From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Vladimir Oltean <vladimir.oltean@nxp.com>,
Florian Fainelli <f.fainelli@gmail.com>,
Jakub Kicinski <kuba@kernel.org>
Subject: [PATCH 5.10 33/43] net: dsa: clear devlink port type before unregistering slave netdevs
Date: Fri, 22 Jan 2021 15:12:49 +0100 [thread overview]
Message-ID: <20210122135737.002440864@linuxfoundation.org> (raw)
In-Reply-To: <20210122135735.652681690@linuxfoundation.org>
From: Vladimir Oltean <vladimir.oltean@nxp.com>
[ Upstream commit 91158e1680b164c8d101144ca916a3dca10c3e17 ]
Florian reported a use-after-free bug in devlink_nl_port_fill found with
KASAN:
(devlink_nl_port_fill)
(devlink_port_notify)
(devlink_port_unregister)
(dsa_switch_teardown.part.3)
(dsa_tree_teardown_switches)
(dsa_unregister_switch)
(bcm_sf2_sw_remove)
(platform_remove)
(device_release_driver_internal)
(device_links_unbind_consumers)
(device_release_driver_internal)
(device_driver_detach)
(unbind_store)
Allocated by task 31:
alloc_netdev_mqs+0x5c/0x50c
dsa_slave_create+0x110/0x9c8
dsa_register_switch+0xdb0/0x13a4
b53_switch_register+0x47c/0x6dc
bcm_sf2_sw_probe+0xaa4/0xc98
platform_probe+0x90/0xf4
really_probe+0x184/0x728
driver_probe_device+0xa4/0x278
__device_attach_driver+0xe8/0x148
bus_for_each_drv+0x108/0x158
Freed by task 249:
free_netdev+0x170/0x194
dsa_slave_destroy+0xac/0xb0
dsa_port_teardown.part.2+0xa0/0xb4
dsa_tree_teardown_switches+0x50/0xc4
dsa_unregister_switch+0x124/0x250
bcm_sf2_sw_remove+0x98/0x13c
platform_remove+0x44/0x5c
device_release_driver_internal+0x150/0x254
device_links_unbind_consumers+0xf8/0x12c
device_release_driver_internal+0x84/0x254
device_driver_detach+0x30/0x34
unbind_store+0x90/0x134
What happens is that devlink_port_unregister emits a netlink
DEVLINK_CMD_PORT_DEL message which associates the devlink port that is
getting unregistered with the ifindex of its corresponding net_device.
Only trouble is, the net_device has already been unregistered.
It looks like we can stub out the search for a corresponding net_device
if we clear the devlink_port's type. This looks like a bit of a hack,
but also seems to be the reason why the devlink_port_type_clear function
exists in the first place.
Fixes: 3122433eb533 ("net: dsa: Register devlink ports before calling DSA driver setup()")
Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
Tested-by: Florian fainelli <f.fainelli@gmail.com>
Reported-by: Florian Fainelli <f.fainelli@gmail.com>
Link: https://lore.kernel.org/r/20210112004831.3778323-1-olteanv@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/dsa/dsa2.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/net/dsa/dsa2.c
+++ b/net/dsa/dsa2.c
@@ -353,9 +353,13 @@ static int dsa_port_devlink_setup(struct
static void dsa_port_teardown(struct dsa_port *dp)
{
+ struct devlink_port *dlp = &dp->devlink_port;
+
if (!dp->setup)
return;
+ devlink_port_type_clear(dlp);
+
switch (dp->type) {
case DSA_PORT_TYPE_UNUSED:
break;
next prev parent reply other threads:[~2021-01-22 14:48 UTC|newest]
Thread overview: 55+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-01-22 14:12 [PATCH 5.10 00/43] 5.10.10-rc1 review Greg Kroah-Hartman
2021-01-22 14:12 ` [PATCH 5.10 01/43] Revert "kconfig: remove kvmconfig and xenconfig shorthands" Greg Kroah-Hartman
2021-01-22 14:12 ` [PATCH 5.10 02/43] bpf: Fix selftest compilation on clang 11 Greg Kroah-Hartman
2021-01-22 14:12 ` [PATCH 5.10 03/43] x86/hyperv: Initialize clockevents after LAPIC is initialized Greg Kroah-Hartman
2021-01-22 14:12 ` [PATCH 5.10 04/43] drm/amdgpu/display: drop DCN support for aarch64 Greg Kroah-Hartman
2021-01-22 14:12 ` [PATCH 5.10 05/43] bpf: Fix signed_{sub,add32}_overflows type handling Greg Kroah-Hartman
2021-01-22 14:12 ` [PATCH 5.10 06/43] X.509: Fix crash caused by NULL pointer Greg Kroah-Hartman
2021-01-22 14:12 ` [PATCH 5.10 07/43] nfsd4: readdirplus shouldnt return parent of export Greg Kroah-Hartman
2021-01-22 14:12 ` [PATCH 5.10 08/43] bpf: Dont leak memory in bpf getsockopt when optlen == 0 Greg Kroah-Hartman
2021-01-22 14:12 ` [PATCH 5.10 09/43] bpf: Support PTR_TO_MEM{,_OR_NULL} register spilling Greg Kroah-Hartman
2021-01-22 14:12 ` [PATCH 5.10 10/43] bpf: Fix helper bpf_map_peek_elem_proto pointing to wrong callback Greg Kroah-Hartman
2021-01-22 14:12 ` [PATCH 5.10 11/43] net: ipa: modem: add missing SET_NETDEV_DEV() for proper sysfs links Greg Kroah-Hartman
2021-01-22 14:12 ` [PATCH 5.10 12/43] net: fix use-after-free when UDP GRO with shared fraglist Greg Kroah-Hartman
2021-01-22 14:12 ` [PATCH 5.10 13/43] udp: Prevent reuseport_select_sock from reading uninitialized socks Greg Kroah-Hartman
2021-01-22 14:12 ` [PATCH 5.10 14/43] netxen_nic: fix MSI/MSI-x interrupts Greg Kroah-Hartman
2021-01-22 14:12 ` [PATCH 5.10 15/43] net: ipv6: Validate GSO SKB before finish IPv6 processing Greg Kroah-Hartman
2021-01-22 14:12 ` [PATCH 5.10 16/43] tipc: fix NULL deref in tipc_link_xmit() Greg Kroah-Hartman
2021-01-22 14:12 ` [PATCH 5.10 17/43] mlxsw: core: Add validation of transceiver temperature thresholds Greg Kroah-Hartman
2021-01-22 14:12 ` [PATCH 5.10 18/43] mlxsw: core: Increase critical threshold for ASIC thermal zone Greg Kroah-Hartman
2021-01-22 14:12 ` [PATCH 5.10 19/43] net: mvpp2: Remove Pause and Asym_Pause support Greg Kroah-Hartman
2021-01-22 14:12 ` [PATCH 5.10 20/43] rndis_host: set proper input size for OID_GEN_PHYSICAL_MEDIUM request Greg Kroah-Hartman
2021-01-22 14:12 ` [PATCH 5.10 21/43] esp: avoid unneeded kmap_atomic call Greg Kroah-Hartman
2021-01-22 14:12 ` [PATCH 5.10 22/43] net: dcb: Validate netlink message in DCB handler Greg Kroah-Hartman
2021-01-22 14:12 ` [PATCH 5.10 23/43] net: dcb: Accept RTM_GETDCB messages carrying set-like DCB commands Greg Kroah-Hartman
2021-01-22 14:12 ` [PATCH 5.10 24/43] rxrpc: Call state should be read with READ_ONCE() under some circumstances Greg Kroah-Hartman
2021-01-22 14:12 ` [PATCH 5.10 25/43] i40e: fix potential NULL pointer dereferencing Greg Kroah-Hartman
2021-01-22 14:12 ` [PATCH 5.10 26/43] net: stmmac: Fixed mtu channged by cache aligned Greg Kroah-Hartman
2021-01-22 14:12 ` [PATCH 5.10 27/43] net: sit: unregister_netdevice on newlinks error path Greg Kroah-Hartman
2021-01-22 14:12 ` [PATCH 5.10 28/43] net: stmmac: fix taprio schedule configuration Greg Kroah-Hartman
2021-01-22 14:12 ` [PATCH 5.10 29/43] net: stmmac: fix taprio configuration when base_time is in the past Greg Kroah-Hartman
2021-01-22 14:12 ` [PATCH 5.10 30/43] net: avoid 32 x truesize under-estimation for tiny skbs Greg Kroah-Hartman
2021-01-22 14:12 ` [PATCH 5.10 31/43] dt-bindings: net: renesas,etheravb: RZ/G2H needs tx-internal-delay-ps Greg Kroah-Hartman
2021-01-22 14:12 ` [PATCH 5.10 32/43] net: phy: smsc: fix clk error handling Greg Kroah-Hartman
2021-01-22 14:12 ` Greg Kroah-Hartman [this message]
2021-01-22 14:12 ` [PATCH 5.10 34/43] rxrpc: Fix handling of an unsupported token type in rxrpc_read() Greg Kroah-Hartman
2021-01-22 14:12 ` [PATCH 5.10 35/43] net: stmmac: use __napi_schedule() for PREEMPT_RT Greg Kroah-Hartman
2021-01-22 14:12 ` [PATCH 5.10 36/43] can: mcp251xfd: mcp251xfd_handle_rxif_one(): fix wrong NULL pointer check Greg Kroah-Hartman
2021-01-22 14:12 ` [PATCH 5.10 37/43] drm/panel: otm8009a: allow using non-continuous dsi clock Greg Kroah-Hartman
2021-01-22 14:12 ` [PATCH 5.10 38/43] mac80211: do not drop tx nulldata packets on encrypted links Greg Kroah-Hartman
2021-01-22 14:12 ` [PATCH 5.10 39/43] mac80211: check if atf has been disabled in __ieee80211_schedule_txq Greg Kroah-Hartman
2021-01-22 14:12 ` [PATCH 5.10 40/43] net: dsa: unbind all switches from tree when DSA master unbinds Greg Kroah-Hartman
2021-01-22 14:12 ` [PATCH 5.10 41/43] cxgb4/chtls: Fix tid stuck due to wrong update of qid Greg Kroah-Hartman
2021-01-22 14:12 ` [PATCH 5.10 42/43] spi: fsl: Fix driver breakage when SPI_CS_HIGH is not set in spi->mode Greg Kroah-Hartman
2021-01-22 14:12 ` [PATCH 5.10 43/43] spi: cadence: cache reference clock rate during probe Greg Kroah-Hartman
2021-01-23 0:24 ` [PATCH 5.10 00/43] 5.10.10-rc1 review Shuah Khan
2021-01-23 15:06 ` Greg Kroah-Hartman
2021-01-23 5:44 ` Naresh Kamboju
2021-01-23 7:20 ` Naresh Kamboju
2021-01-23 15:06 ` Greg Kroah-Hartman
2021-01-23 9:52 ` Pavel Machek
2021-01-23 15:06 ` Greg Kroah-Hartman
2021-01-23 9:59 ` Jon Hunter
2021-01-23 15:19 ` Greg Kroah-Hartman
2021-01-23 14:36 ` Guenter Roeck
2021-01-23 15:07 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210122135737.002440864@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=f.fainelli@gmail.com \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=vladimir.oltean@nxp.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.