iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
linux/net
History
Eric Dumazet 7950ef0969 net: hsr: fix possible NULL deref in hsr_handle_frame() 
[ Upstream commit 2b5b8251bc9fe2f9118411f037862ee17cf81e97 ]

hsr_port_get_rcu() can return NULL, so we need to be careful.

general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037]
CPU: 1 PID: 10249 Comm: syz-executor.5 Not tainted 5.5.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__read_once_size include/linux/compiler.h:199 [inline]
RIP: 0010:hsr_addr_is_self+0x86/0x330 net/hsr/hsr_framereg.c:44
Code: 04 00 f3 f3 f3 65 48 8b 04 25 28 00 00 00 48 89 45 d0 31 c0 e8 6b ff 94 f9 4c 89 f2 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f 85 75 02 00 00 48 8b 43 30 49 39 c6 49 89 47 c0 0f
RSP: 0018:ffffc90000da8a90 EFLAGS: 00010206
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff87e0cc33
RDX: 0000000000000006 RSI: ffffffff87e035d5 RDI: 0000000000000000
RBP: ffffc90000da8b20 R08: ffff88808e7de040 R09: ffffed1015d2707c
R10: ffffed1015d2707b R11: ffff8880ae9383db R12: ffff8880a689bc5e
R13: 1ffff920001b5153 R14: 0000000000000030 R15: ffffc90000da8af8
FS:  00007fd7a42be700(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b32338000 CR3: 00000000a928c000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <IRQ>
 hsr_handle_frame+0x1c5/0x630 net/hsr/hsr_slave.c:31
 __netif_receive_skb_core+0xfbc/0x30b0 net/core/dev.c:5099
 __netif_receive_skb_one_core+0xa8/0x1a0 net/core/dev.c:5196
 __netif_receive_skb+0x2c/0x1d0 net/core/dev.c:5312
 process_backlog+0x206/0x750 net/core/dev.c:6144
 napi_poll net/core/dev.c:6582 [inline]
 net_rx_action+0x508/0x1120 net/core/dev.c:6650
 __do_softirq+0x262/0x98c kernel/softirq.c:292
 do_softirq_own_stack+0x2a/0x40 arch/x86/entry/entry_64.S:1082
 </IRQ>

Fixes: c5a759117210 ("net/hsr: Use list_head (and rcu) instead of array for slave devices.")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-02-14 16:32:06 -05:00
..
6lowpan
6lowpan: Off by one handling ->nexthdr
2020-01-27 14:46:30 +01:00
9p
9p/virtio: Add cleanup path in p9_virtio_init
2019-07-31 07:28:39 +02:00
802
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
8021q
vlan: fix memory leak in vlan_dev_set_egress_priority
2020-01-12 12:12:09 +01:00
appletalk
appletalk: Set error code if register_snap_client failed
2019-12-17 20:38:59 +01:00
atm
net: use skb_queue_empty_lockless() in poll() handlers
2019-11-10 11:25:34 +01:00
ax25
ax25: enforce CAP_NET_RAW for raw sockets
2019-10-05 12:47:43 +02:00
batman-adv
batman-adv: Fix DAT candidate selection on little endian systems
2020-01-23 08:20:34 +01:00
bluetooth
Bluetooth: Fix race condition in hci_release_sock()
2020-02-05 14:18:16 +00:00
bpf
bridge
netfilter: ebtables: CONFIG_COMPAT: reject trailing data after last rule
2020-01-27 14:46:34 +01:00
caif
net: use skb_queue_empty_lockless() in poll() handlers
2019-11-10 11:25:34 +01:00
can
can: af_can: Fix error path of can_init()
2019-07-21 09:04:22 +02:00
ceph
libceph: fix PG split vs OSD (re)connect race
2019-08-29 08:26:42 +02:00
core
net: Fix skb->csum update in inet_proto_csum_replace16().
2020-02-05 14:18:28 +00:00
dcb
net: dcb: For wild-card lookups, use priority -1, not 0
2018-09-19 22:43:43 +02:00
dccp
dccp: Fix memleak in __feat_register_sp
2020-01-17 19:45:43 +01:00
decnet
net: add bool confirm_neigh parameter for dst_ops.update_pmtu
2020-01-04 14:00:14 +01:00
dns_resolver
KEYS: DNS: fix parsing multiple options
2018-07-22 14:28:49 +02:00
dsa
net: dsa: tag_qca: fix doubled Tx statistics
2020-01-23 08:20:34 +01:00
ethernet
net: add annotations on hh->hh_len lockless accesses
2020-01-09 10:17:59 +01:00
hsr
net: hsr: fix possible NULL deref in hsr_handle_frame()
2020-02-14 16:32:06 -05:00
ieee802154
inet: frags: call inet_frags_fini() after unregister_pernet_subsys()
2020-01-27 14:46:36 +01:00
ife
net: sched: ife: check on metadata length
2018-04-29 11:33:13 +02:00
ipv4
vti[6]: fix packet tx through bpf_redirect()
2020-02-05 14:18:23 +00:00
ipv6
vti[6]: fix packet tx through bpf_redirect()
2020-02-05 14:18:23 +00:00
ipx
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
iucv
net/af_iucv: always register net_device notifier
2020-01-27 14:46:38 +01:00
kcm
kcm: switch order of device registration to fix a crash
2019-04-17 08:37:45 +02:00
key
xfrm: clean up xfrm protocol checks
2019-09-16 08:20:44 +02:00
l2tp
l2tp: Allow duplicate session creation with UDP
2020-02-14 16:32:06 -05:00
l3mdev
lapb
lapb: fixed leak of control-blocks.
2019-06-22 08:16:14 +02:00
llc
llc: fix sk_buff refcounting in llc_conn_state_process()
2020-01-27 14:46:49 +01:00
mac80211
mac80211: Fix TKIP replay protection immediately after key setup
2020-02-05 14:18:21 +00:00
mac802154
net: mac802154: tx: expand tailroom if necessary
2018-09-09 19:55:52 +02:00
mpls
mpls: fix warning with multi-label encap
2020-01-27 14:46:37 +01:00
ncsi
net/ncsi: Fix length of GVI response packet
2017-10-21 01:56:38 +01:00
netfilter
netfilter: ipset: use bitmap infrastructure completely
2020-01-29 15:02:39 +01:00
netlabel
netlabel: fix out-of-bounds memory accesses
2019-03-13 14:03:08 -07:00
netlink
genetlink: Fix a memory leak on error path
2019-04-03 06:25:08 +02:00
netrom
netrom: hold sock when setting skb->destructor
2019-07-31 07:28:46 +02:00
nfc
net: nfc: nci: fix a possible sleep-in-atomic-context bug in nci_uart_tty_receive()
2019-12-31 12:36:41 +01:00
nsh
nsh: set mac len based on inner packet
2018-07-22 14:28:49 +02:00
openvswitch
openvswitch: support asymmetric conntrack
2019-12-21 10:47:34 +01:00
packet
packet: fix data-race in fanout_flow_is_huge()
2020-01-27 14:46:51 +01:00
phonet
net: use skb_queue_empty_lockless() in poll() handlers
2019-11-10 11:25:34 +01:00
psample
net: psample: fix skb_over_panic
2019-12-05 15:38:15 +01:00
qrtr
net: qrtr: Stop rx_worker before freeing node
2019-10-05 12:47:40 +02:00
rds
net/rds: Fix 'ib_evt_handler_call' element in 'rds_ib_stat_names'
2020-01-27 14:46:47 +01:00
rfkill
rfkill: Fix incorrect check to avoid NULL pointer dereference
2020-01-12 12:11:57 +01:00
rose
net/rose: fix unbound loop in rose_loopback_timer()
2019-05-02 09:40:34 +02:00
rxrpc
rxrpc: Fix uninitialized error code in rxrpc_send_data_packet()
2020-01-27 14:46:39 +01:00
sched
cls_rsvp: fix rsvp_policy
2020-02-14 16:32:06 -05:00
sctp
sctp: free cmd->obj.chunk for the unprocessed SCTP_CMD_REPLY
2020-01-12 12:12:07 +01:00
smc
net/smc: use after free fix in smc_wr_tx_put_slot()
2019-12-17 20:38:01 +01:00
strparser
strparser: Remove early eaten to fix full tcp receive buffer stall
2018-07-22 14:28:47 +02:00
sunrpc
xprtrdma: Fix completion wait during device removal
2020-01-17 19:45:47 +01:00
switchdev
net: switchdev: Remove bridge bypass support from switchdev
2017-08-07 14:48:48 -07:00
tipc
tipc: reduce risk of wakeup queue starvation
2020-01-27 14:46:41 +01:00
tls
net/tls: Fixed return value when tls_complete_pending_work() fails
2018-12-05 19:41:11 +01:00
unix
af_unix: add compat_ioctl support
2020-01-17 19:45:49 +01:00
vmw_vsock
VSOCK: bind to random port for VMADDR_PORT_ANY
2019-12-05 15:37:24 +01:00
wimax
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
wireless
wireless: wext: avoid gcc -O3 warning
2020-02-05 14:18:22 +00:00
x25
net/x25: fix nonblocking connect
2020-01-29 15:02:39 +01:00
xfrm
xfrm: release device reference for invalid state
2019-12-17 20:37:28 +01:00
compat.c
sock: Make sock->sk_stamp thread-safe
2019-01-09 17:14:46 +01:00
Kconfig
net: Remove CONFIG_NETFILTER_DEBUG and _ASSERT() macros.
2017-09-04 13:25:20 +02:00
Makefile
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
socket.c
compat_ioctl: handle SIOCOUTQNSD
2020-01-17 19:45:49 +01:00
sysctl_net.c