Message-ID: <tencent_75EF812B305E26B0869C673DD1160866C90A@qq.com>
Date: Thu, 25 Dec 2025 20:36:17 +0000
From: Jerry Wu <w.7erry@...mail.com>
To: vladimir.oltean@....com
Cc: UNGLinuxDriver@...rochip.com,
	alexandre.belloni@...tlin.com,
	andrew+netdev@...n.ch,
	christophe.jaillet@...adoo.fr,
	claudiu.manoil@....com,
	davem@...emloft.net,
	edumazet@...gle.com,
	kuba@...nel.org,
	linux-kernel@...r.kernel.org,
	netdev@...r.kernel.org,
	pabeni@...hat.com,
	w.7erry@...mail.com
Subject: [PATCH net v3] net: mscc: ocelot: Fix crash when adding interface under a lag

Commit 15faa1f67ab4 ("lan966x: Fix crash when adding interface under a lag")
fixed a similar issue in the lan966x driver caused by a NULL pointer dereference.
The ocelot_set_aggr_pgids() function in the ocelot driver has similar logic
and is susceptible to the same crash.

This issue specifically affects the ocelot_vsc7514.c frontend, which leaves
unused ports as NULL pointers. The felix_vsc9959.c frontend is unaffected as
it uses the DSA framework which registers all ports.

Fix this by checking if the port pointer is valid before accessing it.

Fixes: 528d3f190c98 ("net: mscc: ocelot: drop the use of the "lags" array")
Signed-off-by: Jerry Wu <w.7erry@...mail.com>
---
v3:
  - Resending the correct version that compiles properly.
  - Retained the 'bond' variable as confirmed necessary in discussion with Vladimir Oltean.
  - Added links to previous versions as requested.
  - Thanks to the reviewers for the gentle and detailed feedback and guidance.

v2: https://lore.kernel.org/netdev/20251220210808.325isrbvmhjp3tlg@skbuf/T/
  - Addressed comments from v1 regarding variable name and null checking.
  - Sent by accident as a draft.

v1: https://lore.kernel.org/lkml/20251220180113.724txltmrkxzyaql@skbuf/T/
  - Tried to fix the crash in the same way as the previous patch did, but failed because of:
    - improper variable name that is shadowing the "int port" definition.
    - unnecessary and incorrect hunk for null checking.
    - improper commit title.

 drivers/net/ethernet/mscc/ocelot.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/net/ethernet/mscc/ocelot.c b/drivers/net/ethernet/mscc/ocelot.c
index 08bee56aea35..c345d9b17c89 100644
--- a/drivers/net/ethernet/mscc/ocelot.c
+++ b/drivers/net/ethernet/mscc/ocelot.c
@@ -2307,14 +2307,16 @@ static void ocelot_set_aggr_pgids(struct ocelot *ocelot)
 
 	/* Now, set PGIDs for each active LAG */
 	for (lag = 0; lag < ocelot->num_phys_ports; lag++) {
-		struct net_device *bond = ocelot->ports[lag]->bond;
+		struct ocelot_port *ocelot_port = ocelot->ports[lag];
 		int num_active_ports = 0;
+		struct net_device *bond;
 		unsigned long bond_mask;
 		u8 aggr_idx[16];
 
-		if (!bond || (visited & BIT(lag)))
+		if (!ocelot_port || !ocelot_port->bond || (visited & BIT(lag)))
 			continue;
 
+		bond = ocelot_port->bond;
 		bond_mask = ocelot_get_bond_mask(ocelot, bond);
 
 		for_each_set_bit(port, &bond_mask, ocelot->num_phys_ports) {
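Review bot: The new `!ocelot_port` test in the `for (lag = 0; ...)` loop guards only `ocelot->ports[lag]`, while the `for_each_set_bit(port, &bond_mask, ocelot->num_phys_ports)` loop that follows walks whatever ports `bond_mask` selects, and nothing in this hunk shows that `ocelot_get_bond_mask()` leaves NULL entries of `ocelot->ports[]` out of that mask. Please confirm that it does and say so in the commit message, so it is clear the inner loop cannot reach the same NULL dereference on the ocelot_vsc7514.c frontend where unused ports are NULL. If it does not, the inner loop needs its own `if (!ocelot->ports[port]) continue;` style check before any per-port access.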
-- 
2.52.0

