Minki/linux
1
0
Fork 1
mirror of https://github.com/torvalds/linux.git synced 2024-11-27 14:41:39 +00:00
Code Issues Packages Projects Releases Wiki Activity
a992562872
linux/net/dsa
History
Vladimir Oltean 91158e1680 net: dsa: clear devlink port type before unregistering slave netdevs 
Florian reported a use-after-free bug in devlink_nl_port_fill found with
KASAN:

(devlink_nl_port_fill)
(devlink_port_notify)
(devlink_port_unregister)
(dsa_switch_teardown.part.3)
(dsa_tree_teardown_switches)
(dsa_unregister_switch)
(bcm_sf2_sw_remove)
(platform_remove)
(device_release_driver_internal)
(device_links_unbind_consumers)
(device_release_driver_internal)
(device_driver_detach)
(unbind_store)

Allocated by task 31:
 alloc_netdev_mqs+0x5c/0x50c
 dsa_slave_create+0x110/0x9c8
 dsa_register_switch+0xdb0/0x13a4
 b53_switch_register+0x47c/0x6dc
 bcm_sf2_sw_probe+0xaa4/0xc98
 platform_probe+0x90/0xf4
 really_probe+0x184/0x728
 driver_probe_device+0xa4/0x278
 __device_attach_driver+0xe8/0x148
 bus_for_each_drv+0x108/0x158

Freed by task 249:
 free_netdev+0x170/0x194
 dsa_slave_destroy+0xac/0xb0
 dsa_port_teardown.part.2+0xa0/0xb4
 dsa_tree_teardown_switches+0x50/0xc4
 dsa_unregister_switch+0x124/0x250
 bcm_sf2_sw_remove+0x98/0x13c
 platform_remove+0x44/0x5c
 device_release_driver_internal+0x150/0x254
 device_links_unbind_consumers+0xf8/0x12c
 device_release_driver_internal+0x84/0x254
 device_driver_detach+0x30/0x34
 unbind_store+0x90/0x134

What happens is that devlink_port_unregister emits a netlink
DEVLINK_CMD_PORT_DEL message which associates the devlink port that is
getting unregistered with the ifindex of its corresponding net_device.
Only trouble is, the net_device has already been unregistered.

It looks like we can stub out the search for a corresponding net_device
if we clear the devlink_port's type. This looks like a bit of a hack,
but also seems to be the reason why the devlink_port_type_clear function
exists in the first place.

Fixes: 3122433eb5 ("net: dsa: Register devlink ports before calling DSA driver setup()")
Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
Tested-by: Florian fainelli <f.fainelli@gmail.com>
Reported-by: Florian Fainelli <f.fainelli@gmail.com>
Link: https://lore.kernel.org/r/20210112004831.3778323-1-olteanv@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2021-01-12 18:48:50 -08:00
..
dsa2.c net: dsa: clear devlink port type before unregistering slave netdevs 2021-01-12 18:48:50 -08:00
dsa_priv.h net: dsa: use net core stats64 handling 2020-11-09 17:50:27 -08:00
dsa.c net: dsa: use net core stats64 handling 2020-11-09 17:50:27 -08:00
Kconfig net: dsa: tag_dsa: Unify regular and ethertype DSA taggers 2020-11-17 09:16:12 -08:00
Makefile net: dsa: tag_dsa: Unify regular and ethertype DSA taggers 2020-11-17 09:16:12 -08:00
master.c net: dsa: unbind all switches from tree when DSA master unbinds 2021-01-12 18:48:40 -08:00
port.c net: dsa: propagate switchdev vlan_filtering prepare phase to drivers 2020-10-05 05:56:48 -07:00
slave.c net: dsa: print the MTU value that could not be set 2020-12-08 11:24:07 -08:00
switch.c net: dsa: propagate switchdev vlan_filtering prepare phase to drivers 2020-10-05 05:56:48 -07:00
tag_8021q.c net: dsa: tag_8021q: add VLANs to the master interface too 2020-09-20 19:01:34 -07:00
tag_ar9331.c net: dsa: tag_ar9331: let DSA core deal with TX reallocation 2020-11-02 17:41:17 -08:00
tag_brcm.c net: dsa: tag_brcm: let DSA core deal with TX reallocation 2020-11-02 17:41:16 -08:00
tag_dsa.c net: dsa: tag_dsa: Use a consistent comment style 2020-11-17 09:16:12 -08:00
tag_gswip.c net: dsa: tag_gswip: let DSA core deal with TX reallocation 2020-11-02 17:41:16 -08:00
tag_hellcreek.c net: dsa: tag_hellcreek: Cleanup includes 2020-11-23 16:57:21 -08:00
tag_ksz.c net: dsa: tag_ksz: don't allocate additional memory for padding/tagging 2020-11-02 17:41:16 -08:00
tag_lan9303.c net: dsa: tag_lan9303: let DSA core deal with TX reallocation 2020-11-02 17:41:16 -08:00
tag_mtk.c net: dsa: tag_mtk: let DSA core deal with TX reallocation 2020-11-02 17:41:16 -08:00
tag_ocelot.c net: dsa: tag_ocelot: let DSA core deal with TX reallocation 2020-11-02 17:41:16 -08:00
tag_qca.c net: dsa: tag_qca: let DSA core deal with TX reallocation 2020-11-02 17:41:16 -08:00
tag_rtl4_a.c net: dsa: tag_rtl4_a: use the generic flow dissector procedure 2020-09-26 14:17:59 -07:00
tag_sja1105.c net: dsa: tag_sja1105: use a custom flow dissector procedure 2020-09-26 14:17:59 -07:00
tag_trailer.c net: dsa: trailer: don't allocate additional memory for padding/tagging 2020-11-02 17:41:16 -08:00