From: Toshiaki Makita <makita.toshiaki@lab.ntt.co.jp>
To: Su-Hyun Park <suhyun.park@ahnlab.com>,
Stephen Hemminger <stephen@networkplumber.org>,
"David S. Miller" <davem@davemloft.net>
Cc: netdev@vger.kernel.org, bridge@lists.linux-foundation.org,
linux-kernel@vger.kernel.org
Subject: Re: [Bridge] [PATCH] bridge: missing null bridge device check causing null pointer dereference (bugfix)
Date: Thu, 06 Nov 2014 16:07:19 +0900
Message-ID: <545B1E27.3080302@lab.ntt.co.jp>
In-Reply-To: <1415255192-13584-1-git-send-email-suhyun.park@ahnlab.com>
On 2014/11/06 15:26, Su-Hyun Park wrote:
> the bridge device can be null if the bridge is being deleted while processing
> the packet, which causes the null pointer dereference in switch statement.
How can this happen??
It is guarded by rcu.
netdev_rx_handler_unregister() ensures rx_handler_data is non NULL.
Thanks,
Toshiaki Makita
>
> crash dump snippet:
>
> <1>BUG: unable to handle kernel NULL pointer dereference at 0000000000000021
> <1>IP: [<ffffffff814179f6>] br_handle_frame+0xe6/0x270
>
> <0>Code: 4c 0f 44 f0 89 f8 66 33 15 32 52 24 00 66 33 05 29 52 24 00 09 c2 89
> f0 66 33 05 22 52 24 00 80 e4 f0 66 09 c2 0f 84 eb 00 00 00 <41> 0f b6 46 21
> 3c 02 74 61 3c 03 74 1d 48 89 df e8 d5 bc f0 ff
> ---
> net/bridge/br_input.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/net/bridge/br_input.c b/net/bridge/br_input.c
> index 6fd5522..7e899ca 100644
> --- a/net/bridge/br_input.c
> +++ b/net/bridge/br_input.c
> @@ -176,6 +176,8 @@ rx_handler_result_t br_handle_frame(struct sk_buff **pskb)
> return RX_HANDLER_CONSUMED;
>
> p = br_port_get_rcu(skb->dev);
> + if (!p)
> + goto drop;
>
> if (unlikely(is_link_local_ether_addr(dest))) {
> u16 fwd_mask = p->br->group_fwd_mask_required;
>
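Review bot: the added `if (!p)` test after `br_port_get_rcu(skb->dev)` checks the port pointer, while the changelog says it is the bridge device that becomes NULL. The changelog should name the pointer that is actually NULL at the faulting access and explain how it can be NULL while the rx handler is still being invoked, because a silent `goto drop` at this point could otherwise hide a teardown-ordering problem instead of fixing it. If the check stays, wrapping it in `unlikely()` would match the `unlikely(is_link_local_ether_addr(dest))` test that follows in the same hunk.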