| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 21 Feb 2022 22:26:37 +0200
From: Vladimir Oltean <olteanv@...il.com>
To: Alvin Šipraga <alvin@...s.dk>
Cc: Andrew Lunn <andrew@...n.ch>,
Vivien Didelot <vivien.didelot@...il.com>,
Florian Fainelli <f.fainelli@...il.com>,
"David S. Miller" <davem@...emloft.net>,
Jakub Kicinski <kuba@...nel.org>,
Alvin Šipraga <alsi@...g-olufsen.dk>,
Vladimir Oltean <vladimir.oltean@....com>,
netdev@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH net] net: dsa: fix panic when removing unoffloaded port
from bridge
On Mon, Feb 21, 2022 at 09:19:31PM +0100, Alvin Šipraga wrote:
> From: Alvin Šipraga <alsi@...g-olufsen.dk>
>
> If a bridged port is not offloaded to the hardware - either because the
> underlying driver does not implement the port_bridge_{join,leave} ops,
> or because the operation failed - then its dp->bridge pointer will be
> NULL when dsa_port_bridge_leave() is called. Avoid dereferncing NULL.
>
> This fixes the following splat when removing a port from a bridge:
>
> Unable to handle kernel access to user memory outside uaccess routines at virtual address 0000000000000000
> Internal error: Oops: 96000004 [#1] PREEMPT_RT SMP
> CPU: 3 PID: 1119 Comm: brctl Tainted: G O 5.17.0-rc4-rt4 #1
> Call trace:
> dsa_port_bridge_leave+0x8c/0x1e4
> dsa_slave_changeupper+0x40/0x170
> dsa_slave_netdevice_event+0x494/0x4d4
> notifier_call_chain+0x80/0xe0
> raw_notifier_call_chain+0x1c/0x24
> call_netdevice_notifiers_info+0x5c/0xac
> __netdev_upper_dev_unlink+0xa4/0x200
> netdev_upper_dev_unlink+0x38/0x60
> del_nbp+0x1b0/0x300
> br_del_if+0x38/0x114
> add_del_if+0x60/0xa0
> br_ioctl_stub+0x128/0x2dc
> br_ioctl_call+0x68/0xb0
> dev_ifsioc+0x390/0x554
> dev_ioctl+0x128/0x400
> sock_do_ioctl+0xb4/0xf4
> sock_ioctl+0x12c/0x4e0
> __arm64_sys_ioctl+0xa8/0xf0
> invoke_syscall+0x4c/0x110
> el0_svc_common.constprop.0+0x48/0xf0
> do_el0_svc+0x28/0x84
> el0_svc+0x1c/0x50
> el0t_64_sync_handler+0xa8/0xb0
> el0t_64_sync+0x17c/0x180
> Code: f9402f00 f0002261 f9401302 913cc021 (a9401404)
> ---[ end trace 0000000000000000 ]---
>
> Fixes: d3eed0e57d5d ("net: dsa: keep the bridge_dev and bridge_num as part of the same structure")
> Signed-off-by: Alvin Šipraga <alsi@...g-olufsen.dk>
> ---
Sorry, I thought that the caller of dsa_port_bridge_leave() would check
this, but clearly that is not the case.
I see that there's a similar NULL pointer dereference in some patches I
sent today, so I'd better fix that too before they get accepted.
> net/dsa/port.c | 9 ++++++++-
> 1 file changed, 8 insertions(+), 1 deletion(-)
>
> diff --git a/net/dsa/port.c b/net/dsa/port.c
> index eef4a98f2628..fc7a233653a0 100644
> --- a/net/dsa/port.c
> +++ b/net/dsa/port.c
> @@ -395,10 +395,17 @@ void dsa_port_bridge_leave(struct dsa_port *dp, struct net_device *br)
> .tree_index = dp->ds->dst->index,
> .sw_index = dp->ds->index,
> .port = dp->index,
> - .bridge = *dp->bridge,
> };
> int err;
>
> + /* If the port could not be offloaded to begin with, then
> + * there is nothing to do.
> + */
> + if (!dp->bridge)
> + return;
> +
> + info.bridge = *dp->bridge,
By the way, does this patch compile, with the comma and not the
semicolon, like that?
> +
> /* Here the port is already unbridged. Reflect the current configuration
> * so that drivers can program their chips accordingly.
> */
> --
> 2.35.1
>
Powered by blists - more mailing lists