From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
syzbot+5035b1f9dc7ea4558d5a@syzkaller.appspotmail.com,
Taehee Yoo <ap420073@gmail.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 4.9 22/80] macvlan: fix null dereference in macvlan_device_event()
Date: Fri, 1 May 2020 15:21:16 +0200
Message-ID: <20200501131521.533881155@linuxfoundation.org>
In-Reply-To: <20200501131513.810761598@linuxfoundation.org>

From: Taehee Yoo <ap420073@gmail.com>

[ Upstream commit 4dee15b4fd0d61ec6bbd179238191e959d34cf7a ]

In the macvlan_device_event(), the list_first_entry_or_null() is used.
This function could return a null pointer if there is no node.
But the macvlan module doesn't check the null pointer.
So, a null-ptr-deref would occur.

           bond0
             |
        +----+-----+
        |          |
    macvlan0    macvlan1
        |          |
     dummy0     dummy1

The problem scenario.
If dummy1 is removed,
1. ->dellink() of dummy1 is called.
2. NETDEV_UNREGISTER of dummy1 notification is sent to macvlan module.
3. ->dellink() of macvlan1 is called.
4. NETDEV_UNREGISTER of macvlan1 notification is sent to bond module.
5. __bond_release_one() is called and it internally calls
   dev_set_mac_address().
6. dev_set_mac_address() calls the ->ndo_set_mac_address() of macvlan1,
   which is macvlan_set_mac_address().
7. macvlan_set_mac_address() calls the dev_set_mac_address() with dummy1.
8. NETDEV_CHANGEADDR of dummy1 is sent to macvlan module.
9. In the macvlan_device_event(), it calls list_first_entry_or_null().
   At this point, dummy1 and macvlan1 were removed.
   So, list_first_entry_or_null() will return NULL.
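
Added example by the editor, not part of the patch or of the kernel tree: a userspace model of the NETDEV_CHANGEADDR branch of macvlan_device_event() that replays steps 3 and 8 above. The list helpers copy the semantics of <linux/list.h>; net_device, macvlan_port, macvlan_dev and macvlan_sync_address() are simplified stand-ins (assumptions for the model, not the kernel's definitions). It shows that list_first_entry_or_null() yields NULL once the last macvlan has been unlinked from its port, and that the "vlan &&" guard from the hunk is what keeps the handler from dereferencing it.

```c
/* Editor's added example, not kernel code. List helpers mirror <linux/list.h>;
 * net_device, macvlan_port and macvlan_dev are simplified stand-ins and
 * macvlan_sync_address() is reduced to a MAC copy. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct list_head { struct list_head *next, *prev; };

static void INIT_LIST_HEAD(struct list_head *h) { h->next = h->prev = h; }
static int list_empty(const struct list_head *h) { return h->next == h; }

static void list_add_tail(struct list_head *n, struct list_head *head)
{
	n->next = head;
	n->prev = head->prev;
	head->prev->next = n;
	head->prev = n;
}

static void list_del(struct list_head *e)
{
	e->prev->next = e->next;
	e->next->prev = e->prev;
}

#define container_of(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))
#define list_first_entry(head, type, member) \
	container_of((head)->next, type, member)
/* Same contract as the kernel macro: NULL when the list has no node. */
#define list_first_entry_or_null(head, type, member) \
	(!list_empty(head) ? list_first_entry(head, type, member) : (type *)NULL)

#define NOTIFY_DONE 0x0000	/* values as in <linux/notifier.h> */
#define NOTIFY_BAD  0x8002
#define ETH_ALEN 6

struct net_device { char name[16]; unsigned char dev_addr[ETH_ALEN]; };
struct macvlan_port { struct list_head vlans; int passthru; };
struct macvlan_dev { struct net_device *dev; struct list_head list; };

/* Stand-in for macvlan_sync_address(): the macvlan adopts the lower MAC. */
static int macvlan_sync_address(struct net_device *dev, const unsigned char *addr)
{
	memcpy(dev->dev_addr, addr, ETH_ALEN);
	return 0;
}

/* The NETDEV_CHANGEADDR branch with the patch applied. Before the fix the
 * call read macvlan_sync_address(vlan->dev, ...) with no guard, so an empty
 * port->vlans meant vlan == NULL and vlan->dev was the GPF in the splat. */
static int changeaddr_fixed(struct macvlan_port *port, struct net_device *lower)
{
	struct macvlan_dev *vlan;
	if (!port->passthru)
		return NOTIFY_DONE;
	vlan = list_first_entry_or_null(&port->vlans, struct macvlan_dev, list);
	if (vlan && macvlan_sync_address(vlan->dev, lower->dev_addr))
		return NOTIFY_BAD;	/* && short-circuits: vlan->dev never read when NULL */
	return NOTIFY_DONE;
}

/* Steps 3 and 8 of the scenario in miniature: macvlan1's ->dellink() has already
 * unlinked it from dummy1's port when the bond's dev_set_mac_address() on dummy1
 * raises NETDEV_CHANGEADDR. Returns the handler's result: NOTIFY_DONE, nothing to sync. */
static int teardown_then_changeaddr(void)
{
	struct net_device dummy1 = { "dummy1", { 0x02, 0, 0, 0, 0, 0x01 } };
	struct net_device mv1 = { "macvlan1", { 0 } };
	struct macvlan_port port = { .passthru = 1 };
	struct macvlan_dev vlan1 = { &mv1, { NULL, NULL } };
	INIT_LIST_HEAD(&port.vlans);
	list_add_tail(&vlan1.list, &port.vlans);	/* ip link add macvlan1 link dummy1 */
	list_del(&vlan1.list);				/* step 3: macvlan1 ->dellink() */
	return changeaddr_fixed(&port, &dummy1);	/* step 8: CHANGEADDR for dummy1 */
}

/* Normal case for contrast: a live passthru macvlan picks up the lower MAC. */
static int live_changeaddr_syncs(void)
{
	struct net_device dummy0 = { "dummy0", { 0x02, 0, 0, 0, 0, 0xaa } };
	struct net_device mv0 = { "macvlan0", { 0 } };
	struct macvlan_port port = { .passthru = 1 };
	struct macvlan_dev vlan0 = { &mv0, { NULL, NULL } };
	INIT_LIST_HEAD(&port.vlans);
	list_add_tail(&vlan0.list, &port.vlans);
	return changeaddr_fixed(&port, &dummy0) == NOTIFY_DONE &&
	       memcmp(mv0.dev_addr, dummy0.dev_addr, ETH_ALEN) == 0;
}

int main(void)
{
	printf("live port: %s\n", live_changeaddr_syncs() ? "MAC synced" : "FAILED");
	printf("torn-down port: rc=0x%04x, no dereference\n", teardown_then_changeaddr());
	return 0;
}
```

Build with cc -Wall and run; the torn-down case returns NOTIFY_DONE because the guard never reaches vlan->dev, while the live case shows the same branch still syncing the address when the list has a node. Dropping the "vlan &&" from changeaddr_fixed() reproduces the NULL dereference on the torn-down path.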

Test commands:
    ip netns add nst
    ip netns exec nst ip link add bond0 type bond
    for i in {0..10}
    do
        ip netns exec nst ip link add dummy$i type dummy
        ip netns exec nst ip link add macvlan$i link dummy$i \
            type macvlan mode passthru
        ip netns exec nst ip link set macvlan$i master bond0
    done
    ip netns del nst

Splat looks like:
[ 40.585687][ T146] general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP DEI
[ 40.587249][ T146] KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
[ 40.588342][ T146] CPU: 1 PID: 146 Comm: kworker/u8:2 Not tainted 5.7.0-rc1+ #532
[ 40.589299][ T146] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
[ 40.590469][ T146] Workqueue: netns cleanup_net
[ 40.591045][ T146] RIP: 0010:macvlan_device_event+0x4e2/0x900 [macvlan]
[ 40.591905][ T146] Code: 00 00 00 00 00 fc ff df 80 3c 06 00 0f 85 45 02 00 00 48 89 da 48 b8 00 00 00 00 00 fc ff d2
[ 40.594126][ T146] RSP: 0018:ffff88806116f4a0 EFLAGS: 00010246
[ 40.594783][ T146] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
[ 40.595653][ T146] RDX: 0000000000000000 RSI: ffff88806547ddd8 RDI: ffff8880540f1360
[ 40.596495][ T146] RBP: ffff88804011a808 R08: fffffbfff4fb8421 R09: fffffbfff4fb8421
[ 40.597377][ T146] R10: ffffffffa7dc2107 R11: 0000000000000000 R12: 0000000000000008
[ 40.598186][ T146] R13: ffff88804011a000 R14: ffff8880540f1000 R15: 1ffff1100c22de9a
[ 40.599012][ T146] FS: 0000000000000000(0000) GS:ffff888067800000(0000) knlGS:0000000000000000
[ 40.600004][ T146] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 40.600665][ T146] CR2: 00005572d3a807b8 CR3: 000000005fcf4003 CR4: 00000000000606e0
[ 40.601485][ T146] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 40.602461][ T146] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 40.603443][ T146] Call Trace:
[ 40.603871][ T146] ? nf_tables_dump_setelem+0xa0/0xa0 [nf_tables]
[ 40.604587][ T146] ? macvlan_uninit+0x100/0x100 [macvlan]
[ 40.605212][ T146] ? __module_text_address+0x13/0x140
[ 40.605842][ T146] notifier_call_chain+0x90/0x160
[ 40.606477][ T146] dev_set_mac_address+0x28e/0x3f0
[ 40.607117][ T146] ? netdev_notify_peers+0xc0/0xc0
[ 40.607762][ T146] ? __module_text_address+0x13/0x140
[ 40.608440][ T146] ? notifier_call_chain+0x90/0x160
[ 40.609097][ T146] ? dev_set_mac_address+0x1f0/0x3f0
[ 40.609758][ T146] dev_set_mac_address+0x1f0/0x3f0
[ 40.610402][ T146] ? __local_bh_enable_ip+0xe9/0x1b0
[ 40.611071][ T146] ? bond_hw_addr_flush+0x77/0x100 [bonding]
[ 40.611823][ T146] ? netdev_notify_peers+0xc0/0xc0
[ 40.612461][ T146] ? bond_hw_addr_flush+0x77/0x100 [bonding]
[ 40.613213][ T146] ? bond_hw_addr_flush+0x77/0x100 [bonding]
[ 40.613963][ T146] ? __local_bh_enable_ip+0xe9/0x1b0
[ 40.614631][ T146] ? bond_time_in_interval.isra.31+0x90/0x90 [bonding]
[ 40.615484][ T146] ? __bond_release_one+0x9f0/0x12c0 [bonding]
[ 40.616230][ T146] __bond_release_one+0x9f0/0x12c0 [bonding]
[ 40.616949][ T146] ? bond_enslave+0x47c0/0x47c0 [bonding]
[ 40.617642][ T146] ? lock_downgrade+0x730/0x730
[ 40.618218][ T146] ? check_flags.part.42+0x450/0x450
[ 40.618850][ T146] ? __mutex_unlock_slowpath+0xd0/0x670
[ 40.619519][ T146] ? trace_hardirqs_on+0x30/0x180
[ 40.620117][ T146] ? wait_for_completion+0x250/0x250
[ 40.620754][ T146] bond_netdev_event+0x822/0x970 [bonding]
[ 40.621460][ T146] ? __module_text_address+0x13/0x140
[ 40.622097][ T146] notifier_call_chain+0x90/0x160
[ 40.622806][ T146] rollback_registered_many+0x660/0xcf0
[ 40.623522][ T146] ? netif_set_real_num_tx_queues+0x780/0x780
[ 40.624290][ T146] ? notifier_call_chain+0x90/0x160
[ 40.624957][ T146] ? netdev_upper_dev_unlink+0x114/0x180
[ 40.625686][ T146] ? __netdev_adjacent_dev_unlink_neighbour+0x30/0x30
[ 40.626421][ T146] ? mutex_is_locked+0x13/0x50
[ 40.627016][ T146] ? unregister_netdevice_queue+0xf2/0x240
[ 40.627663][ T146] unregister_netdevice_many.part.134+0x13/0x1b0
[ 40.628362][ T146] default_device_exit_batch+0x2d9/0x390
[ 40.628987][ T146] ? unregister_netdevice_many+0x40/0x40
[ 40.629615][ T146] ? dev_change_net_namespace+0xcb0/0xcb0
[ 40.630279][ T146] ? prepare_to_wait_exclusive+0x2e0/0x2e0
[ 40.630943][ T146] ? ops_exit_list.isra.9+0x97/0x140
[ 40.631554][ T146] cleanup_net+0x441/0x890
[ ... ]

Fixes: e289fd28176b ("macvlan: fix the problem when mac address changes for passthru mode")
Reported-by: syzbot+5035b1f9dc7ea4558d5a@syzkaller.appspotmail.com
Signed-off-by: Taehee Yoo <ap420073@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/macvlan.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/net/macvlan.c
+++ b/drivers/net/macvlan.c
@@ -1607,7 +1607,7 @@ static int macvlan_device_event(struct n
struct macvlan_dev,
list);
- if (macvlan_sync_address(vlan->dev, dev->dev_addr))
+ if (vlan && macvlan_sync_address(vlan->dev, dev->dev_addr))
return NOTIFY_BAD;
break;
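
Review bot: the "vlan &&" test is the right minimal guard, and since && short-circuits, macvlan_sync_address(vlan->dev, dev->dev_addr) is never reached with vlan NULL; what the hunk lacks is a comment saying why a passthru port's vlans list can be empty here. It is a transient teardown state (the macvlan's ->dellink() has already unlinked it while the lower device's NETDEV_CHANGEADDR, raised from the bond's dev_set_mac_address(), is still in flight), and a later reader who takes it for an impossible case may remove the check. A one-liner above "if (vlan && macvlan_sync_address(vlan->dev, dev->dev_addr))", along the lines of "the last macvlan may already be gone when the lower device's address changes during unregister", would do. Falling through to "break;" and NOTIFY_DONE in that case is correct: there is no macvlan left to sync.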