a9401404)
>  ---[ end trace 0000000000000000 ]---
> 
> Fixes: d3eed0e57d5d ("net: dsa: keep the bridge_dev and bridge_num as part of the same structure")
> Signed-off-by: Alvin Šipraga <alsi@...g-olufsen.dk>
> ---

Sorry, I thought that the caller of dsa_port_bridge_leave() would check
this, but clearly that is not the case.

I see that there's a similar NULL pointer dereference in some patches I
sent today, so I'd better fix that too before they get accepted.

>  net/dsa/port.c | 9 ++++++++-
>  1 file changed, 8 insertions(+), 1 deletion(-)
> 
> diff --git a/net/dsa/port.c b/net/dsa/port.c
> index eef4a98f2628..fc7a233653a0 100644
> --- a/net/dsa/port.c
> +++ b/net/dsa/port.c
> @@ -395,10 +395,17 @@ void dsa_port_bridge_leave(struct dsa_port *dp, struct net_device *br)
>  		.tree_index = dp->ds->dst->index,
>  		.sw_index = dp->ds->index,
>  		.port = dp->index,
> -		.bridge = *dp->bridge,
>  	};
>  	int err;
>  
> +	/* If the port could not be offloaded to begin with, then
> +	 * there is nothing to do.
> +	 */
> +	if (!dp->bridge)
> +		return;
> +
> +	info.bridge = *dp->bridge,

By the way, does this patch compile, with the comma and not the
semicolon, like that?

> +
>  	/* Here the port is already unbridged. Reflect the current configuration
>  	 * so that drivers can program their chips accordingly.
>  	 */
> -- 
> 2.35.1
> 

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ