[net PATCH] hsr: fix a NULL pointer dereference in hsr_dev_xmit()

netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Taehee Yoo <ap420073@gmail.com>
To: davem@davemloft.net, xiyou.wangcong@gmail.com, netdev@vger.kernel.org
Cc: ap420073@gmail.com, treeze.taeung@gmail.com
Subject: [net PATCH] hsr: fix a NULL pointer dereference in hsr_dev_xmit()
Date: Sat, 30 Nov 2019 14:24:00 +0000	[thread overview]
Message-ID: <20191130142400.3930-1-ap420073@gmail.com> (raw)

hsr_dev_xmit() calls hsr_port_get_hsr() to find master node and that would
return NULL if master node is not existing in the list.
But hsr_dev_xmit() doesn't check return pointer so a NULL dereference
could occur.

In the TX datapath, there is no rcu_read_lock() so this patch adds missing
rcu_read_lock() in the hsr_dev_xmit() too.

Test commands:
    ip netns add nst
    ip link add v0 type veth peer name v1
    ip link add v2 type veth peer name v3
    ip link set v1 netns nst
    ip link set v3 netns nst
    ip link add hsr0 type hsr slave1 v0 slave2 v2
    ip a a 192.168.100.1/24 dev hsr0
    ip link set v0 up
    ip link set v2 up
    ip link set hsr0 up
    ip netns exec nst ip link add hsr1 type hsr slave1 v1 slave2 v3
    ip netns exec nst ip a a 192.168.100.2/24 dev hsr1
    ip netns exec nst ip link set v1 up
    ip netns exec nst ip link set v3 up
    ip netns exec nst ip link set hsr1 up
    hping3 192.168.100.2 -2 --flood &
    modprobe -rv hsr

Splat looks like:
[  390.879740][ T1362] general protection fault: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN PTI
[  390.880789][ T1362] CPU: 3 PID: 1362 Comm: hping3 Not tainted 5.4.0+ #183
[  390.881679][ T1362] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
[  390.882804][ T1362] RIP: 0010:hsr_dev_xmit+0x34/0x90 [hsr]
[  390.883528][ T1362] Code: 48 8d be 00 0c 00 00 be 04 00 00 00 48 83 ec 08 e8 21 be ff ff 48 8d 78 10 48 ba 00 00 00 0b
[  390.887020][ T1362] RSP: 0018:ffff888045507058 EFLAGS: 00010202
[  390.888067][ T1362] RAX: 0000000000000000 RBX: ffff88804a5d0cc0 RCX: 0000000000000002
[  390.889390][ T1362] RDX: dffffc0000000000 RSI: 0000000000000004 RDI: 0000000000000010
[  390.890525][ T1362] RBP: ffff88804a5d0cc0 R08: ffffed100d9c0d5d R09: 0000000000000001
[  390.891527][ T1362] R10: 0000000000000001 R11: ffffed100d9c0d5c R12: ffff888063bac000
[  390.893637][ T1362] R13: ffff888063bac088 R14: 0000000000000000 R15: ffff88806428fa00
[  390.900829][ T1362] FS:  00007fa5a5f40740(0000) GS:ffff88806cc00000(0000) knlGS:0000000000000000
[  390.908566][ T1362] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  390.909280][ T1362] CR2: 0000555eaf8cef58 CR3: 000000005c8ec002 CR4: 00000000000606e0
[  390.910070][ T1362] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  390.910899][ T1362] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[  390.911722][ T1362] Call Trace:
[  390.912105][ T1362]  dev_hard_start_xmit+0x160/0x740
[  390.912640][ T1362]  __dev_queue_xmit+0x1961/0x2e10
[  390.913148][ T1362]  ? check_object+0xaf/0x260
[  390.913630][ T1362]  ? __alloc_skb+0xb9/0x500
[  390.914088][ T1362]  ? init_object+0x6b/0x80
[  390.914558][ T1362]  ? netdev_core_pick_tx+0x2e0/0x2e0
[  390.915085][ T1362]  ? __alloc_skb+0xb9/0x500
[  390.915588][ T1362]  ? rcu_read_lock_sched_held+0x90/0xc0
[  390.916182][ T1362]  ? rcu_read_lock_bh_held+0xa0/0xa0
[  390.916742][ T1362]  ? kasan_unpoison_shadow+0x30/0x40
[  390.917276][ T1362]  ? __kasan_kmalloc.constprop.4+0xa0/0xd0
[  390.924192][ T1362]  ? __kmalloc_node_track_caller+0x3a8/0x3f0
[  390.924902][ T1362]  ? __kasan_kmalloc.constprop.4+0xa0/0xd0
[  390.925662][ T1362]  ? __kmalloc_reserve.isra.46+0x2e/0xb0
[  390.926398][ T1362]  ? memset+0x1f/0x40
[  390.926904][ T1362]  ? __alloc_skb+0x317/0x500
[  390.927492][ T1362]  ? arp_xmit+0xca/0x2c0
[  390.928050][ T1362]  arp_xmit+0xca/0x2c0
[  390.928576][ T1362]  ? arp_error_report+0x150/0x150
[  390.929209][ T1362]  ? eth_header+0x1b5/0x200
[  390.929781][ T1362]  ? memset+0x1f/0x40
[  390.930288][ T1362]  ? arp_create+0x616/0x780
[  390.930857][ T1362]  arp_send_dst.part.16+0x124/0x180
[  390.931524][ T1362]  ? arp_xmit+0x2c0/0x2c0
[  390.932088][ T1362]  arp_solicit+0x8cf/0xfb0
[  390.932654][ T1362]  ? lock_downgrade+0x6e0/0x6e0
[  390.933269][ T1362]  ? arp_send+0x90/0x90
[  390.933803][ T1362]  neigh_probe+0xaf/0xf0
[ ... ]

Fixes: 311633b60406 ("hsr: switch ->dellink() to ->ndo_uninit()")
Signed-off-by: Taehee Yoo <ap420073@gmail.com>
---
 net/hsr/hsr_device.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/net/hsr/hsr_device.c b/net/hsr/hsr_device.c
index f509b495451a..e3871491960c 100644
--- a/net/hsr/hsr_device.c
+++ b/net/hsr/hsr_device.c
@@ -226,9 +226,16 @@ static int hsr_dev_xmit(struct sk_buff *skb, struct net_device *dev)
 	struct hsr_priv *hsr = netdev_priv(dev);
 	struct hsr_port *master;
 
+	rcu_read_lock();
 	master = hsr_port_get_hsr(hsr, HSR_PT_MASTER);
-	skb->dev = master->dev;
-	hsr_forward_skb(skb, master);
+	if (master) {
+		skb->dev = master->dev;
+		hsr_forward_skb(skb, master);
+	} else {
+		atomic_long_inc(&dev->tx_dropped);
+		dev_kfree_skb_any(skb);
+	}
+	rcu_read_unlock();
 	return NETDEV_TX_OK;
 }
 
-- 
2.17.1

next             reply	other threads:[~2019-11-30 14:24 UTC|newest]

Thread overview: 10+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-11-30 14:24 Taehee Yoo [this message]
2019-11-30 18:34 ` [net PATCH] hsr: fix a NULL pointer dereference in hsr_dev_xmit() David Miller
2019-12-01 15:52   ` Taehee Yoo
2019-11-30 18:35 ` Cong Wang
2019-11-30 21:04   ` Cong Wang
2019-12-01 16:08     ` Taehee Yoo
2019-12-04 17:24       ` Cong Wang
2019-12-01 16:01   ` Taehee Yoo
2019-12-04 17:29 ` Cong Wang
2019-12-05  7:00   ` Taehee Yoo

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:f509b495451 dfblob:e3871491960 )
 OR (
bs:"[net PATCH] hsr: fix a NULL pointer dereference in hsr_dev_xmit()" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20191130142400.3930-1-ap420073@gmail.com \
    --to=ap420073@gmail.com \
    --cc=davem@davemloft.net \
    --cc=netdev@vger.kernel.org \
    --cc=treeze.taeung@gmail.com \
    --cc=xiyou.wangcong@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).