From mboxrd@z Thu Jan 1 00:00:00 1970 From: Garry McNulty Subject: [PATCH] net: bridge: fix potential null pointer dereference on return from br_port_get_rtnl() Date: Thu, 21 Jun 2018 21:14:27 +0100 Message-ID: <20180621201427.4961-1-garrmcnu@gmail.com> Cc: stephen@networkplumber.org, davem@davemloft.net, jiri@resnulli.us, nikolay@cumulusnetworks.com, bridge@lists.linux-foundation.org, linux-kernel@vger.kernel.org, Garry McNulty To: netdev@vger.kernel.org Return-path: Sender: linux-kernel-owner@vger.kernel.org List-Id: netdev.vger.kernel.org br_port_get_rtnl() can return NULL if the network device is not a bridge port (IFF_BRIDGE_PORT flag not set). br_port_slave_changelink() and br_port_fill_slave_info() callbacks dereference this pointer without checking. Currently this is not a problem because slave devices always set this flag. Add null check in case these conditions ever change. Detected by CoverityScan, CID 1339613 ("Dereference null return value") Signed-off-by: Garry McNulty --- net/bridge/br_netlink.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/net/bridge/br_netlink.c b/net/bridge/br_netlink.c index 9f5eb05b0373..b3ad135b7157 100644 --- a/net/bridge/br_netlink.c +++ b/net/bridge/br_netlink.c @@ -947,13 +947,14 @@ static int br_port_slave_changelink(struct net_device *brdev, struct netlink_ext_ack *extack) { struct net_bridge *br = netdev_priv(brdev); + struct net_bridge_port *p = br_port_get_rtnl(dev); int ret; - if (!data) + if (!data || !p) return 0; spin_lock_bh(&br->lock); - ret = br_setport(br_port_get_rtnl(dev), data); + ret = br_setport(p, data); spin_unlock_bh(&br->lock); return ret; @@ -963,7 +964,9 @@ static int br_port_fill_slave_info(struct sk_buff *skb, const struct net_device *brdev, const struct net_device *dev) { - return br_port_fill_attrs(skb, br_port_get_rtnl(dev)); + struct net_bridge_port *p = br_port_get_rtnl(dev); + + return p ? br_port_fill_attrs(skb, p) : -EINVAL; } static size_t br_port_get_slave_size(const struct net_device *brdev, -- 2.14.4