From: Saeed Mahameed <saeed@kernel.org>
To: "David S. Miller" <davem@davemloft.net>,
Jakub Kicinski <kuba@kernel.org>
Cc: netdev@vger.kernel.org, Tariq Toukan <tariqt@nvidia.com>,
Leon Romanovsky <leonro@nvidia.com>,
Dima Chumak <dchumak@nvidia.com>, Vlad Buslov <vladbu@nvidia.com>,
Saeed Mahameed <saeedm@nvidia.com>
Subject: [net 06/16] net/mlx5e: Fix nullptr in mlx5e_tc_add_fdb_flow()
Date: Tue, 18 May 2021 23:05:13 -0700
Message-ID: <20210519060523.17875-7-saeed@kernel.org>
In-Reply-To: <20210519060523.17875-1-saeed@kernel.org>
From: Dima Chumak <dchumak@nvidia.com>

The result of __dev_get_by_index() is not checked for NULL, which is then
passed to mlx5e_attach_encap() and gets dereferenced.

Also, in case of a successful lookup, the net_device reference count is
not incremented, which may result in net_device pointer becoming invalid
at any time during mlx5e_attach_encap() execution.

Fix by using dev_get_by_index(), which does proper reference counting on
the net_device pointer. Also, handle nullptr return value when mirred
device is not found.

It's safe to call dev_put() on the mirred net_device pointer, right
after mlx5e_attach_encap() call, because it's not being saved/copied
down the call chain.

Fixes: 3c37745ec614 ("net/mlx5e: Properly deal with encap flows add/del under neigh update")
Addresses-Coverity: ("Dereference null return value")
Signed-off-by: Dima Chumak <dchumak@nvidia.com>
Reviewed-by: Vlad Buslov <vladbu@nvidia.com>
Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
---
drivers/net/ethernet/mellanox/mlx5/core/en_tc.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
index 46945d04b5b8..882bafba43f2 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
@@ -1322,10 +1322,10 @@ mlx5e_tc_add_fdb_flow(struct mlx5e_priv *priv,
struct netlink_ext_ack *extack)
{
struct mlx5_eswitch *esw = priv->mdev->priv.eswitch;
- struct net_device *out_dev, *encap_dev = NULL;
struct mlx5e_tc_flow_parse_attr *parse_attr;
struct mlx5_flow_attr *attr = flow->attr;
bool vf_tun = false, encap_valid = true;
+ struct net_device *encap_dev = NULL;
struct mlx5_esw_flow_attr *esw_attr;
struct mlx5_fc *counter = NULL;
struct mlx5e_rep_priv *rpriv;
@@ -1371,16 +1371,22 @@ mlx5e_tc_add_fdb_flow(struct mlx5e_priv *priv,
esw_attr = attr->esw_attr;
for (out_index = 0; out_index < MLX5_MAX_FLOW_FWD_VPORTS; out_index++) {
+ struct net_device *out_dev;
int mirred_ifindex;
if (!(esw_attr->dests[out_index].flags & MLX5_ESW_DEST_ENCAP))
continue;
mirred_ifindex = parse_attr->mirred_ifindex[out_index];
- out_dev = __dev_get_by_index(dev_net(priv->netdev),
- mirred_ifindex);
+ out_dev = dev_get_by_index(dev_net(priv->netdev), mirred_ifindex);
+ if (!out_dev) {
+ NL_SET_ERR_MSG_MOD(extack, "Requested mirred device not found");
+ err = -ENODEV;
+ goto err_out;
+ }
err = mlx5e_attach_encap(priv, flow, out_dev, out_index,
extack, &encap_dev, &encap_valid);
+ dev_put(out_dev);
if (err)
goto err_out;
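Review bot: the dev_put(out_dev) placed directly after mlx5e_attach_encap() is only safe while the callee never stores out_dev, and that invariant is stated in the commit message but not in the code. A one-line comment above dev_put() saying the reference is dropped here because mlx5e_attach_encap() does not keep the pointer would guard against a later change that caches it and reintroduces a use-after-free. The same lifetime question applies to encap_dev, which is written through &encap_dev and is declared at function scope, so it outlives this loop iteration: these lines do not show a reference being held for it, and the changelog should say how that pointer stays valid. The new -ENODEV branch goes to err_out without a dev_put(), which is correct since no reference was taken when the lookup returned NULL.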
--
2.31.1