lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <202409110000.E9IVjdB7-lkp@intel.com>
Date: Wed, 11 Sep 2024 00:42:48 +0800
From: kernel test robot <lkp@...el.com>
To: Jeongjun Park <aha310510@...il.com>, davem@...emloft.net,
	dsahern@...nel.org
Cc: llvm@...ts.linux.dev, oe-kbuild-all@...ts.linux.dev,
	edumazet@...gle.com, kuba@...nel.org, pabeni@...hat.com,
	kafai@...com, weiwan@...gle.com, netdev@...r.kernel.org,
	linux-kernel@...r.kernel.org, Jeongjun Park <aha310510@...il.com>
Subject: Re: [PATCH net] net: prevent NULL pointer dereference in
 rt_fibinfo_free() and rt_fibinfo_free_cpus()

Hi Jeongjun,

kernel test robot noticed the following build warnings:

[auto build test WARNING on net/main]

url:    https://github.com/intel-lab-lkp/linux/commits/Jeongjun-Park/net-prevent-NULL-pointer-dereference-in-rt_fibinfo_free-and-rt_fibinfo_free_cpus/20240910-025008
base:   net/main
patch link:    https://lore.kernel.org/r/20240909184827.123071-1-aha310510%40gmail.com
patch subject: [PATCH net] net: prevent NULL pointer dereference in rt_fibinfo_free() and rt_fibinfo_free_cpus()
config: arm-randconfig-001-20240910 (https://download.01.org/0day-ci/archive/20240911/202409110000.E9IVjdB7-lkp@intel.com/config)
compiler: clang version 20.0.0git (https://github.com/llvm/llvm-project 05f5a91d00b02f4369f46d076411c700755ae041)
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20240911/202409110000.E9IVjdB7-lkp@intel.com/reproduce)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@...el.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202409110000.E9IVjdB7-lkp@intel.com/

All warnings (new ones prefixed by >>):

   In file included from net/ipv4/fib_semantics.c:17:
   In file included from include/linux/mm.h:2232:
   include/linux/vmstat.h:517:36: warning: arithmetic between different enumeration types ('enum node_stat_item' and 'enum lru_list') [-Wenum-enum-conversion]
     517 |         return node_stat_name(NR_LRU_BASE + lru) + 3; // skip "nr_"
         |                               ~~~~~~~~~~~ ^ ~~~
>> net/ipv4/fib_semantics.c:156:12: warning: address of 'rt->dst' will always evaluate to 'true' [-Wpointer-bool-conversion]
     156 |         if (!&rt->dst)
         |             ~ ~~~~^~~
   net/ipv4/fib_semantics.c:209:13: warning: address of 'rt->dst' will always evaluate to 'true' [-Wpointer-bool-conversion]
     209 |                 if (!&rt->dst)
         |                     ~ ~~~~^~~
   3 warnings generated.


vim +156 net/ipv4/fib_semantics.c

  > 17	#include <linux/mm.h>
    18	#include <linux/string.h>
    19	#include <linux/socket.h>
    20	#include <linux/sockios.h>
    21	#include <linux/errno.h>
    22	#include <linux/in.h>
    23	#include <linux/inet.h>
    24	#include <linux/inetdevice.h>
    25	#include <linux/netdevice.h>
    26	#include <linux/if_arp.h>
    27	#include <linux/proc_fs.h>
    28	#include <linux/skbuff.h>
    29	#include <linux/init.h>
    30	#include <linux/slab.h>
    31	#include <linux/netlink.h>
    32	#include <linux/hash.h>
    33	#include <linux/nospec.h>
    34	
    35	#include <net/arp.h>
    36	#include <net/inet_dscp.h>
    37	#include <net/ip.h>
    38	#include <net/protocol.h>
    39	#include <net/route.h>
    40	#include <net/tcp.h>
    41	#include <net/sock.h>
    42	#include <net/ip_fib.h>
    43	#include <net/ip6_fib.h>
    44	#include <net/nexthop.h>
    45	#include <net/netlink.h>
    46	#include <net/rtnh.h>
    47	#include <net/lwtunnel.h>
    48	#include <net/fib_notifier.h>
    49	#include <net/addrconf.h>
    50	
    51	#include "fib_lookup.h"
    52	
    53	static DEFINE_SPINLOCK(fib_info_lock);
    54	static struct hlist_head *fib_info_hash;
    55	static struct hlist_head *fib_info_laddrhash;
    56	static unsigned int fib_info_hash_size;
    57	static unsigned int fib_info_hash_bits;
    58	static unsigned int fib_info_cnt;
    59	
    60	#define DEVINDEX_HASHBITS 8
    61	#define DEVINDEX_HASHSIZE (1U << DEVINDEX_HASHBITS)
    62	static struct hlist_head fib_info_devhash[DEVINDEX_HASHSIZE];
    63	
    64	/* for_nexthops and change_nexthops only used when nexthop object
    65	 * is not set in a fib_info. The logic within can reference fib_nh.
    66	 */
    67	#ifdef CONFIG_IP_ROUTE_MULTIPATH
    68	
    69	#define for_nexthops(fi) {						\
    70		int nhsel; const struct fib_nh *nh;				\
    71		for (nhsel = 0, nh = (fi)->fib_nh;				\
    72		     nhsel < fib_info_num_path((fi));				\
    73		     nh++, nhsel++)
    74	
    75	#define change_nexthops(fi) {						\
    76		int nhsel; struct fib_nh *nexthop_nh;				\
    77		for (nhsel = 0,	nexthop_nh = (struct fib_nh *)((fi)->fib_nh);	\
    78		     nhsel < fib_info_num_path((fi));				\
    79		     nexthop_nh++, nhsel++)
    80	
    81	#else /* CONFIG_IP_ROUTE_MULTIPATH */
    82	
    83	/* Hope, that gcc will optimize it to get rid of dummy loop */
    84	
    85	#define for_nexthops(fi) {						\
    86		int nhsel; const struct fib_nh *nh = (fi)->fib_nh;		\
    87		for (nhsel = 0; nhsel < 1; nhsel++)
    88	
    89	#define change_nexthops(fi) {						\
    90		int nhsel;							\
    91		struct fib_nh *nexthop_nh = (struct fib_nh *)((fi)->fib_nh);	\
    92		for (nhsel = 0; nhsel < 1; nhsel++)
    93	
    94	#endif /* CONFIG_IP_ROUTE_MULTIPATH */
    95	
    96	#define endfor_nexthops(fi) }
    97	
    98	
    99	const struct fib_prop fib_props[RTN_MAX + 1] = {
   100		[RTN_UNSPEC] = {
   101			.error	= 0,
   102			.scope	= RT_SCOPE_NOWHERE,
   103		},
   104		[RTN_UNICAST] = {
   105			.error	= 0,
   106			.scope	= RT_SCOPE_UNIVERSE,
   107		},
   108		[RTN_LOCAL] = {
   109			.error	= 0,
   110			.scope	= RT_SCOPE_HOST,
   111		},
   112		[RTN_BROADCAST] = {
   113			.error	= 0,
   114			.scope	= RT_SCOPE_LINK,
   115		},
   116		[RTN_ANYCAST] = {
   117			.error	= 0,
   118			.scope	= RT_SCOPE_LINK,
   119		},
   120		[RTN_MULTICAST] = {
   121			.error	= 0,
   122			.scope	= RT_SCOPE_UNIVERSE,
   123		},
   124		[RTN_BLACKHOLE] = {
   125			.error	= -EINVAL,
   126			.scope	= RT_SCOPE_UNIVERSE,
   127		},
   128		[RTN_UNREACHABLE] = {
   129			.error	= -EHOSTUNREACH,
   130			.scope	= RT_SCOPE_UNIVERSE,
   131		},
   132		[RTN_PROHIBIT] = {
   133			.error	= -EACCES,
   134			.scope	= RT_SCOPE_UNIVERSE,
   135		},
   136		[RTN_THROW] = {
   137			.error	= -EAGAIN,
   138			.scope	= RT_SCOPE_UNIVERSE,
   139		},
   140		[RTN_NAT] = {
   141			.error	= -EINVAL,
   142			.scope	= RT_SCOPE_NOWHERE,
   143		},
   144		[RTN_XRESOLVE] = {
   145			.error	= -EINVAL,
   146			.scope	= RT_SCOPE_NOWHERE,
   147		},
   148	};
   149	
   150	static void rt_fibinfo_free(struct rtable __rcu **rtp)
   151	{
   152		struct rtable *rt = rcu_dereference_protected(*rtp, 1);
   153	
   154		if (!rt)
   155			return;
 > 156		if (!&rt->dst)
   157			return;
   158	
   159		/* Not even needed : RCU_INIT_POINTER(*rtp, NULL);
   160		 * because we waited an RCU grace period before calling
   161		 * free_fib_info_rcu()
   162		 */
   163	
   164		dst_dev_put(&rt->dst);
   165		dst_release_immediate(&rt->dst);
   166	}
   167	

-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ