Evolution-X-Devices/kernel_google_wahoo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
25765e8afb01bdb7cd06d1bf2111cd0443323935
kernel_google_wahoo/drivers
History
Taehee Yoo 6ec73a87c2 macvlan: fix null dereference in macvlan_device_event() 
[ Upstream commit 4dee15b4fd0d61ec6bbd179238191e959d34cf7a ]

In the macvlan_device_event(), the list_first_entry_or_null() is used.
This function could return null pointer if there is no node.
But, the macvlan module doesn't check the null pointer.
So, null-ptr-deref would occur.

      bond0
        |
   +----+-----+
   |          |
macvlan0   macvlan1
   |          |
 dummy0     dummy1

The problem scenario.
If dummy1 is removed,
1. ->dellink() of dummy1 is called.
2. NETDEV_UNREGISTER of dummy1 notification is sent to macvlan module.
3. ->dellink() of macvlan1 is called.
4. NETDEV_UNREGISTER of macvlan1 notification is sent to bond module.
5. __bond_release_one() is called and it internally calls
   dev_set_mac_address().
6. dev_set_mac_address() calls the ->ndo_set_mac_address() of macvlan1,
   which is macvlan_set_mac_address().
7. macvlan_set_mac_address() calls the dev_set_mac_address() with dummy1.
8. NETDEV_CHANGEADDR of dummy1 is sent to macvlan module.
9. In the macvlan_device_event(), it calls list_first_entry_or_null().
At this point, dummy1 and macvlan1 were removed.
So, list_first_entry_or_null() will return NULL.

Test commands:
    ip netns add nst
    ip netns exec nst ip link add bond0 type bond
    for i in {0..10}
    do
        ip netns exec nst ip link add dummy$i type dummy
	ip netns exec nst ip link add macvlan$i link dummy$i \
		type macvlan mode passthru
	ip netns exec nst ip link set macvlan$i master bond0
    done
    ip netns del nst

Splat looks like:
[   40.585687][  T146] general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP DEI
[   40.587249][  T146] KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
[   40.588342][  T146] CPU: 1 PID: 146 Comm: kworker/u8:2 Not tainted 5.7.0-rc1+ #532
[   40.589299][  T146] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
[   40.590469][  T146] Workqueue: netns cleanup_net
[   40.591045][  T146] RIP: 0010:macvlan_device_event+0x4e2/0x900 [macvlan]
[   40.591905][  T146] Code: 00 00 00 00 00 fc ff df 80 3c 06 00 0f 85 45 02 00 00 48 89 da 48 b8 00 00 00 00 00 fc ff d2
[   40.594126][  T146] RSP: 0018:ffff88806116f4a0 EFLAGS: 00010246
[   40.594783][  T146] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
[   40.595653][  T146] RDX: 0000000000000000 RSI: ffff88806547ddd8 RDI: ffff8880540f1360
[   40.596495][  T146] RBP: ffff88804011a808 R08: fffffbfff4fb8421 R09: fffffbfff4fb8421
[   40.597377][  T146] R10: ffffffffa7dc2107 R11: 0000000000000000 R12: 0000000000000008
[   40.598186][  T146] R13: ffff88804011a000 R14: ffff8880540f1000 R15: 1ffff1100c22de9a
[   40.599012][  T146] FS:  0000000000000000(0000) GS:ffff888067800000(0000) knlGS:0000000000000000
[   40.600004][  T146] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   40.600665][  T146] CR2: 00005572d3a807b8 CR3: 000000005fcf4003 CR4: 00000000000606e0
[   40.601485][  T146] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   40.602461][  T146] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   40.603443][  T146] Call Trace:
[   40.603871][  T146]  ? nf_tables_dump_setelem+0xa0/0xa0 [nf_tables]
[   40.604587][  T146]  ? macvlan_uninit+0x100/0x100 [macvlan]
[   40.605212][  T146]  ? __module_text_address+0x13/0x140
[   40.605842][  T146]  notifier_call_chain+0x90/0x160
[   40.606477][  T146]  dev_set_mac_address+0x28e/0x3f0
[   40.607117][  T146]  ? netdev_notify_peers+0xc0/0xc0
[   40.607762][  T146]  ? __module_text_address+0x13/0x140
[   40.608440][  T146]  ? notifier_call_chain+0x90/0x160
[   40.609097][  T146]  ? dev_set_mac_address+0x1f0/0x3f0
[   40.609758][  T146]  dev_set_mac_address+0x1f0/0x3f0
[   40.610402][  T146]  ? __local_bh_enable_ip+0xe9/0x1b0
[   40.611071][  T146]  ? bond_hw_addr_flush+0x77/0x100 [bonding]
[   40.611823][  T146]  ? netdev_notify_peers+0xc0/0xc0
[   40.612461][  T146]  ? bond_hw_addr_flush+0x77/0x100 [bonding]
[   40.613213][  T146]  ? bond_hw_addr_flush+0x77/0x100 [bonding]
[   40.613963][  T146]  ? __local_bh_enable_ip+0xe9/0x1b0
[   40.614631][  T146]  ? bond_time_in_interval.isra.31+0x90/0x90 [bonding]
[   40.615484][  T146]  ? __bond_release_one+0x9f0/0x12c0 [bonding]
[   40.616230][  T146]  __bond_release_one+0x9f0/0x12c0 [bonding]
[   40.616949][  T146]  ? bond_enslave+0x47c0/0x47c0 [bonding]
[   40.617642][  T146]  ? lock_downgrade+0x730/0x730
[   40.618218][  T146]  ? check_flags.part.42+0x450/0x450
[   40.618850][  T146]  ? __mutex_unlock_slowpath+0xd0/0x670
[   40.619519][  T146]  ? trace_hardirqs_on+0x30/0x180
[   40.620117][  T146]  ? wait_for_completion+0x250/0x250
[   40.620754][  T146]  bond_netdev_event+0x822/0x970 [bonding]
[   40.621460][  T146]  ? __module_text_address+0x13/0x140
[   40.622097][  T146]  notifier_call_chain+0x90/0x160
[   40.622806][  T146]  rollback_registered_many+0x660/0xcf0
[   40.623522][  T146]  ? netif_set_real_num_tx_queues+0x780/0x780
[   40.624290][  T146]  ? notifier_call_chain+0x90/0x160
[   40.624957][  T146]  ? netdev_upper_dev_unlink+0x114/0x180
[   40.625686][  T146]  ? __netdev_adjacent_dev_unlink_neighbour+0x30/0x30
[   40.626421][  T146]  ? mutex_is_locked+0x13/0x50
[   40.627016][  T146]  ? unregister_netdevice_queue+0xf2/0x240
[   40.627663][  T146]  unregister_netdevice_many.part.134+0x13/0x1b0
[   40.628362][  T146]  default_device_exit_batch+0x2d9/0x390
[   40.628987][  T146]  ? unregister_netdevice_many+0x40/0x40
[   40.629615][  T146]  ? dev_change_net_namespace+0xcb0/0xcb0
[   40.630279][  T146]  ? prepare_to_wait_exclusive+0x2e0/0x2e0
[   40.630943][  T146]  ? ops_exit_list.isra.9+0x97/0x140
[   40.631554][  T146]  cleanup_net+0x441/0x890
[ ... ]

Fixes: e289fd2817 ("macvlan: fix the problem when mac address changes for passthru mode")
Reported-by: syzbot+5035b1f9dc7ea4558d5a@syzkaller.appspotmail.com
Signed-off-by: Taehee Yoo <ap420073@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-05-02 17:20:32 +02:00
..
accessibility
acpi
x86/mm: split vmalloc_sync_all()
2020-04-02 19:02:31 +02:00
amba
ARM: amba: Don't read past the end of sysfs "driver_override" buffer
2018-05-02 07:53:42 -07:00
android
ANDROID: binder: synchronize_rcu() when using POLLFREE.
2019-10-07 21:01:03 +02:00
ata
libata: Return correct status in sata_pmp_eh_recover_pm() when ATA_DFLAG_DETACH is set
2020-04-24 07:57:16 +02:00
atm
atm: eni: fix uninitialized variable warning
2020-02-05 13:03:36 +00:00
auxdisplay
base
driver core: Print device when resources present in really_probe()
2020-02-28 15:39:03 +01:00
bcma
bcma: fix incorrect update of BCMA_CORE_PCI_MDIO_DATA
2020-01-29 10:21:48 +01:00
block
floppy: check FDC index for errors before assigning it
2020-02-28 15:39:11 +01:00
bluetooth
Bluetooth: btusb: fix PM leak in error case of setup
2020-01-12 11:22:43 +01:00
bus
bus: sunxi-rsb: Return correct data when mixing 16-bit and 8-bit reads
2020-04-24 07:57:05 +02:00
cdrom
cdrom: respect device capabilities during opening action
2020-01-04 13:34:36 +01:00
char
ipmi: fix hung processes in __get_guid()
2020-04-24 07:57:17 +02:00
clk
clk: tegra: Fix Tegra PMC clock out parents
2020-04-24 07:57:23 +02:00
clocksource
clocksource/drivers/sun5i: Fail gracefully when clock rate is unavailable
2020-01-29 10:21:40 +01:00
connector
cpufreq
cpufreq: Register drivers only after CPU devices have been registered
2020-01-04 13:34:16 +01:00
cpuidle
cpuidle: Do not unset the driver if it is there already
2019-12-21 10:35:27 +01:00
crypto
crypto: mxs-dcp - make symbols 'sha1_null_hash' and 'sha256_null_hash' static
2020-05-02 17:20:29 +02:00
dca
devfreq
PM / devfreq: Don't fail devfreq_dev_release if not in list
2020-01-12 11:22:37 +01:00
dio
dma
dmaengine: coh901318: Fix a double lock bug in dma_tc_handle()
2020-03-11 07:51:19 +01:00
dma-buf
edac
EDAC/ghes: Fix grain calculation
2020-01-04 13:34:16 +01:00
eisa
extcon
extcon: sm5502: Reset registers during initialization
2020-01-04 13:34:13 +01:00
firewire
net: add annotations on hh->hh_len lockless accesses
2020-01-12 11:22:45 +01:00
firmware
efi: Add a sanity check to efivar_store_raw()
2020-03-20 09:06:24 +01:00
fmc
fpga
gpio
gpio: Fix error message on out-of-range GPIO in lookup table
2020-01-23 08:18:36 +01:00
gpu
drm: NULL pointer dereference [null-pointer-deref] (CWE 476) problem
2020-04-24 07:57:21 +02:00
hid
HID: hiddev: Fix race in in hiddev_disconnect()
2020-03-11 07:51:14 +01:00
hsi
hv
Drivers: hv: vmbus: Return -EINVAL for the sys files for unopened channels
2019-01-13 10:05:27 +01:00
hwmon
hwmon: (adt7462) Fix an error return in ADT7462_REG_VOLT()
2020-03-11 07:51:18 +01:00
hwspinlock
drivers/hwspinlock: use correct radix tree API
2020-04-02 19:02:34 +02:00
hwtracing
intel_th: Fix user-visible error codes
2020-04-02 19:02:30 +02:00
i2c
i2c: st: fix missing struct parameter description
2020-04-24 07:57:06 +02:00
ide
ide: serverworks: potential overflow in svwks_set_pio_mode()
2020-02-28 15:39:05 +01:00
idle
iio
iio: buffer: align the size of scan bytes to size of the largest element
2020-01-29 10:21:52 +01:00
infiniband
IB/ipoib: Fix lockdep issue found on ipoib_ib_dev_heavy_flush
2020-04-24 07:57:14 +02:00
input
Input: i8042 - add Acer Aspire 5738z to nomux list
2020-04-24 07:57:15 +02:00
iommu
iommu/amd: Fix the configuration of GCR3 table root pointer
2020-04-24 07:57:25 +02:00
ipack
irqchip
irqchip/versatile-fpga: Apply clear-mask earlier
2020-04-24 07:57:11 +02:00
isdn
staging: gigaset: add endpoint-type sanity check
2019-12-21 10:35:11 +01:00
leds
leds: leds-lp5562 allow firmware files up to the maximum length
2019-10-05 12:27:44 +02:00
lguest
lightnvm
macintosh
macintosh/windfarm_smu_sat: Fix debug output
2019-11-28 18:25:45 +01:00
mailbox
mailbox: handle failed named mailbox channel request
2019-08-04 09:34:58 +02:00
mcb
md
dm flakey: check for null arg_name in parse_features()
2020-04-24 07:57:20 +02:00
media
media: xirlink_cit: add missing descriptor sanity checks
2020-04-02 19:02:39 +02:00
memory
memory: tegra: Fix integer overflow on tick value calculation
2019-06-11 12:23:46 +02:00
memstick
memstick: jmb38x_ms: Fix an error handling path in 'jmb38x_ms_probe()'
2019-10-29 09:13:31 +01:00
message
scsi: mptfusion: Fix double fetch bug in ioctl
2020-01-23 08:18:39 +01:00
mfd
mfd: dln2: Fix sanity checking for endpoints
2020-04-24 07:57:18 +02:00
misc
misc: echo: Remove unnecessary parentheses and simplify check for zero
2020-04-24 07:57:18 +02:00
mmc
mmc: spi: Toggle SPI polarity, do not hardcode it
2020-02-14 16:29:55 -05:00
mtd
mtd: phram: fix a double free issue in error path
2020-04-24 07:57:26 +02:00
net
macvlan: fix null dereference in macvlan_device_event()
2020-05-02 17:20:32 +02:00
nfc
NFC: fdp: Fix a signedness bug in fdp_nci_send_patch()
2020-04-02 19:02:33 +02:00
ntb
ntb: intel: fix return value for ndev_vec_mask()
2019-11-28 18:25:59 +01:00
nubus
nvdimm
libnvdimm/btt: Fix a kmemdup failure check
2019-05-16 19:45:05 +02:00
nvme
nvme-pci: initialize queue memory before interrupts
2018-07-11 16:03:47 +02:00
nvmem
nvmem: core: return error code instead of NULL from nvmem_device_get
2019-11-25 15:53:55 +01:00
of
of: unittest: kmemleak in of_unittest_platform_populate()
2020-04-24 07:57:23 +02:00
oprofile
parisc
parisc: Disable HP HSC-PCI Cards to prevent kernel crash
2019-10-05 12:27:52 +02:00
parport
parport: load lowlevel driver if ports not found
2020-01-04 13:34:16 +01:00
pci
PCI: Don't disable bridge BARs when assigning bus resources
2020-02-28 15:39:03 +01:00
pcmcia
pcmcia: Implement CLKRUN protocol disabling for Ricoh bridges
2018-11-21 09:27:30 +01:00
perf
phy
phy: renesas: rcar-gen2: Fix memory leak at error paths
2019-08-04 09:34:57 +02:00
pinctrl
pinctrl: sh-pfc: sh7269: Fix CAN function GPIOs
2020-02-28 15:39:01 +01:00
platform
MIPS: Loongson: Fix return value of loongson_hwmon_init
2020-01-29 10:21:50 +01:00
pnp
power
power: supply: axp288_charger: Fix unchecked return value
2020-04-13 10:31:32 +02:00
powercap
pps
drivers/pps/pps.c: clear offset flags in PPS_SETPARAMS ioctl
2019-08-04 09:35:02 +02:00
ps3
ptp
ptp: check gettime64 return code in PTP_SYS_OFFSET ioctl
2019-02-20 10:13:05 +01:00
pwm
pwm: bcm2835: Dynamically allocate base
2020-05-02 17:20:32 +02:00
rapidio
ras
regulator
regulator: rk808: Lower log level on optional GPIOs being not available
2020-02-28 15:38:57 +01:00
remoteproc
remoteproc: Initialize rproc_class before use
2020-02-28 15:39:06 +01:00
reset
rpmsg
rtc
rtc: pm8xxx: Fix issue in RTC write path
2020-04-24 07:57:22 +02:00
s390
s390/cio: avoid duplicated 'ADD' uevents
2020-05-02 17:20:31 +02:00
sbus
drivers/sbus/char: add of_node_put()
2018-12-21 14:09:52 +01:00
scsi
scsi: iscsi: Report unbind session event when the target has been removed
2020-05-02 17:20:30 +02:00
sfi
sh
sn
soc
soc: qcom: smem: Use le32_to_cpu for comparison
2020-04-24 07:57:22 +02:00
spi
spi/zynqmp: remove entry that causes a cs glitch
2020-04-02 19:02:28 +02:00
spmi
ssb
ssb: Fix possible NULL pointer dereference in ssb_host_pcmcia_exit
2019-06-11 12:23:53 +02:00
staging
IB/hfi1: Call kobject_put() when kobject_init_and_add() fails
2020-04-13 10:31:33 +02:00
target
scsi: Revert "target: iscsi: Wait for all commands to finish before freeing a session"
2020-02-28 15:39:17 +01:00
tc
TC: Set DMA masks for devices
2018-11-21 09:27:36 +01:00
thermal
thermal: cpu_cooling: Actually trace CPU load in thermal_power_cpu_get_power
2020-01-29 10:21:44 +01:00
thunderbolt
thunderbolt: Use 32-bit writes when writing ring producer/consumer
2019-11-06 12:09:17 +01:00
tty
tty: evh_bytechan: Fix out of bounds accesses
2020-04-24 07:57:25 +02:00
uio
uio: fix a sleep-in-atomic-context bug in uio_dmem_genirq_irqcontrol()
2020-02-28 15:38:54 +01:00
usb
usb: gadget: composite: Inform controller driver of self-powered
2020-04-24 07:57:09 +02:00
uwb
uwb: hwa-rc: fix memory leak at probe
2018-10-10 08:52:04 +02:00
vfio
vfio_pci: Enable memory accesses before calling pci_map_rom
2020-01-29 10:21:40 +01:00
vhost
vhost: Check docket sk_family instead of call getname
2020-04-02 19:02:34 +02:00
video
fbdev: potential information leak in do_fb_ioctl()
2020-04-24 07:57:25 +02:00
virt
drivers/virt/fsl_hypervisor.c: prevent integer overflow in ioctl
2019-05-16 19:45:18 +02:00
virtio
virtio-balloon: fix managed page counts when migrating pages between zones
2019-12-21 10:35:18 +01:00
vlynq
vme
w1
w1: fix the resume command API
2019-06-11 12:23:55 +02:00
watchdog
watchdog: da9062: do not ping the hw during stop()
2020-03-11 07:51:16 +01:00
xen
xen: Enable interrupts when calling _cond_resched()
2020-02-28 15:39:18 +01:00
zorro
zorro: Set up z->dev.dma_mask for the DMA API
2018-05-30 07:49:11 +02:00
Kconfig
Makefile