linux-next

mirror of https://github.com/edk2-porting/linux-next.git synced 2024-12-22 12:14:01 +08:00

History

Taehee Yoo 3a303cfdd2 hsr: fix general protection fault in hsr_addr_is_self() The port->hsr is used in the hsr_handle_frame(), which is a callback of rx_handler. hsr master and slaves are initialized in hsr_add_port(). This function initializes several pointers, which includes port->hsr after registering rx_handler. So, in the rx_handler routine, un-initialized pointer would be used. In order to fix this, pointers should be initialized before registering rx_handler. Test commands: ip netns del left ip netns del right modprobe -rv veth modprobe -rv hsr killall ping modprobe hsr ip netns add left ip netns add right ip link add veth0 type veth peer name veth1 ip link add veth2 type veth peer name veth3 ip link add veth4 type veth peer name veth5 ip link set veth1 netns left ip link set veth3 netns right ip link set veth4 netns left ip link set veth5 netns right ip link set veth0 up ip link set veth2 up ip link set veth0 address fc:00:00:00:00:01 ip link set veth2 address fc:00:00:00:00:02 ip netns exec left ip link set veth1 up ip netns exec left ip link set veth4 up ip netns exec right ip link set veth3 up ip netns exec right ip link set veth5 up ip link add hsr0 type hsr slave1 veth0 slave2 veth2 ip a a 192.168.100.1/24 dev hsr0 ip link set hsr0 up ip netns exec left ip link add hsr1 type hsr slave1 veth1 slave2 veth4 ip netns exec left ip a a 192.168.100.2/24 dev hsr1 ip netns exec left ip link set hsr1 up ip netns exec left ip n a 192.168.100.1 dev hsr1 lladdr \ fc:00:00:00:00:01 nud permanent ip netns exec left ip n r 192.168.100.1 dev hsr1 lladdr \ fc:00:00:00:00:01 nud permanent for i in {1..100} do ip netns exec left ping 192.168.100.1 & done ip netns exec left hping3 192.168.100.1 -2 --flood & ip netns exec right ip link add hsr2 type hsr slave1 veth3 slave2 veth5 ip netns exec right ip a a 192.168.100.3/24 dev hsr2 ip netns exec right ip link set hsr2 up ip netns exec right ip n a 192.168.100.1 dev hsr2 lladdr \ fc:00:00:00:00:02 nud permanent ip netns exec right ip n r 192.168.100.1 dev hsr2 lladdr \ fc:00:00:00:00:02 nud permanent for i in {1..100} do ip netns exec right ping 192.168.100.1 & done ip netns exec right hping3 192.168.100.1 -2 --flood & while : do ip link add hsr0 type hsr slave1 veth0 slave2 veth2 ip a a 192.168.100.1/24 dev hsr0 ip link set hsr0 up ip link del hsr0 done Splat looks like: [ 120.954938][ C0] general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1]I [ 120.957761][ C0] KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037] [ 120.959064][ C0] CPU: 0 PID: 1511 Comm: hping3 Not tainted 5.6.0-rc5+ #460 [ 120.960054][ C0] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006 [ 120.962261][ C0] RIP: 0010:hsr_addr_is_self+0x65/0x2a0 [hsr] [ 120.963149][ C0] Code: 44 24 18 70 73 2f c0 48 c1 eb 03 48 8d 04 13 c7 00 f1 f1 f1 f1 c7 40 04 00 f2 f2 f2 4 [ 120.966277][ C0] RSP: 0018:ffff8880d9c09af0 EFLAGS: 00010206 [ 120.967293][ C0] RAX: 0000000000000006 RBX: 1ffff1101b38135f RCX: 0000000000000000 [ 120.968516][ C0] RDX: dffffc0000000000 RSI: ffff8880d17cb208 RDI: 0000000000000000 [ 120.969718][ C0] RBP: 0000000000000030 R08: ffffed101b3c0e3c R09: 0000000000000001 [ 120.972203][ C0] R10: 0000000000000001 R11: ffffed101b3c0e3b R12: 0000000000000000 [ 120.973379][ C0] R13: ffff8880aaf80100 R14: ffff8880aaf800f2 R15: ffff8880aaf80040 [ 120.974410][ C0] FS: 00007f58e693f740(0000) GS:ffff8880d9c00000(0000) knlGS:0000000000000000 [ 120.979794][ C0] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 120.980773][ C0] CR2: 00007ffcb8b38f29 CR3: 00000000afe8e001 CR4: 00000000000606f0 [ 120.981945][ C0] Call Trace: [ 120.982411][ C0] <IRQ> [ 120.982848][ C0] ? hsr_add_node+0x8c0/0x8c0 [hsr] [ 120.983522][ C0] ? rcu_read_lock_held+0x90/0xa0 [ 120.984159][ C0] ? rcu_read_lock_sched_held+0xc0/0xc0 [ 120.984944][ C0] hsr_handle_frame+0x1db/0x4e0 [hsr] [ 120.985597][ C0] ? hsr_nl_nodedown+0x2b0/0x2b0 [hsr] [ 120.986289][ C0] __netif_receive_skb_core+0x6bf/0x3170 [ 120.992513][ C0] ? check_chain_key+0x236/0x5d0 [ 120.993223][ C0] ? do_xdp_generic+0x1460/0x1460 [ 120.993875][ C0] ? register_lock_class+0x14d0/0x14d0 [ 120.994609][ C0] ? __netif_receive_skb_one_core+0x8d/0x160 [ 120.995377][ C0] __netif_receive_skb_one_core+0x8d/0x160 [ 120.996204][ C0] ? __netif_receive_skb_core+0x3170/0x3170 [ ... ] Reported-by: syzbot+fcf5dd39282ceb27108d@syzkaller.appspotmail.com Fixes: `c5a7591172` ("net/hsr: Use list_head (and rcu) instead of array for slave devices.") Signed-off-by: Taehee Yoo <ap420073@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>		2020-03-21 19:49:34 -07:00
..
6lowpan
9p
802	treewide: Use sizeof_field() macro	2019-12-09 10:36:44 -08:00
8021q	Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net	2020-01-09 12:13:43 -08:00
appletalk
atm	proc: convert everything to "struct proc_ops"	2020-02-04 03:05:26 +00:00
ax25	net: Make sock protocol value checks more specific	2020-01-09 18:41:40 -08:00
batman-adv	batman-adv: Don't schedule OGM for disabled interface	2020-02-18 09:07:55 +01:00
bluetooth	Bluetooth: Fix race condition in hci_release_sock()	2020-01-26 10:34:17 +02:00
bpf	bpf: Allow to change skb mark in test_run	2019-12-18 17:05:58 -08:00
bpfilter	net/bpfilter: fix dprintf usage for /dev/kmsg	2020-03-14 20:58:10 -07:00
bridge	net: bridge: fix stale eth hdr pointer in br_dev_xmit	2020-02-24 11:11:19 -08:00
caif	net: caif: Add lockdep expression to RCU traversal primitive	2020-03-11 22:55:25 -07:00
can	can: j1939: j1939_sk_bind(): take priv after lock is held	2019-12-08 11:52:02 +01:00
ceph	Merge branch 'merge.nfs-fs_parse.1' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs	2020-02-08 13:26:41 -08:00
core	net: core: dev.c: fix a documentation warning	2020-03-17 23:39:29 -07:00
dcb
dccp	treewide: Use sizeof_field() macro	2019-12-09 10:36:44 -08:00
decnet	net: Make sock protocol value checks more specific	2020-01-09 18:41:40 -08:00
dns_resolver
dsa	net: dsa: Don't instantiate phylink for CPU/DSA ports unless needed	2020-03-11 23:46:11 -07:00
ethernet	net: remove eth_change_mtu	2020-01-27 11:09:31 +01:00
ethtool	ethtool: reject unrecognized request flags	2020-03-16 02:04:24 -07:00
hsr	hsr: fix general protection fault in hsr_addr_is_self()	2020-03-21 19:49:34 -07:00
ieee802154	nl802154: add missing attribute validation for dev_type	2020-03-03 13:28:48 -08:00
ife
ipv4	tcp: also NULL skb->dev when copy was needed	2020-03-20 19:36:38 -07:00
ipv6	seg6: fix SRv6 L2 tunnels to use IANA-assigned protocol number	2020-03-11 23:49:30 -07:00
iucv	treewide: Use sizeof_field() macro	2019-12-09 10:36:44 -08:00
kcm
key
l2tp	l2tp: Allow duplicate session creation with UDP	2020-02-04 12:35:49 +01:00
l3mdev
lapb
llc	llc2: Fix return statement of llc_stat_ev_rx_null_dsap_xid_c (and _test_c)	2019-12-20 21:19:36 -08:00
mac80211	mac80211: Do not send mesh HWMP PREQ if HWMP is disabled	2020-03-11 09:04:14 +01:00
mac802154
mpls	net: ipv6_stub: use ip6_dst_lookup_flow instead of ip6_dst_lookup	2019-12-04 12:27:13 -08:00
mptcp	mptcp: always include dack if possible.	2020-03-05 21:34:42 -08:00
ncsi	net/ncsi: Support for multi host mellanox card	2020-01-09 18:36:22 -08:00
netfilter	netfilter: flowtable: populate addr_type mask	2020-03-19 21:20:04 +01:00
netlabel	netlabel_domainhash.c: Use built-in RCU list checking	2020-02-18 12:44:23 -08:00
netlink	netlink: allow extack cookie also for error messages	2020-03-16 02:04:24 -07:00
netrom	net: core: add generic lockdep keys	2019-10-24 14:53:48 -07:00
nfc	net: nfc: fix bounds checking bugs on "pipe"	2020-03-05 21:32:42 -08:00
nsh
openvswitch	openvswitch: add missing attribute validation for hash	2020-03-03 13:28:48 -08:00
packet	net/packet: tpacket_rcv: avoid a producer race condition	2020-03-15 00:25:25 -07:00
phonet	net: Remove redundant BUG_ON() check in phonet_pernet	2020-01-03 12:25:50 -08:00
psample	net: psample: fix skb_over_panic	2019-11-26 14:40:13 -08:00
qrtr	net: qrtr: Remove receive worker	2020-01-14 18:36:42 -08:00
rds	net/rds: Track user mapped pages through special API	2020-02-16 18:37:09 -08:00
rfkill	rfkill: Fix incorrect check to avoid NULL pointer dereference	2019-12-16 10:15:49 +01:00
rose	Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net	2020-01-26 10:40:21 +01:00
rxrpc	afs: Fix client call Rx-phase signal handling	2020-03-13 23:04:35 +00:00
sched	net/sched: act_ct: Fix leak of ct zone template on replace	2020-03-18 16:37:06 -07:00
sctp	inet_diag: return classid for all socket types	2020-03-08 21:57:48 -07:00
smc	net/smc: cancel event worker during device removal	2020-03-10 15:40:33 -07:00
strparser
sunrpc	xprtrdma: Fix DMA scatter-gather list mapping imbalance	2020-02-13 15:35:33 -05:00
switchdev
tipc	tipc: add missing attribute validation for MTU property	2020-03-03 13:28:49 -08:00
tls	net/tls: Fix to avoid gettig invalid tls record	2020-02-19 16:32:06 -08:00
unix	unix: It's CONFIG_PROC_FS not CONFIG_PROCFS	2020-02-27 11:52:35 -08:00
vmw_vsock	vsock: fix potential deadlock in transport->release()	2020-02-27 12:03:56 -08:00
wimax
wireless	nl80211: add missing attribute validation for channel switch	2020-03-11 08:58:39 +01:00
x25	net/x25: fix nonblocking connect	2020-01-09 18:39:33 -08:00
xdp	xsk: Publish global consumer pointers when NAPI is finished	2020-02-11 15:51:11 +01:00
xfrm	xfrm: interface: use icmp_ndo_send helper	2020-02-13 14:19:00 -08:00
compat.c	y2038: socket: use __kernel_old_timespec instead of timespec	2019-11-15 14:38:29 +01:00
Kconfig	net: disable BRIDGE_NETFILTER by default	2020-02-20 15:02:02 -08:00
Makefile	mptcp: Add MPTCP socket stubs	2020-01-24 13:44:07 +01:00
socket.c	socket: fix unused-function warning	2020-01-08 15:02:21 -08:00
sysctl_net.c