From: Lukasz Majewski <lukma@denx.de>
To: Zichen Xie <zichenxie0106@gmail.com>
Cc: davem@davemloft.net, edumazet@google.com, kuba@kernel.org,
pabeni@redhat.com, horms@kernel.org,
aleksander.lobakin@intel.com, n.zhandarovich@fintech.ru,
ricardo@marliere.net, m-karicheri2@ti.com,
netdev@vger.kernel.org, Zijie Zhao <zzjas98@gmail.com>,
Chenyuan Yang <chenyuan0y@gmail.com>
Subject: Re: net/hsr: Question about hsr_port_get_hsr() and possbile null-pointer-dereference
Date: Mon, 7 Oct 2024 10:01:38 +0200 [thread overview]
Message-ID: <20241007100138.643f5c61@wsk> (raw)
In-Reply-To: <CANdh5G7KBdzVcyrf5dPG2fbXQ5KCzr0LXu_p38H2-Cd4_FNsxw@mail.gmail.com>
[-- Attachment #1: Type: text/plain, Size: 1879 bytes --]
Hi Zichen,
> Dear Developers for NETWORKING [GENERAL],
>
> We are curious about the function hsr_port_get_hsr().
> The function may return NULL when it cannot find a corresponding port.
> But there is no NULL check in hsr_check_carrier_and_operstate() here:
> https://elixir.bootlin.com/linux/v6.12-rc1/source/net/hsr/hsr_device.c#L93
> The relevant code is:
> ```
> master = hsr_port_get_hsr(hsr, HSR_PT_MASTER);
> /* netif_stacked_transfer_operstate() cannot be used here since
> * it doesn't set IF_OPER_LOWERLAYERDOWN (?)
> */
> has_carrier = hsr_check_carrier(master);
> hsr_set_operstate(master, has_carrier);
> hsr_check_announce(master->dev);
> ```
> There may be possible NULL Pointer Dereference.
> However, in hsr_dev_xmit() the NULL checker exists.
This function is called when NETDEV_UP/DOWN/CHANGE is called for hsr
net device.
IMHO, this cannot be called without having first created hsr network
device (with iproute2 command).
> ```
> master = hsr_port_get_hsr(hsr, HSR_PT_MASTER);
> if (master) {
> skb->dev = master->dev;
> skb_reset_mac_header(skb);
> skb_reset_mac_len(skb);
> spin_lock_bh(&hsr->seqnr_lock);
> hsr_forward_skb(skb, master);
> spin_unlock_bh(&hsr->seqnr_lock);
> } else {
> dev_core_stats_tx_dropped_inc(dev);
> dev_kfree_skb_any(skb);
> }
> ```
> So we are curious if this NULL check is necessary. The function
> hsr_port_get_hsr() is called several times, but NULL checks seem to
> exist occasionally.
>
> Please kindly correct us if we missed any key information. Looking
> forward to your response!
>
> Best,
> Zichen
Best regards,
Lukasz Majewski
--
DENX Software Engineering GmbH, Managing Director: Erika Unter
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: (+49)-8142-66989-59 Fax: (+49)-8142-66989-80 Email: lukma@denx.de
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 488 bytes --]
prev parent reply other threads:[~2024-10-07 8:01 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-10-02 15:51 net/hsr: Question about hsr_port_get_hsr() and possbile null-pointer-dereference Zichen Xie
2024-10-07 8:01 ` Lukasz Majewski [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20241007100138.643f5c61@wsk \
--to=lukma@denx.de \
--cc=aleksander.lobakin@intel.com \
--cc=chenyuan0y@gmail.com \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=horms@kernel.org \
--cc=kuba@kernel.org \
--cc=m-karicheri2@ti.com \
--cc=n.zhandarovich@fintech.ru \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=ricardo@marliere.net \
--cc=zichenxie0106@gmail.com \
--cc=zzjas98@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.