| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 21 Feb 2022 20:38:21 +0000
From: Alvin Šipraga <ALSI@...g-olufsen.dk>
To: Vladimir Oltean <olteanv@...il.com>
CC: Alvin Šipraga <alvin@...s.dk>,
Andrew Lunn <andrew@...n.ch>,
Vivien Didelot <vivien.didelot@...il.com>,
Florian Fainelli <f.fainelli@...il.com>,
"David S. Miller" <davem@...emloft.net>,
Jakub Kicinski <kuba@...nel.org>,
Vladimir Oltean <vladimir.oltean@....com>,
"netdev@...r.kernel.org" <netdev@...r.kernel.org>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH net] net: dsa: fix panic when removing unoffloaded port
from bridge
Vladimir Oltean <olteanv@...il.com> writes:
> On Mon, Feb 21, 2022 at 09:19:31PM +0100, Alvin Šipraga wrote:
>> From: Alvin Šipraga <alsi@...g-olufsen.dk>
>>
>> If a bridged port is not offloaded to the hardware - either because the
>> underlying driver does not implement the port_bridge_{join,leave} ops,
>> or because the operation failed - then its dp->bridge pointer will be
>> NULL when dsa_port_bridge_leave() is called. Avoid dereferncing NULL.
>>
>> This fixes the following splat when removing a port from a bridge:
>>
>> Unable to handle kernel access to user memory outside uaccess routines at virtual address 0000000000000000
>> Internal error: Oops: 96000004 [#1] PREEMPT_RT SMP
>> CPU: 3 PID: 1119 Comm: brctl Tainted: G O 5.17.0-rc4-rt4 #1
>> Call trace:
>> dsa_port_bridge_leave+0x8c/0x1e4
>> dsa_slave_changeupper+0x40/0x170
>> dsa_slave_netdevice_event+0x494/0x4d4
>> notifier_call_chain+0x80/0xe0
>> raw_notifier_call_chain+0x1c/0x24
>> call_netdevice_notifiers_info+0x5c/0xac
>> __netdev_upper_dev_unlink+0xa4/0x200
>> netdev_upper_dev_unlink+0x38/0x60
>> del_nbp+0x1b0/0x300
>> br_del_if+0x38/0x114
>> add_del_if+0x60/0xa0
>> br_ioctl_stub+0x128/0x2dc
>> br_ioctl_call+0x68/0xb0
>> dev_ifsioc+0x390/0x554
>> dev_ioctl+0x128/0x400
>> sock_do_ioctl+0xb4/0xf4
>> sock_ioctl+0x12c/0x4e0
>> __arm64_sys_ioctl+0xa8/0xf0
>> invoke_syscall+0x4c/0x110
>> el0_svc_common.constprop.0+0x48/0xf0
>> do_el0_svc+0x28/0x84
>> el0_svc+0x1c/0x50
>> el0t_64_sync_handler+0xa8/0xb0
>> el0t_64_sync+0x17c/0x180
>> Code: f9402f00 f0002261 f9401302 913cc021 (a9401404)
>> ---[ end trace 0000000000000000 ]---
>>
>> Fixes: d3eed0e57d5d ("net: dsa: keep the bridge_dev and bridge_num as part of the same structure")
>> Signed-off-by: Alvin Šipraga <alsi@...g-olufsen.dk>
>> ---
>
> Sorry, I thought that the caller of dsa_port_bridge_leave() would check
> this, but clearly that is not the case.
>
> I see that there's a similar NULL pointer dereference in some patches I
> sent today, so I'd better fix that too before they get accepted.
>
>> net/dsa/port.c | 9 ++++++++-
>> 1 file changed, 8 insertions(+), 1 deletion(-)
>>
>> diff --git a/net/dsa/port.c b/net/dsa/port.c
>> index eef4a98f2628..fc7a233653a0 100644
>> --- a/net/dsa/port.c
>> +++ b/net/dsa/port.c
>> @@ -395,10 +395,17 @@ void dsa_port_bridge_leave(struct dsa_port *dp, struct net_device *br)
>> .tree_index = dp->ds->dst->index,
>> .sw_index = dp->ds->index,
>> .port = dp->index,
>> - .bridge = *dp->bridge,
>> };
>> int err;
>>
>> + /* If the port could not be offloaded to begin with, then
>> + * there is nothing to do.
>> + */
>> + if (!dp->bridge)
>> + return;
>> +
>> + info.bridge = *dp->bridge,
>
> By the way, does this patch compile, with the comma and not the
> semicolon, like that?
Yikes, sorry about that. Sent a corrected v2 now.
It does actually compile though.
Kind regards,
Alvin
Powered by blists - more mailing lists