From: David Miller <davem@davemloft.net>
To: eric.dumazet@gmail.com
Cc: sasha.levin@oracle.com, netdev@vger.kernel.org,
linux-decnet-user@lists.sourceforge.net,
linux-kernel@vger.kernel.org, davej@redhat.com
Subject: Re: [PATCH] decnet: fix possible NULL deref in dnet_select_source()
Date: Mon, 07 Apr 2014 15:18:54 -0400 (EDT) [thread overview]
Message-ID: <20140407.151854.411047851818388937.davem@davemloft.net> (raw)
In-Reply-To: <1396821554.12330.51.camel@edumazet-glaptop2.roam.corp.google.com>
From: Eric Dumazet <eric.dumazet@gmail.com>
Date: Sun, 06 Apr 2014 14:59:14 -0700
> From: Eric Dumazet <edumazet@google.com>
>
> dnet_select_source() should make sure dn_ptr is not NULL.
>
> While looking at this decnet code, I believe I found a device
> reference leak, lets fix it as well.
>
> Reported-by: Sasha Levin <sasha.levin@oracle.com>
> Signed-off-by: Eric Dumazet <edumazet@google.com>
> ---
> It seems this bug is very old, no recent change is involved.
The callers work hard to ensure this.
Analyzing all call sites:
1) __dn_fib_res_prefsrc() uses the FIB entry device pointer, we should not
be adding FIB entries pointing to devices which do not have their
decnet private initialized yet.
2) dn_route_output_slow()
The paths leading to the dnet_select_address() call(s) check if
dev_out->dn_ptr is not NULL, except when using loopback.
In some other paths the device comes from neigh->dev, from which the
'neigh' was looked up in dn_neigh_table. There should not be neighbour
entries in this table pointing to devices which do not have their
decnet private setup yet.
And in the loopback case, it is the decnet stack's responsibility to
make sure ->dn_ptr is setup properly, else it should fail the module
load and stack initialization.
I think there is some core fundamental issue here, and just adding
a NULL check to dnet_select_source() is just papering around the issue.
Please look closer at the stack trace, this code, and my analysis
above to figure out what's really going on so we can fix this properly.
Thanks.
next prev parent reply other threads:[~2014-04-07 19:18 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-04-06 18:58 net: decnet: NULL ptr deref on connect() Sasha Levin
2014-04-06 21:59 ` [PATCH] decnet: fix possible NULL deref in dnet_select_source() Eric Dumazet
2014-04-07 19:18 ` David Miller [this message]
2014-04-08 4:51 ` Eric Dumazet
2014-04-08 16:37 ` David Miller
2015-12-17 21:07 ` Vegard Nossum
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140407.151854.411047851818388937.davem@davemloft.net \
--to=davem@davemloft.net \
--cc=davej@redhat.com \
--cc=eric.dumazet@gmail.com \
--cc=linux-decnet-user@lists.sourceforge.net \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=sasha.levin@oracle.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).