lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20211117171054.cupmcwwi2ruxjxuh@skbuf>
Date:   Wed, 17 Nov 2021 17:10:55 +0000
From:   Vladimir Oltean <vladimir.oltean@....com>
To:     Volodymyr Mytnyk <volodymyr.mytnyk@...ision.eu>
CC:     "netdev@...r.kernel.org" <netdev@...r.kernel.org>,
        "mickeyr@...vell.com" <mickeyr@...vell.com>,
        "serhiy.pshyk@...ision.eu" <serhiy.pshyk@...ision.eu>,
        "taras.chornyi@...ision.eu" <taras.chornyi@...ision.eu>,
        Volodymyr Mytnyk <vmytnyk@...vell.com>,
        Taras Chornyi <tchornyi@...vell.com>,
        "David S. Miller" <davem@...emloft.net>,
        Jakub Kicinski <kuba@...nel.org>,
        Ioana Ciornei <ioana.ciornei@....com>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH net] net: marvell: prestera: fix brige port operation

On Wed, Nov 17, 2021 at 11:43:51AM +0200, Volodymyr Mytnyk wrote:
> From: Volodymyr Mytnyk <vmytnyk@...vell.com>
> 
> - handle SWITCHDEV_BRPORT_[UN]OFFLOADED events for
>   switchdev_bridge_port_offload to avoid fail return.
> - fix error path handling in prestera_bridge_port_join to
>   fix double free issue (see below).
> 
> Trace:
>   Internal error: Oops: 96000044 [#1] SMP
>   Modules linked in: prestera_pci prestera uio_pdrv_genirq
>   CPU: 1 PID: 881 Comm: ip Not tainted 5.15.0 #1
>   pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
>   pc : prestera_bridge_destroy+0x2c/0xb0 [prestera]
>   lr : prestera_bridge_port_join+0x2cc/0x350 [prestera]
>   sp : ffff800011a1b0f0
>   ...
>   x2 : ffff000109ca6c80 x1 : dead000000000100 x0 : dead000000000122
>    Call trace:
>   prestera_bridge_destroy+0x2c/0xb0 [prestera]
>   prestera_bridge_port_join+0x2cc/0x350 [prestera]
>   prestera_netdev_port_event.constprop.0+0x3c4/0x450 [prestera]
>   prestera_netdev_event_handler+0xf4/0x110 [prestera]
>   raw_notifier_call_chain+0x54/0x80
>   call_netdevice_notifiers_info+0x54/0xa0
>   __netdev_upper_dev_link+0x19c/0x380
> 
> Fixes: 2f5dc00f7a3e ("net: bridge: switchdev: let drivers inform which bridge ports are offloaded")
> Signed-off-by: Volodymyr Mytnyk <vmytnyk@...vell.com>
> ---
>  drivers/net/ethernet/marvell/prestera/prestera_switchdev.c | 9 +++++----
>  1 file changed, 5 insertions(+), 4 deletions(-)
> 
> diff --git a/drivers/net/ethernet/marvell/prestera/prestera_switchdev.c b/drivers/net/ethernet/marvell/prestera/prestera_switchdev.c
> index 3ce6ccd0f539..f1bc6699ec8b 100644
> --- a/drivers/net/ethernet/marvell/prestera/prestera_switchdev.c
> +++ b/drivers/net/ethernet/marvell/prestera/prestera_switchdev.c
> @@ -497,8 +497,8 @@ int prestera_bridge_port_join(struct net_device *br_dev,
>  
>  	br_port = prestera_bridge_port_add(bridge, port->dev);
>  	if (IS_ERR(br_port)) {
> -		err = PTR_ERR(br_port);
> -		goto err_brport_create;
> +		prestera_bridge_put(bridge);
> +		return PTR_ERR(br_port);
>  	}

Here is how the function looked _before_ my patch:

int prestera_bridge_port_join(struct net_device *br_dev,
			      struct prestera_port *port)
{
	struct prestera_switchdev *swdev = port->sw->swdev;
	struct prestera_bridge_port *br_port;
	struct prestera_bridge *bridge;
	int err;

	bridge = prestera_bridge_by_dev(swdev, br_dev);
	if (!bridge) {
		bridge = prestera_bridge_create(swdev, br_dev);
		if (IS_ERR(bridge))
			return PTR_ERR(bridge);
	}

	br_port = prestera_bridge_port_add(bridge, port->dev);
	if (IS_ERR(br_port)) {
		err = PTR_ERR(br_port);
		goto err_brport_create;
	}

	if (bridge->vlan_enabled)
		return 0;

	err = prestera_bridge_1d_port_join(br_port);
	if (err)
		goto err_port_join;

	return 0;

err_port_join:
	prestera_bridge_port_put(br_port);
err_brport_create:
	prestera_bridge_put(bridge);
	return err;
}

The double free is due to the fact that prestera_bridge_port_put() calls
prestera_bridge_put() by itself too.

But the code was already buggy, for example the error path of
prestera_bridge_1d_port_join() would trigger this double free as well.
The change itself is ok (but is very poorly explained), if
prestera_bridge_port_add() fails, you want to undo just
prestera_bridge_create(), otherwise, prestera_bridge_port_put() will
undo both prestera_bridge_port_add() and prestera_bridge_create().

So the honest Fixes: tag should be:

Fixes: e1189d9a5fbe ("net: marvell: prestera: Add Switchdev driver implementation")

because you want this change to be backported even to stable kernels
where commit 2f5dc00f7a3e ("net: bridge: switchdev: let drivers inform
which bridge ports are offloaded") is not present.

>  
>  	err = switchdev_bridge_port_offload(br_port->dev, port->dev, NULL,
> @@ -519,8 +519,6 @@ int prestera_bridge_port_join(struct net_device *br_dev,
>  	switchdev_bridge_port_unoffload(br_port->dev, NULL, NULL, NULL);
>  err_switchdev_offload:
>  	prestera_bridge_port_put(br_port);
> -err_brport_create:
> -	prestera_bridge_put(bridge);
>  	return err;
>  }
>  
> @@ -1123,6 +1121,9 @@ static int prestera_switchdev_blk_event(struct notifier_block *unused,
>  						     prestera_netdev_check,
>  						     prestera_port_obj_attr_set);
>  		break;
> +	case SWITCHDEV_BRPORT_OFFLOADED:
> +	case SWITCHDEV_BRPORT_UNOFFLOADED:
> +		return NOTIFY_DONE;
>  	default:
>  		err = -EOPNOTSUPP;

May I suggest that the root cause of the problem is that you're
returning -EOPNOTSUPP here? The switchdev events may just as well not be
destined for your prestera switch. You should return NOTIFY_DONE ("don't
care") for event types you don't know how to handle.

And technically, this part of the patch should have:
Fixes: 957e2235e526 ("net: make switchdev_bridge_port_{,unoffload} loosely coupled with the bridge")

>  	}
> -- 
> 2.7.4
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ