Re: [PATCH] net-bridge: fix unsafe dereference of potential null ptr in __vlan_del()

From: Alexander Lobakin
Date: Fri Feb 17 2023 - 08:49:45 EST


From: Alexander Sapozhnikov <alsp705@xxxxxxxxx>
Date: Fri, 17 Feb 2023 16:16:57 +0300

> [PATCH] net-bridge: fix unsafe dereference of potential null ptr in
> __vlan_del()

Must be:

[PATCH net] net: bridge: fix unsafe dereference of potential null ptr in
__vlan_del()

> After having been compared to NULL value at br_vlan.c:399,
> pointer 'p' is passed as 1st parameter in call to function
> 'nbp_vlan_set_vlan_dev_state' at br_vlan.c:420,
> where it is dereferenced at br_vlan.c:1722.

Do you have a reproducer for this or it's purely hypothetical? I'm not
saying it's strongly required, at least I wouldn't require it, just
curious. And sometimes without a stable repro you should target
net-next, not net, but better ask the bridge maintainers re this.

>
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>

Here you should have a "Fixes:" tag with a reference to the commit which
introduced this nullptr-deref.

> Signed-off-by: Alexander Sapozhnikov <alsp705@xxxxxxxxx>

You have 2 copies of this patch in the list. The first one lacks proper
commit message, this one has it. But you didn't marked this resent as v2
(it's v2 in fact).
Please mark it accordingly next spin and don't forget always provide a
changelog between versions.

> ---
> net/bridge/br_vlan.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/net/bridge/br_vlan.c b/net/bridge/br_vlan.c
> index bc75fa1e4666..87091e270adf 100644
> --- a/net/bridge/br_vlan.c
> +++ b/net/bridge/br_vlan.c
> @@ -417,7 +417,8 @@ static int __vlan_del(struct net_bridge_vlan *v)
> rhashtable_remove_fast(&vg->vlan_hash, &v->vnode,
> br_vlan_rht_params);
> __vlan_del_list(v);
> - nbp_vlan_set_vlan_dev_state(p, v->vid);
> + if (p)
> + nbp_vlan_set_vlan_dev_state(p, v->vid);
> br_multicast_toggle_one_vlan(v, false);
> br_multicast_port_ctx_deinit(&v->port_mcast_ctx);
> call_rcu(&v->rcu, nbp_vlan_rcu_free);

Thanks,
Olek