lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <87ilt8hs5e.fsf@bang-olufsen.dk>
Date:   Mon, 21 Feb 2022 20:38:21 +0000
From:   Alvin Šipraga <ALSI@...g-olufsen.dk>
To:     Vladimir Oltean <olteanv@...il.com>
CC:     Alvin Šipraga <alvin@...s.dk>,
        Andrew Lunn <andrew@...n.ch>,
        Vivien Didelot <vivien.didelot@...il.com>,
        Florian Fainelli <f.fainelli@...il.com>,
        "David S. Miller" <davem@...emloft.net>,
        Jakub Kicinski <kuba@...nel.org>,
        Vladimir Oltean <vladimir.oltean@....com>,
        "netdev@...r.kernel.org" <netdev@...r.kernel.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH net] net: dsa: fix panic when removing unoffloaded port
 from bridge

Vladimir Oltean <olteanv@...il.com> writes:

> On Mon, Feb 21, 2022 at 09:19:31PM +0100, Alvin Šipraga wrote:
>> From: Alvin Šipraga <alsi@...g-olufsen.dk>
>> 
>> If a bridged port is not offloaded to the hardware - either because the
>> underlying driver does not implement the port_bridge_{join,leave} ops,
>> or because the operation failed - then its dp->bridge pointer will be
>> NULL when dsa_port_bridge_leave() is called. Avoid dereferncing NULL.
>> 
>> This fixes the following splat when removing a port from a bridge:
>> 
>>  Unable to handle kernel access to user memory outside uaccess routines at virtual address 0000000000000000
>>  Internal error: Oops: 96000004 [#1] PREEMPT_RT SMP
>>  CPU: 3 PID: 1119 Comm: brctl Tainted: G           O      5.17.0-rc4-rt4 #1
>>  Call trace:
>>   dsa_port_bridge_leave+0x8c/0x1e4
>>   dsa_slave_changeupper+0x40/0x170
>>   dsa_slave_netdevice_event+0x494/0x4d4
>>   notifier_call_chain+0x80/0xe0
>>   raw_notifier_call_chain+0x1c/0x24
>>   call_netdevice_notifiers_info+0x5c/0xac
>>   __netdev_upper_dev_unlink+0xa4/0x200
>>   netdev_upper_dev_unlink+0x38/0x60
>>   del_nbp+0x1b0/0x300
>>   br_del_if+0x38/0x114
>>   add_del_if+0x60/0xa0
>>   br_ioctl_stub+0x128/0x2dc
>>   br_ioctl_call+0x68/0xb0
>>   dev_ifsioc+0x390/0x554
>>   dev_ioctl+0x128/0x400
>>   sock_do_ioctl+0xb4/0xf4
>>   sock_ioctl+0x12c/0x4e0
>>   __arm64_sys_ioctl+0xa8/0xf0
>>   invoke_syscall+0x4c/0x110
>>   el0_svc_common.constprop.0+0x48/0xf0
>>   do_el0_svc+0x28/0x84
>>   el0_svc+0x1c/0x50
>>   el0t_64_sync_handler+0xa8/0xb0
>>   el0t_64_sync+0x17c/0x180
>>  Code: f9402f00 f0002261 f9401302 913cc021 (a9401404)
>>  ---[ end trace 0000000000000000 ]---
>> 
>> Fixes: d3eed0e57d5d ("net: dsa: keep the bridge_dev and bridge_num as part of the same structure")
>> Signed-off-by: Alvin Šipraga <alsi@...g-olufsen.dk>
>> ---
>
> Sorry, I thought that the caller of dsa_port_bridge_leave() would check
> this, but clearly that is not the case.
>
> I see that there's a similar NULL pointer dereference in some patches I
> sent today, so I'd better fix that too before they get accepted.
>
>>  net/dsa/port.c | 9 ++++++++-
>>  1 file changed, 8 insertions(+), 1 deletion(-)
>> 
>> diff --git a/net/dsa/port.c b/net/dsa/port.c
>> index eef4a98f2628..fc7a233653a0 100644
>> --- a/net/dsa/port.c
>> +++ b/net/dsa/port.c
>> @@ -395,10 +395,17 @@ void dsa_port_bridge_leave(struct dsa_port *dp, struct net_device *br)
>>  		.tree_index = dp->ds->dst->index,
>>  		.sw_index = dp->ds->index,
>>  		.port = dp->index,
>> -		.bridge = *dp->bridge,
>>  	};
>>  	int err;
>>  
>> +	/* If the port could not be offloaded to begin with, then
>> +	 * there is nothing to do.
>> +	 */
>> +	if (!dp->bridge)
>> +		return;
>> +
>> +	info.bridge = *dp->bridge,
>
> By the way, does this patch compile, with the comma and not the
> semicolon, like that?

Yikes, sorry about that. Sent a corrected v2 now.

It does actually compile though.

Kind regards,
Alvin

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ