iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
linux/net
History
Eric Dumazet 919f13c564 net: hsr: fix possible NULL deref in hsr_handle_frame() 
[ Upstream commit 2b5b8251bc9fe2f9118411f037862ee17cf81e97 ]

hsr_port_get_rcu() can return NULL, so we need to be careful.

general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037]
CPU: 1 PID: 10249 Comm: syz-executor.5 Not tainted 5.5.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__read_once_size include/linux/compiler.h:199 [inline]
RIP: 0010:hsr_addr_is_self+0x86/0x330 net/hsr/hsr_framereg.c:44
Code: 04 00 f3 f3 f3 65 48 8b 04 25 28 00 00 00 48 89 45 d0 31 c0 e8 6b ff 94 f9 4c 89 f2 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f 85 75 02 00 00 48 8b 43 30 49 39 c6 49 89 47 c0 0f
RSP: 0018:ffffc90000da8a90 EFLAGS: 00010206
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff87e0cc33
RDX: 0000000000000006 RSI: ffffffff87e035d5 RDI: 0000000000000000
RBP: ffffc90000da8b20 R08: ffff88808e7de040 R09: ffffed1015d2707c
R10: ffffed1015d2707b R11: ffff8880ae9383db R12: ffff8880a689bc5e
R13: 1ffff920001b5153 R14: 0000000000000030 R15: ffffc90000da8af8
FS:  00007fd7a42be700(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b32338000 CR3: 00000000a928c000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <IRQ>
 hsr_handle_frame+0x1c5/0x630 net/hsr/hsr_slave.c:31
 __netif_receive_skb_core+0xfbc/0x30b0 net/core/dev.c:5099
 __netif_receive_skb_one_core+0xa8/0x1a0 net/core/dev.c:5196
 __netif_receive_skb+0x2c/0x1d0 net/core/dev.c:5312
 process_backlog+0x206/0x750 net/core/dev.c:6144
 napi_poll net/core/dev.c:6582 [inline]
 net_rx_action+0x508/0x1120 net/core/dev.c:6650
 __do_softirq+0x262/0x98c kernel/softirq.c:292
 do_softirq_own_stack+0x2a/0x40 arch/x86/entry/entry_64.S:1082
 </IRQ>

Fixes: c5a759117210 ("net/hsr: Use list_head (and rcu) instead of array for slave devices.")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-02-11 04:35:04 -08:00
..
6lowpan
6lowpan: no need to check return value of debugfs_create functions
2019-07-06 12:50:01 +02:00
9p
9p pull request for inclusion in 5.4
2019-09-27 15:10:34 -07:00
802
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500
2019-06-19 17:09:55 +02:00
8021q
vlan: vlan_changelink() should propagate errors
2020-01-12 12:21:50 +01:00
appletalk
appletalk: enforce CAP_NET_RAW for raw sockets
2019-09-24 16:37:18 +02:00
atm
net: atm: Reduce the severity of logging in unlink_clip_vcc
2019-11-18 17:08:20 -08:00
ax25
ax25: enforce CAP_NET_RAW for raw sockets
2019-09-24 16:37:18 +02:00
batman-adv
batman-adv: Fix DAT candidate selection on little endian systems
2020-01-23 08:22:49 +01:00
bluetooth
Bluetooth: Fix race condition in hci_release_sock()
2020-02-05 21:22:42 +00:00
bpf
bpf/flow_dissector: support flags in BPF_PROG_TEST_RUN
2019-07-25 18:00:41 -07:00
bpfilter
Kbuild updates for v5.3
2019-07-12 16:03:16 -07:00
bridge
net: add bool confirm_neigh parameter for dst_ops.update_pmtu
2020-01-04 19:18:58 +01:00
caif
net: use skb_queue_empty_lockless() in poll() handlers
2019-10-28 13:33:41 -07:00
can
can: j1939: j1939_sk_bind(): take priv after lock is held
2019-12-31 16:45:56 +01:00
ceph
libceph: use ceph_kvmalloc() for osdmap arrays
2019-09-16 12:06:25 +02:00
core
flow_dissector: Fix to use new variables for port ranges in bpf hook
2020-02-05 21:22:52 +00:00
dcb
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 201
2019-05-30 11:29:52 -07:00
dccp
net: ipv6: add net argument to ip6_dst_lookup_flow
2019-12-18 16:08:40 +01:00
decnet
net: add bool confirm_neigh parameter for dst_ops.update_pmtu
2020-01-04 19:18:58 +01:00
dns_resolver
Revert "Merge tag 'keys-acl-20190703' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs"
2019-07-10 18:43:43 -07:00
dsa
net: dsa: tag_gswip: fix typo in tagger name
2020-01-23 08:22:52 +01:00
ethernet
net: add annotations on hh->hh_len lockless accesses
2020-01-09 10:20:06 +01:00
hsr
net: hsr: fix possible NULL deref in hsr_handle_frame()
2020-02-11 04:35:04 -08:00
ieee802154
net: core: add generic lockdep keys
2019-10-24 14:53:48 -07:00
ife
net: Fix Kconfig indentation
2019-09-26 08:56:17 +02:00
ipv4
vti[6]: fix packet tx through bpf_redirect()
2020-02-05 21:22:48 +00:00
ipv6
vti[6]: fix packet tx through bpf_redirect()
2020-02-05 21:22:48 +00:00
iucv
net/af_iucv: mark expected switch fall-throughs
2019-07-29 10:26:14 -07:00
kcm
kcm: disable preemption in kcm_parse_func_strparser()
2019-09-27 10:27:14 +02:00
key
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
2019-07-08 19:48:57 -07:00
l2tp
l2tp: Allow duplicate session creation with UDP
2020-02-11 04:35:04 -08:00
l3mdev
ipv6: convert major tx path to use RT6_LOOKUP_F_DST_NOREF
2019-06-23 13:24:17 -07:00
lapb
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
2019-06-17 20:20:36 -07:00
llc
llc2: Fix return statement of llc_stat_ev_rx_null_dsap_xid_c (and _test_c)
2020-01-12 12:21:45 +01:00
mac80211
mac80211: Fix TKIP replay protection immediately after key setup
2020-02-05 21:22:46 +00:00
mac802154
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 174
2019-05-30 11:26:41 -07:00
mpls
net: ipv6_stub: use ip6_dst_lookup_flow instead of ip6_dst_lookup
2019-12-18 16:08:42 +01:00
ncsi
net/ncsi: Disable global multicast filter
2019-09-19 18:04:40 -07:00
netfilter
netfilter: nf_tables_offload: fix check the chain offload flag
2020-02-05 21:22:52 +00:00
netlabel
netlabel: remove redundant assignment to pointer iter
2019-09-01 11:45:02 -07:00
netlink
net: remove empty netlink_tap_exit_net
2019-06-14 19:50:33 -07:00
netrom
net: core: add generic lockdep keys
2019-10-24 14:53:48 -07:00
nfc
net: nfc: nci: fix a possible sleep-in-atomic-context bug in nci_uart_tty_receive()
2019-12-31 16:41:23 +01:00
nsh
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500
2019-06-19 17:09:55 +02:00
openvswitch
net: openvswitch: don't unlock mutex when changing the user_features fails
2020-01-26 10:01:05 +01:00
packet
packet: fix data-race in fanout_flow_is_huge()
2020-01-26 10:01:06 +01:00
phonet
net: use skb_queue_empty_lockless() in poll() handlers
2019-10-28 13:33:41 -07:00
psample
net: psample: fix skb_over_panic
2019-12-04 22:30:54 +01:00
qrtr
net: qrtr: Stop rx_worker before freeing node
2019-09-21 18:45:46 -07:00
rds
rds: ib: update WR sizes when bringing up connection
2019-11-16 12:59:08 -08:00
rfkill
rfkill: Fix incorrect check to avoid NULL pointer dereference
2020-01-12 12:21:33 +01:00
rose
net: core: add generic lockdep keys
2019-10-24 14:53:48 -07:00
rxrpc
rxrpc: Fix use-after-free in rxrpc_receive_data()
2020-02-01 09:34:40 +00:00
sched
cls_rsvp: fix rsvp_policy
2020-02-11 04:35:03 -08:00
sctp
sctp: free cmd->obj.chunk for the unprocessed SCTP_CMD_REPLY
2020-01-12 12:21:48 +01:00
smc
net/smc: add fallback check to connect()
2020-01-04 19:18:37 +01:00
strparser
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
2019-06-22 08:59:24 -04:00
sunrpc
SUNRPC: Fix another issue with MIC buffer space
2020-01-26 10:01:07 +01:00
switchdev
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152
2019-05-30 11:26:32 -07:00
tipc
tipc: fix wrong timeout input for tipc_wait_for_cond()
2020-01-26 10:01:00 +01:00
tls
net/tls: fix async operation
2020-01-29 16:45:28 +01:00
unix
af_unix: add compat_ioctl support
2020-01-17 19:48:52 +01:00
vmw_vsock
vsock/virtio: fix sock refcnt holding during the shutdown
2019-11-08 12:17:50 -08:00
wimax
wimax: no need to check return value of debugfs_create functions
2019-08-10 15:25:47 -07:00
wireless
wireless: wext: avoid gcc -O3 warning
2020-02-05 21:22:47 +00:00
x25
net/x25: fix nonblocking connect
2020-01-29 16:45:33 +01:00
xdp
xsk: Add rcu_read_lock around the XSK wakeup
2020-01-12 12:21:41 +01:00
xfrm
xfrm: interface: do not confirm neighbor when do pmtu update
2020-02-05 21:22:48 +00:00
compat.c
uio: make import_iovec()/compat_import_iovec() return bytes on success
2019-05-31 15:30:03 -06:00
Kconfig
devlink: Add packet trap infrastructure
2019-08-17 12:40:08 -07:00
Makefile
socket.c
compat_ioctl: handle SIOCOUTQNSD
2020-01-17 19:48:52 +01:00
sysctl_net.c
treewide: Add SPDX license identifier for missed files
2019-05-21 10:50:45 +02:00