[net] mlxsw: spectrum_router: Fix NULL pointer deref

Message ID 20171225075735.2058-1-jiri@resnulli.us
State Accepted
Delegated to: David Miller
Headers show
Series
  • [net] mlxsw: spectrum_router: Fix NULL pointer deref
Related show

Commit Message

Jiri Pirko Dec. 25, 2017, 7:57 a.m.
From: Ido Schimmel <idosch@mellanox.com>

When we remove the neighbour associated with a nexthop we should always
refuse to write the nexthop to the adjacency table. Regardless if it is
already present in the table or not.

Otherwise, we risk dereferencing the NULL pointer that was set instead
of the neighbour.

Fixes: a7ff87acd995 ("mlxsw: spectrum_router: Implement next-hop routing")
Signed-off-by: Ido Schimmel <idosch@mellanox.com>
Reported-by: Alexander Petrovskiy <alexpe@mellanox.com>
Signed-off-by: Jiri Pirko <jiri@mellanox.com>
---
 drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Jiri Pirko Dec. 25, 2017, 8:02 a.m. | #1
Mon, Dec 25, 2017 at 08:57:35AM CET, jiri@resnulli.us wrote:
>From: Ido Schimmel <idosch@mellanox.com>
>
>When we remove the neighbour associated with a nexthop we should always
>refuse to write the nexthop to the adjacency table. Regardless if it is
>already present in the table or not.
>
>Otherwise, we risk dereferencing the NULL pointer that was set instead
>of the neighbour.
>
>Fixes: a7ff87acd995 ("mlxsw: spectrum_router: Implement next-hop routing")
>Signed-off-by: Ido Schimmel <idosch@mellanox.com>
>Reported-by: Alexander Petrovskiy <alexpe@mellanox.com>
>Signed-off-by: Jiri Pirko <jiri@mellanox.com>

Dave, could you please queue this up for 4.14.y together
with "mlxsw: spectrum: Relax sanity checks during enslavement".

Thanks!
David Miller Jan. 2, 2018, 5:39 p.m. | #2
From: Jiri Pirko <jiri@resnulli.us>
Date: Mon, 25 Dec 2017 09:02:54 +0100

> Mon, Dec 25, 2017 at 08:57:35AM CET, jiri@resnulli.us wrote:
>>From: Ido Schimmel <idosch@mellanox.com>
>>
>>When we remove the neighbour associated with a nexthop we should always
>>refuse to write the nexthop to the adjacency table. Regardless if it is
>>already present in the table or not.
>>
>>Otherwise, we risk dereferencing the NULL pointer that was set instead
>>of the neighbour.
>>
>>Fixes: a7ff87acd995 ("mlxsw: spectrum_router: Implement next-hop routing")
>>Signed-off-by: Ido Schimmel <idosch@mellanox.com>
>>Reported-by: Alexander Petrovskiy <alexpe@mellanox.com>
>>Signed-off-by: Jiri Pirko <jiri@mellanox.com>
> 
> Dave, could you please queue this up for 4.14.y together
> with "mlxsw: spectrum: Relax sanity checks during enslavement".

Both applied and queued up for -stable.

Patch

diff --git a/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c b/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c
index be657b8..434b392 100644
--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c
+++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c
@@ -3228,7 +3228,7 @@  static void __mlxsw_sp_nexthop_neigh_update(struct mlxsw_sp_nexthop *nh,
 {
 	if (!removing)
 		nh->should_offload = 1;
-	else if (nh->offloaded)
+	else
 		nh->should_offload = 0;
 	nh->update = 1;
 }