From patchwork Fri Jul 6 14:28:36 2018
X-Patchwork-Submitter: Mark Rutland
X-Patchwork-Id: 141326
From: Mark Rutland
To: linux-kernel@vger.kernel.org
Cc: Mark Rutland, Alexey Kuznetsov, "David S . Miller", Hideaki YOSHIFUJI, netdev@vger.kernel.org
Subject: [PATCH] ipv4: fib: avoid NULL dereference
Date: Fri, 6 Jul 2018 15:28:36 +0100
Message-Id: <20180706142836.1822-1-mark.rutland@arm.com>
X-Mailer: git-send-email 2.11.0
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org

In tnode_free() we iterate over a callback_head list with a while loop. At
the start of the loop body we generate the next head pointer, and at the
end of the loop body we generate the tn pointer for the next iteration of
the loop by using container_of() on the head pointer to find the tnode,
and deriving the kv pointer from this.

In the final iteration of the loop, this means that we derive a pointer
from NULL, which is undefined behaviour, which UBSAN detects:

================================================================================
UBSAN: Undefined behaviour in net/ipv4/fib_trie.c:504:6
member access within null pointer of type 'struct tnode'
CPU: 1 PID: 94 Comm: ip Not tainted 4.18.0-rc3+ #23
Hardware name: linux,dummy-virt (DT)
Call trace:
 dump_backtrace+0x0/0x458
 show_stack+0x20/0x30
 dump_stack+0x18c/0x248
 ubsan_epilogue+0x18/0x94
 handle_null_ptr_deref+0x1d4/0x228
 __ubsan_handle_type_mismatch_v1+0x188/0x1e0
 tnode_free+0x16c/0x1d0
 replace+0x1e0/0x5d0
 resize+0xd98/0x2008
 fib_insert_alias+0xb38/0x10c8
 fib_table_insert+0x7d0/0x1108
 fib_magic+0x530/0x780
 fib_add_ifaddr+0x378/0x468
 fib_netdev_event+0x2ac/0x3e8
 notifier_call_chain+0x190/0x2f8
 raw_notifier_call_chain+0x3c/0x68
 call_netdevice_notifiers_info+0x3c/0xc0
 __dev_notify_flags+0x1f8/0x398
 dev_change_flags+0xe8/0x150
 do_setlink+0x924/0x4050
 rtnl_newlink+0x8c4/0x14b0
 rtnetlink_rcv_msg+0x408/0xef8
 netlink_rcv_skb+0x144/0x390
 rtnetlink_rcv+0x24/0x30
 netlink_unicast+0x4e8/0x740
 netlink_sendmsg+0x6d8/0xe78
 sock_sendmsg+0x90/0x168
 ___sys_sendmsg+0x680/0x9b0
 __sys_sendmsg+0xf0/0x230
 sys_sendmsg+0x34/0x48
 el0_svc_naked+0x30/0x34
================================================================================

We can avoid the undefined behaviour by generating tn for the current
iteration of the loop before we advance head, so let's do that.

Signed-off-by: Mark Rutland
Cc: Alexey Kuznetsov
Cc: David S. Miller
Cc: Hideaki YOSHIFUJI
Cc: netdev@vger.kernel.org
---
 net/ipv4/fib_trie.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/ipv4/fib_trie.c b/net/ipv4/fib_trie.c
index 5bc0c89e81e4..8d98c8162554 100644
--- a/net/ipv4/fib_trie.c
+++ b/net/ipv4/fib_trie.c
@@ -497,11 +497,11 @@ static void tnode_free(struct key_vector *tn)
 	struct callback_head *head = &tn_info(tn)->rcu;
 
 	while (head) {
+		tn = container_of(head, struct tnode, rcu)->kv;
+		head = head->next;
 		tnode_free_size += TNODE_SIZE(1ul << tn->bits);
 		node_free(tn);
-
-		tn = container_of(head, struct tnode, rcu)->kv;
 	}
 
 	if (tnode_free_size >= PAGE_SIZE * sync_pages) {
-- 
2.11.0
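Review bot: as rendered, the hunk adds `+ head = head->next;` but shows no removal of the existing advance of head that the commit message says the loop already performs at the start of the body ("before we advance head"); the two `-` lines are the blank line and the trailing `tn = container_of(head, struct tnode, rcu)->kv;`, and the diffstat reports 2 insertions and 2 deletions. If this is the complete hunk, head would be advanced twice per iteration, so please confirm the diff is intact. The ordering itself, deriving tn from head while head is still non-NULL and only then advancing, is the right fix for the UBSAN report.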
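As an added example that is not part of Mark Rutland's patch or of the kernel's code: a userspace model of the tnode_free() walk with the list constructed inline. Struct names mirror the kernel's, plain free() stands in for node_free(), and the loop uses the ordering the patch describes, so container_of() is never applied to a NULL head.

```c
/* Added example, not part of the patch: a userspace model of the tnode_free()
 * loop in net/ipv4/fib_trie.c. Struct names mirror the kernel's; the list is
 * constructed here and plain free() stands in for node_free(). */
#include <stddef.h>
#include <stdlib.h>

#define container_of(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))
#define tn_info(ptr) container_of(ptr, struct tnode, kv)

struct callback_head { struct callback_head *next; };
struct key_vector { unsigned char bits; };
struct tnode {
	struct callback_head rcu;
	struct key_vector kv[1];   /* the kernel embeds key_vector in tnode */
};

static struct tnode *new_tnode(unsigned char bits, struct tnode *next)
{
	struct tnode *tn = calloc(1, sizeof(*tn));
	tn->kv[0].bits = bits;
	tn->rcu.next = next ? &next->rcu : NULL;   /* chain like the RCU list */
	return tn;
}

/* The patch's ordering: derive tn from head while head is still non-NULL,
 * then advance head. The original body advanced head first and ran
 * container_of(head, ...) at its end, so the final pass derived a tnode
 * pointer from NULL. Returns the sum of 1ul << bits (cf. tnode_free_size). */
static unsigned long free_list_fixed(struct key_vector *tn)
{
	struct callback_head *head = &tn_info(tn)->rcu;
	unsigned long freed = 0;
	while (head) {
		tn = container_of(head, struct tnode, rcu)->kv;
		head = head->next;
		freed += 1ul << tn->bits;
		free(tn_info(tn));
	}
	return freed;
}

/* Constructed 3-node list with bits 1, 2, 3: expected total 2 + 4 + 8 = 14. */
unsigned long demo(void)
{
	struct tnode *c = new_tnode(3, NULL);
	struct tnode *b = new_tnode(2, c);
	struct tnode *a = new_tnode(1, b);
	return free_list_fixed(a->kv);
}
```

Building with -fsanitize=undefined and swapping the two statements at the top of the loop back to the original order reproduces the "member access within null pointer" report on the last iteration.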