
[net-next] net: bridge: multicast: fix igmp/mld port context null pointer dereferences

Message ID 20210721100624.704110-1-razor@blackwall.org (mailing list archive)
State Accepted
Commit 54cb43199e14c1181ddcd4a3782f1f7eb56bdab8
Delegated to: Netdev Maintainers

Checks

Context Check Description
netdev/cover_letter success Link
netdev/fixes_present success Link
netdev/patch_count success Link
netdev/tree_selection success Clearly marked for net-next
netdev/subject_prefix success Link
netdev/cc_maintainers fail 1 blamed authors not CCed: davem@davemloft.net; 2 maintainers not CCed: davem@davemloft.net kuba@kernel.org
netdev/source_inline success Was 0 now: 0
netdev/verify_signedoff success Link
netdev/module_param success Was 0 now: 0
netdev/build_32bit fail Errors and warnings before: 7 this patch: 7
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/verify_fixes success Link
netdev/checkpatch warning CHECK: Comparison to NULL could be written "p" CHECK: Comparison to NULL could be written "pmctx"
netdev/build_allmodconfig_warn fail Errors and warnings before: 7 this patch: 7
netdev/header_inline success Link

Commit Message

Nikolay Aleksandrov July 21, 2021, 10:06 a.m. UTC
From: Nikolay Aleksandrov <nikolay@nvidia.com>

With the recent change to use bridge/port multicast context pointers
instead of bridge/port, I missed converting two locations which pass the
port pointer as-is, but with the new model we need to verify the port
context is non-NULL first and retrieve the port from it. The first
location is when doing querier selection when a query is received, the
second location is when leaving a group. The port context will be null
if the packets originated from the bridge device (i.e. from the host).
The fix is simple: just check if the port context exists and retrieve
the port pointer from it.

Fixes: adc47037a7d5 ("net: bridge: multicast: use multicast contexts instead of bridge or port")
Signed-off-by: Nikolay Aleksandrov <nikolay@nvidia.com>
---
note: the != NULL checks are in line with the rest of the code style of
      br_multicast_leave_group()

 net/bridge/br_multicast.c | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

Comments

patchwork-bot+netdevbpf@kernel.org July 21, 2021, 4:10 p.m. UTC | #1
Hello:

This patch was applied to netdev/net-next.git (refs/heads/master):

On Wed, 21 Jul 2021 13:06:24 +0300 you wrote:
> From: Nikolay Aleksandrov <nikolay@nvidia.com>
> 
> With the recent change to use bridge/port multicast context pointers
> instead of bridge/port, I missed converting two locations which pass the
> port pointer as-is, but with the new model we need to verify the port
> context is non-NULL first and retrieve the port from it. The first
> location is when doing querier selection when a query is received, the
> second location is when leaving a group. The port context will be null
> if the packets originated from the bridge device (i.e. from the host).
> The fix is simple: just check if the port context exists and retrieve
> the port pointer from it.
> 
> [...]

Here is the summary with links:
  - [net-next] net: bridge: multicast: fix igmp/mld port context null pointer dereferences
    https://git.kernel.org/netdev/net-next/c/54cb43199e14

You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html

Patch

diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c
index 976491951c82..214d1bf854ad 100644
--- a/net/bridge/br_multicast.c
+++ b/net/bridge/br_multicast.c
@@ -2827,9 +2827,11 @@  static int br_ip6_multicast_mld2_report(struct net_bridge_mcast *brmctx,
 #endif
 
 static bool br_ip4_multicast_select_querier(struct net_bridge_mcast *brmctx,
-					    struct net_bridge_port *port,
+					    struct net_bridge_mcast_port *pmctx,
 					    __be32 saddr)
 {
+	struct net_bridge_port *port = pmctx ? pmctx->port : NULL;
+
 	if (!timer_pending(&brmctx->ip4_own_query.timer) &&
 	    !timer_pending(&brmctx->ip4_other_query.timer))
 		goto update;
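
Review bot: `port` can now be NULL for the whole body of br_ip4_multicast_select_querier() whenever pmctx is NULL, and the code past the `goto update` target is outside this hunk, so the patch does not show that every later use of `port` tolerates NULL. Please confirm that in the changelog, or add a short comment on the new declaration stating that a NULL port means the query came from the bridge device itself.
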
@@ -2853,9 +2855,11 @@  static bool br_ip4_multicast_select_querier(struct net_bridge_mcast *brmctx,
 
 #if IS_ENABLED(CONFIG_IPV6)
 static bool br_ip6_multicast_select_querier(struct net_bridge_mcast *brmctx,
-					    struct net_bridge_port *port,
+					    struct net_bridge_mcast_port *pmctx,
 					    struct in6_addr *saddr)
 {
+	struct net_bridge_port *port = pmctx ? pmctx->port : NULL;
+
 	if (!timer_pending(&brmctx->ip6_own_query.timer) &&
 	    !timer_pending(&brmctx->ip6_other_query.timer))
 		goto update;
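
Review bot: The `pmctx ? pmctx->port : NULL` initializer in br_ip6_multicast_select_querier() is a second copy of the line added to the IPv4 variant, and br_multicast_leave_group() needs the same NULL-aware access to the port. A small static inline helper that returns the port for a possibly-NULL port context would keep the rule in one place and make another missed conversion less likely.
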
@@ -3076,7 +3080,7 @@  br_ip4_multicast_query_received(struct net_bridge_mcast *brmctx,
 				struct br_ip *saddr,
 				unsigned long max_delay)
 {
-	if (!br_ip4_multicast_select_querier(brmctx, pmctx->port, saddr->src.ip4))
+	if (!br_ip4_multicast_select_querier(brmctx, pmctx, saddr->src.ip4))
 		return;
 
 	br_multicast_update_query_timer(brmctx, query, max_delay);
@@ -3091,7 +3095,7 @@  br_ip6_multicast_query_received(struct net_bridge_mcast *brmctx,
 				struct br_ip *saddr,
 				unsigned long max_delay)
 {
-	if (!br_ip6_multicast_select_querier(brmctx, pmctx->port, &saddr->src.ip6))
+	if (!br_ip6_multicast_select_querier(brmctx, pmctx, &saddr->src.ip6))
 		return;
 
 	br_multicast_update_query_timer(brmctx, query, max_delay);
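
Review bot: Both query_received call sites now pass `pmctx` through without dereferencing it, but only the first statements of each function are visible in these hunks, so nothing here shows that the remainder of br_ip4_multicast_query_received() and br_ip6_multicast_query_received() is free of a direct `pmctx->port` read. Since the bug being fixed is exactly a missed conversion, the changelog should state that the rest of both functions was checked for host-originated queries.
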
@@ -3322,7 +3326,7 @@  br_multicast_leave_group(struct net_bridge_mcast *brmctx,
 		mod_timer(&own_query->timer, time);
 
 		for (p = mlock_dereference(mp->ports, brmctx->br);
-		     p != NULL;
+		     p != NULL && pmctx != NULL;
 		     p = mlock_dereference(p->next, brmctx->br)) {
 			if (!br_port_group_equal(p, pmctx->port, src))
 				continue;
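
Review bot: `pmctx != NULL` in the for-loop condition is loop-invariant, so it is re-evaluated on every iteration only to guard the `pmctx->port` dereference in the br_port_group_equal() call. Testing it once before the loop would state the intent more clearly than `p != NULL && pmctx != NULL`. The `mod_timer(&own_query->timer, time)` call above the loop has already run by the time the check applies, so the changelog should say whether re-arming the timer for a leave that originated from the bridge device is intended.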