• A
    net/hsr: Fix NULL pointer dereference and refcnt bugs when deleting a HSR interface. · 56b08fdc
    Arvid Brodin 提交于
    To repeat:
    
    $ sudo ip link del hsr0
    BUG: unable to handle kernel NULL pointer dereference at 0000000000000018
    IP: [<ffffffff8187f495>] hsr_del_port+0x15/0xa0
    etc...
    
    Bug description:
    
    As part of the hsr master device destruction, hsr_del_port() is called for each of
    the hsr ports. At each such call, the master device is updated regarding features
    and mtu. When the master device is freed before the slave interfaces, master will
    be NULL in hsr_del_port(), which led to a NULL pointer dereference.
    
    Additionally, dev_put() was called on the master device itself in hsr_del_port(),
    causing a refcnt error.
    
    A third bug in the same code path was that the rtnl lock was not taken before
    hsr_del_port() was called as part of hsr_dev_destroy().
    
    The reporter (Nicolas Dichtel) also said: "hsr_netdev_notify() supposes that the
    port will always be available when the notification is for an hsr interface. It's
    wrong. For example, netdev_wait_allrefs() may resend NETDEV_UNREGISTER.". As a
    precaution against this, a check for port == NULL was added in hsr_dev_notify().
    Reported-by: NNicolas Dichtel <nicolas.dichtel@6wind.com>
    Fixes: 51f3c605 ("net/hsr: Move slave init to hsr_slave.c.")
    Signed-off-by: NArvid Brodin <arvid.brodin@alten.se>
    Signed-off-by: NDavid S. Miller <davem@davemloft.net>
    56b08fdc
hsr_device.c 11.7 KB