From: Simon Horman <horms@kernel.org>
To: Lukasz Majewski <lukma@denx.de>
Cc: Jakub Kicinski <kuba@kernel.org>,
	Jeongjun Park <aha310510@gmail.com>,
	davem@davemloft.net, edumazet@google.com, pabeni@redhat.com,
	ricardo@marliere.net, m-karicheri2@ti.com,
	n.zhandarovich@fintech.ru, netdev@vger.kernel.org,
	linux-kernel@vger.kernel.org,
	syzbot+02a42d9b1bd395cbcab4@syzkaller.appspotmail.com,
	Edward Adam Davis <eadavis@qq.com>,
	syzbot+c229849f5b6c82eba3c2@syzkaller.appspotmail.com
Subject: Re: [PATCH net] net: hsr: prevent NULL pointer dereference in hsr_proxy_announce()
Date: Wed, 11 Sep 2024 09:21:42 +0100
Message-ID: <20240911082142.GA678243@kernel.org>
In-Reply-To: <20240911100007.31d600fc@wsk>

+ Edward Adam Davis, syzbot+c229849f5b6c82eba3c2

On Wed, Sep 11, 2024 at 10:00:07AM +0200, Lukasz Majewski wrote:
> Hi Jakub,
> 
> > On Mon, 9 Sep 2024 10:58:22 +0200 Lukasz Majewski wrote:
> > > > In the function hsr_proxy_announce() added in the previous
> > > > commit 5f703ce5c981 ("net: hsr: Send supervisory frames to HSR
> > > > network with ProxyNodeTable data"), the return value of the
> > > > hsr_port_get_hsr() function is not checked to be a NULL pointer,
> > > > which causes a NULL pointer dereference.    
> > > 
> > > Thank you for your patch.
> > > 
> > > The code in hsr_proxy_announcement() is _only_ executed (the timer
> > > is configured to trigger this function) when hsr->redbox is set,
> > > which means that somebody has called earlier iproute2 command:
> > > 
> > > ip link add name hsr1 type hsr slave1 lan4 slave2 lan5 interlink
> > > lan3 supervision 45 version 1  
> > 
> > Are you trying to say the patch is correct or incorrect?
> 
> I'm just trying to explain that this code (i.e.
> hsr_proxy_announcement()) shall NOT be triggered if the interlink port is
> not configured.
> 
> Nonetheless the patch is correct - as it was pointed out that the return
> value is not checked.
> 
> > The structs have no refcounting - should the timers be deleted with
> > _sync() inside hsr_check_announce()?
> 
> The timers don't need to be conditionally enabled (and removed) as we
> discussed it previously (as they only do useful work when they are
> configured and almost take no resources when declared during the
> driver probe).
> 
> Anyway:
> 
> Acked-by: Lukasz Majewski <lukma@denx.de>

Thanks,

Like Jakub I was a little confused about the intent of your previous
comment, but it is clear now.

It seems that along the way the patch got marked as rejected, presumably on
the basis of earlier discussion in this thread. But that seems
inappropriate now, so let me see if this will bring it back under
consideration.

pw-bot: under-review

For reference, the same change was also submitted as:
- [PATCH net] net: hsr: Fix null-ptr-deref in hsr_proxy_announce
  https://lore.kernel.org/all/tencent_CF67CC46D7D2DBC677898AEEFBAECD0CAB06@qq.com/

I will attempt to somehow mark that as a duplicate in patchwork.

It also seems that there are duplicate syzbot reports for this problem [1][2].
I will also attempt to mark [2] as a duplicate of [1].

[1] https://syzkaller.appspot.com/bug?extid=02a42d9b1bd395cbcab4
[2] https://syzkaller.appspot.com/bug?extid=c229849f5b6c82eba3c2
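
The point discussed in the thread above, as an added example that is not part of the original message or the kernel source: a timer callback assumes "redbox set implies an interlink port exists", but the lookup can still return NULL, so the result is checked before use. This is a userspace model; `hsr_model`, `port_get()`, `proxy_announce_tick()` and the scenario in `run_scenario()` are hypothetical names and constructed state, standing in for `hsr->redbox` and `hsr_port_get_hsr()`.

```c
/* Userspace model, constructed for illustration; not kernel code. */
#include <stdbool.h>
#include <stddef.h>

enum port_type { PT_SLAVE_A, PT_SLAVE_B, PT_INTERLINK, PT_MAX };

struct port { enum port_type type; int frames_sent; };

struct hsr_model {
    bool redbox;                 /* stands in for hsr->redbox */
    struct port *ports[PT_MAX];  /* NULL slot: port not (or no longer) attached */
};

/* Lookup that may legitimately return NULL, like hsr_port_get_hsr(). */
static struct port *port_get(struct hsr_model *hsr, enum port_type t)
{
    return (t < PT_MAX) ? hsr->ports[t] : NULL;
}

/* Timer callback body. Returns true if a supervision frame was "sent",
 * false if the tick was skipped. */
bool proxy_announce_tick(struct hsr_model *hsr)
{
    struct port *interlink;

    if (!hsr->redbox)
        return false;

    interlink = port_get(hsr, PT_INTERLINK);
    if (!interlink)              /* invariant did not hold: skip, do not dereference */
        return false;

    interlink->frames_sent++;
    return true;
}

/* Assumed scenario: redbox stays set while the interlink slot becomes empty
 * and the timer fires once more. */
int run_scenario(void)
{
    struct port il = { PT_INTERLINK, 0 };
    struct hsr_model hsr = { .redbox = true, .ports = { [PT_INTERLINK] = &il } };
    int sent = 0;

    sent += proxy_announce_tick(&hsr);  /* port present: frame sent */
    hsr.ports[PT_INTERLINK] = NULL;     /* slot emptied, timer still armed */
    sent += proxy_announce_tick(&hsr);  /* guarded: skipped instead of crashing */
    return sent * 10 + il.frames_sent;  /* ticks that sent, frames counted */
}
```
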

Thread overview: 8+ messages
2024-09-07 19:03 [PATCH net] net: hsr: prevent NULL pointer dereference in hsr_proxy_announce() Jeongjun Park
2024-09-09  8:40 ` Simon Horman
2024-09-09  8:58 ` Lukasz Majewski
2024-09-11  2:15   ` Jakub Kicinski
2024-09-11  8:00     ` Lukasz Majewski
2024-09-11  8:21       ` Simon Horman [this message]
2024-09-11 14:43       ` Jakub Kicinski
2024-09-11 23:20 ` patchwork-bot+netdevbpf
