From: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
To: Nikolay Aleksandrov <nikolay@redhat.com>
Cc: netdev@vger.kernel.org, andy@greyhouse.net, fubar@us.ibm.com,
davem@davemloft.net
Subject: Re: [PATCH 1/2] bonding: fix netdev event NULL pointer dereference
Date: Thu, 11 Apr 2013 17:40:01 +0400 [thread overview]
Message-ID: <5166BD31.5020404@cogentembedded.com> (raw)
In-Reply-To: <1365538644-1502-1-git-send-email-nikolay@redhat.com>
Hello.
On 10-04-2013 0:17, Nikolay Aleksandrov wrote:
> In commit 471cb5a33dcbd7c529684a2ac7ba4451414ee4a7 ("bonding: remove
> usage of dev->master") a bug was introduced which causes a NULL pointer
> dereference. If a bond device is in mode 6 (ALB) and a slave is added
> it will dereference a NULL pointer in bond_slave_netdev_event().
> This is because in bond_enslave we have bond_alb_init_slave() which
> changes the MAC address of the slave and causes a NETDEV_CHANGEADDR.
> Then we have in bond_slave_netdev_event():
> struct slave *slave = bond_slave_get_rtnl(slave_dev);
> struct bonding *bond = slave->bond;
> bond_slave_get_rtnl() dereferences slave_dev->rx_handler_data which at
> that time is NULL since netdev_rx_handler_register() is called later.
> This is fixed by checking if slave is NULL before dereferencing it.
> Signed-off-by: Nikolay Aleksandrov <nikolay@redhat.com>
[...]
Minor formatting nit.
> diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
> index 171b10f..9995ddc 100644
> --- a/drivers/net/bonding/bond_main.c
> +++ b/drivers/net/bonding/bond_main.c
> @@ -3168,11 +3168,21 @@ static int bond_slave_netdev_event(unsigned long event,
> struct net_device *slave_dev)
> {
> struct slave *slave = bond_slave_get_rtnl(slave_dev);
> - struct bonding *bond = slave->bond;
> - struct net_device *bond_dev = slave->bond->dev;
> + struct bonding *bond;
> + struct net_device *bond_dev;
> u32 old_speed;
> u8 old_duplex;
>
> + /*
> + * A netdev event can be generated while enslaving a device
> + * before netdev_rx_handler_register is called in which case
> + * slave will be NULL
> + */
The preferred multi-line comment style in the networking code is:
/* bla
* bla
*/
WBR, Sergei
next prev parent reply other threads:[~2013-04-11 13:41 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-04-09 20:17 [PATCH 1/2] bonding: fix netdev event NULL pointer dereference Nikolay Aleksandrov
2013-04-09 20:17 ` [PATCH 2/2] bonding: IFF_BONDING is not stripped on enslave failure Nikolay Aleksandrov
2013-04-11 13:40 ` Sergei Shtylyov [this message]
2013-04-11 13:45 ` [PATCHv2 1/2] bonding: fix netdev event NULL pointer dereference Nikolay Aleksandrov
2013-04-11 17:28 ` David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=5166BD31.5020404@cogentembedded.com \
--to=sergei.shtylyov@cogentembedded.com \
--cc=andy@greyhouse.net \
--cc=davem@davemloft.net \
--cc=fubar@us.ibm.com \
--cc=netdev@vger.kernel.org \
--cc=nikolay@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.