• Eric Dumazet's avatar
    net: hsr: fix possible NULL deref in hsr_handle_frame() · 2b5b8251
    Eric Dumazet authored
    hsr_port_get_rcu() can return NULL, so we need to be careful.
    
    general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] PREEMPT SMP KASAN
    KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037]
    CPU: 1 PID: 10249 Comm: syz-executor.5 Not tainted 5.5.0-syzkaller #0
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
    RIP: 0010:__read_once_size include/linux/compiler.h:199 [inline]
    RIP: 0010:hsr_addr_is_self+0x86/0x330 net/hsr/hsr_framereg.c:44
    Code: 04 00 f3 f3 f3 65 48 8b 04 25 28 00 00 00 48 89 45 d0 31 c0 e8 6b ff 94 f9 4c 89 f2 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f 85 75 02 00 00 48 8b 43 30 49 39 c6 49 89 47 c0 0f
    RSP: 0018:ffffc90000da8a90 EFLAGS: 00010206
    RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff87e0cc33
    RDX: 0000000000000006 RSI: ffffffff87e035d5 RDI: 0000000000000000
    RBP: ffffc90000da8b20 R08: ffff88808e7de040 R09: ffffed1015d2707c
    R10: ffffed1015d2707b R11: ffff8880ae9383db R12: ffff8880a689bc5e
    R13: 1ffff920001b5153 R14: 0000000000000030 R15: ffffc90000da8af8
    FS:  00007fd7a42be700(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 0000001b32338000 CR3: 00000000a928c000 CR4: 00000000001406e0
    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
    Call Trace:
     <IRQ>
     hsr_handle_frame+0x1c5/0x630 net/hsr/hsr_slave.c:31
     __netif_receive_skb_core+0xfbc/0x30b0 net/core/dev.c:5099
     __netif_receive_skb_one_core+0xa8/0x1a0 net/core/dev.c:5196
     __netif_receive_skb+0x2c/0x1d0 net/core/dev.c:5312
     process_backlog+0x206/0x750 net/core/dev.c:6144
     napi_poll net/core/dev.c:6582 [inline]
     net_rx_action+0x508/0x1120 net/core/dev.c:6650
     __do_softirq+0x262/0x98c kernel/softirq.c:292
     do_softirq_own_stack+0x2a/0x40 arch/x86/entry/entry_64.S:1082
     </IRQ>
    
    Fixes: c5a75911 ("net/hsr: Use list_head (and rcu) instead of array for slave devices.")
    Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
    Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    2b5b8251
hsr_slave.c 4.21 KB