From: xiaoming gao <gxm.linux.kernel@gmail.com>
To: Eric Dumazet <eric.dumazet@gmail.com>
Cc: stephen@networkplumber.org, netdev@vger.kernel.org,
bridge@lists.linux-foundation.org, davem@davemloft.net,
linux-kernel@vger.kernel.org
Subject: Re: [Bridge] [PATCH] net bridge: add null pointer check, fix panic
Date: Thu, 20 Jun 2013 15:00:58 +0800
Message-ID: <51C2A8AA.5010902@gmail.com>
In-Reply-To: <1371704129.3252.356.camel@edumazet-glaptop>
Eric Dumazet said, at 2013-6-20 12:55:
> On Thu, 2013-06-20 at 11:08 +0800, xiaoming gao wrote:
>> From: newtongao <newtongao@tencent.com>
>> Date: Wed, 19 Jun 2013 14:58:33 +0800
>> Subject: [PATCH] net bridge: add null pointer check,fix panic
>>
>> in kernel 3.0, br_port_get_rcu() may return NULL when network interface be deleting from bridge,
>> but in function br_handle_frame and br_handle_local_finish, the pointer didn't be checked before using,
>> so all br_port_get_rcu callers must do null check,or there occurs the null pointer panic.
>>
>> kernel 3.4 also has this bug,i have verified.
>> mainline kernel still did not check br_port_get_rcu()'s NULL pointer, but i have not tested it yet.
>
> Please check current version before sending a patch.
>
> This was most probably fixed in commit 00cfec37484761a44
> ("net: add a synchronize_net() in netdev_rx_handler_unregister()")
>
> Thanks
>
>
Hi Eric,

The problem is as follows:

br_del_if()-->del_nbp():
	list_del_rcu(&p->list);
	dev->priv_flags &= ~IFF_BRIDGE_PORT;
	------>at this point, the NIC being deleted still has rx_handler, so it may be in br_handle_frame()
	------>br_port_exists() will return false, so br_get_port_rcu() will return NULL
	------>so in br_handle_frame, there will be a null panic.
	netdev_rx_handler_unregister(dev);
	synchronize_net();

I have checked commit 00cfec37484761a44; I think it didn't fix this bug.

Thanks.
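
Added example (not part of the original message and not kernel code): a user-space C model of the teardown order described above, showing that a frame delivered after IFF_BRIDGE_PORT is cleared but before the rx_handler is unregistered reaches the handler with a NULL port. The struct layouts, the flag value and the names model_port_get, model_rx and frame_after_steps are assumptions made for this model.

```c
#include <stddef.h>

#define IFF_BRIDGE_PORT 0x1u            /* constructed value, not the kernel's */

struct port { int id; };
struct netdev {
    unsigned int priv_flags;
    struct port *rx_handler_data;       /* set while the port is attached */
    int rx_handler_registered;          /* stands in for dev->rx_handler */
};

enum rx_result { RX_PASS, RX_HANDLED, RX_NULL_DEREF };

/* Model of br_port_get_rcu() as the thread describes it:
 * NULL as soon as IFF_BRIDGE_PORT is cleared. */
static struct port *model_port_get(const struct netdev *dev)
{
    return (dev->priv_flags & IFF_BRIDGE_PORT) ? dev->rx_handler_data : NULL;
}

/* Model of the receive path invoking br_handle_frame(). */
static enum rx_result model_rx(const struct netdev *dev, int null_check)
{
    struct port *p;

    if (!dev->rx_handler_registered)
        return RX_PASS;                 /* frame never reaches the bridge */
    p = model_port_get(dev);
    if (!p)                             /* the kernel would dereference p here */
        return null_check ? RX_PASS : RX_NULL_DEREF;
    return RX_HANDLED;
}

/* Run the first `steps` teardown steps of del_nbp() in the order quoted
 * above, then deliver one frame and report what the handler does. */
enum rx_result frame_after_steps(int steps, int null_check)
{
    struct port p = { .id = 1 };
    struct netdev dev = { IFF_BRIDGE_PORT, &p, 1 };

    /* step 1: list_del_rcu(&p->list) does not change what the rx path sees */
    if (steps >= 2)
        dev.priv_flags &= ~IFF_BRIDGE_PORT;
    if (steps >= 3)
        dev.rx_handler_registered = 0;  /* netdev_rx_handler_unregister() */
    return model_rx(&dev, null_check);
}
```

Only the state after step 2 is unsafe without the check: frame_after_steps(2, 0) returns RX_NULL_DEREF, while the same call with null_check set returns RX_PASS.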