From: Lukasz Majewski <lukma@denx.de>
To: Zichen Xie <zichenxie0106@gmail.com>
Cc: davem@davemloft.net, edumazet@google.com, kuba@kernel.org,
pabeni@redhat.com, horms@kernel.org,
aleksander.lobakin@intel.com, n.zhandarovich@fintech.ru,
ricardo@marliere.net, m-karicheri2@ti.com,
netdev@vger.kernel.org, Zijie Zhao <zzjas98@gmail.com>,
Chenyuan Yang <chenyuan0y@gmail.com>
Subject: Re: net/hsr: Question about hsr_port_get_hsr() and possbile null-pointer-dereference
Date: Mon, 7 Oct 2024 10:01:38 +0200 [thread overview]
Message-ID: <20241007100138.643f5c61@wsk> (raw)
In-Reply-To: <CANdh5G7KBdzVcyrf5dPG2fbXQ5KCzr0LXu_p38H2-Cd4_FNsxw@mail.gmail.com>
[-- Attachment #1: Type: text/plain, Size: 1879 bytes --]
Hi Zichen,
> Dear Developers for NETWORKING [GENERAL],
>
> We are curious about the function hsr_port_get_hsr().
> The function may return NULL when it cannot find a corresponding port.
> But there is no NULL check in hsr_check_carrier_and_operstate() here:
> https://elixir.bootlin.com/linux/v6.12-rc1/source/net/hsr/hsr_device.c#L93
> The relevant code is:
> ```
> master = hsr_port_get_hsr(hsr, HSR_PT_MASTER);
> /* netif_stacked_transfer_operstate() cannot be used here since
> * it doesn't set IF_OPER_LOWERLAYERDOWN (?)
> */
> has_carrier = hsr_check_carrier(master);
> hsr_set_operstate(master, has_carrier);
> hsr_check_announce(master->dev);
> ```
> There may be possible NULL Pointer Dereference.
> However, in hsr_dev_xmit() the NULL checker exists.
This function is called when NETDEV_UP/DOWN/CHANGE is called for hsr
net device.
IMHO, this cannot be called without having first created hsr network
device (with iproute2 command).
> ```
> master = hsr_port_get_hsr(hsr, HSR_PT_MASTER);
> if (master) {
> skb->dev = master->dev;
> skb_reset_mac_header(skb);
> skb_reset_mac_len(skb);
> spin_lock_bh(&hsr->seqnr_lock);
> hsr_forward_skb(skb, master);
> spin_unlock_bh(&hsr->seqnr_lock);
> } else {
> dev_core_stats_tx_dropped_inc(dev);
> dev_kfree_skb_any(skb);
> }
> ```
> So we are curious if this NULL check is necessary. The function
> hsr_port_get_hsr() is called several times, but NULL checks seem to
> exist occasionally.
>
> Please kindly correct us if we missed any key information. Looking
> forward to your response!
>
> Best,
> Zichen
Best regards,
Lukasz Majewski
--
DENX Software Engineering GmbH, Managing Director: Erika Unter
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: (+49)-8142-66989-59 Fax: (+49)-8142-66989-80 Email: lukma@denx.de
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 488 bytes --]
prev parent reply other threads:[~2024-10-07 8:01 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-10-02 15:51 net/hsr: Question about hsr_port_get_hsr() and possbile null-pointer-dereference Zichen Xie
2024-10-07 8:01 ` Lukasz Majewski [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20241007100138.643f5c61@wsk \
--to=lukma@denx.de \
--cc=aleksander.lobakin@intel.com \
--cc=chenyuan0y@gmail.com \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=horms@kernel.org \
--cc=kuba@kernel.org \
--cc=m-karicheri2@ti.com \
--cc=n.zhandarovich@fintech.ru \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=ricardo@marliere.net \
--cc=zichenxie0106@gmail.com \
--cc=zzjas98@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).