From patchwork Thu Mar 18 23:19:38 2010
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Eric Dumazet <eric.dumazet@gmail.com>
X-Patchwork-Id: 48085
X-Patchwork-Delegate: davem@davemloft.net
Return-Path: <netdev-owner@vger.kernel.org>
X-Original-To: patchwork-incoming@ozlabs.org
Delivered-To: patchwork-incoming@ozlabs.org
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by ozlabs.org (Postfix) with ESMTP id A6728B7C06
	for <patchwork-incoming@ozlabs.org>;
	Fri, 19 Mar 2010 10:19:47 +1100 (EST)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1751735Ab0CRXTn (ORCPT <rfc822;patchwork-incoming@ozlabs.org>);
	Thu, 18 Mar 2010 19:19:43 -0400
Received: from mail-bw0-f209.google.com ([209.85.218.209]:65327 "EHLO
	mail-bw0-f209.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1751622Ab0CRXTm (ORCPT
	<rfc822;netdev@vger.kernel.org>); Thu, 18 Mar 2010 19:19:42 -0400
Received: by bwz1 with SMTP id 1so2553941bwz.21
	for <netdev@vger.kernel.org>; Thu, 18 Mar 2010 16:19:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma;
	h=domainkey-signature:received:received:subject:from:to:cc
	:content-type:date:message-id:mime-version:x-mailer
	:content-transfer-encoding;
	bh=1iL7oxdLMhAKQx10CbX68v7XUb4HzT6gnVZA9f2Z2mE=;
	b=f/by06nYcGahCxCwu3kUWcqC9MrFM3ukKG3NTfeFJNw0Bw5+aK6gHZboIHgCNHqg1X
	Pd6NB3rA1nsdYtrnH5t06GOJxJE7L3ryw+FxkjmeLBT/6q623pxGeknp3jZNaiDPMbSR
	XC9ytujUmS3JBMMncvSbhqQiLGwBs0xalGI8Q=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma;
	h=subject:from:to:cc:content-type:date:message-id:mime-version
	:x-mailer:content-transfer-encoding;
	b=StHpbi32txD3gMvkLyiCN+kcoJfHf5+/WAGCRbcOgozEwEY0MRXzehJ1LRvzDnDXVn
	QYcMEbeE+JxFGCnNWE+B9JNlXdkQvIfi1MNGieL+XsF365fqgkfLFTobLKEfmWtn2AWY
	0BZGGQwWr+epf8rTfkfiyEGeVCVgCwlHX+A78=
Received: by 10.204.34.76 with SMTP id k12mr23865bkd.61.1268954380629;
	Thu, 18 Mar 2010 16:19:40 -0700 (PDT)
Received: from [127.0.0.1] (gw1.cosmosbay.com [212.99.114.194])
	by mx.google.com with ESMTPS id 13sm377810bwz.3.2010.03.18.16.19.39
	(version=SSLv3 cipher=RC4-MD5);
	Thu, 18 Mar 2010 16:19:40 -0700 (PDT)
Subject: [PATCH net-2.6] net: Potential null skb->dev dereference
From: Eric Dumazet <eric.dumazet@gmail.com>
To: David Miller <davem@davemloft.net>
Cc: netdev <netdev@vger.kernel.org>
Date: Fri, 19 Mar 2010 00:19:38 +0100
Message-ID: <1268954378.2894.201.camel@edumazet-laptop>
Mime-Version: 1.0
X-Mailer: Evolution 2.28.1 
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
List-ID: <netdev.vger.kernel.org>
X-Mailing-List: netdev@vger.kernel.org

When doing "ifenslave -d bond0 eth0", there is chance to get NULL
dereference in netif_receive_skb(), because dev->master suddenly becomes
NULL after we tested it.

We should use ACCESS_ONCE() to avoid this (or rcu_dereference())

Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
---
 include/linux/netdevice.h |    8 ++++----
 net/8021q/vlan_core.c     |    4 ++--
 net/core/dev.c            |    8 +++++---
 3 files changed, 11 insertions(+), 9 deletions(-)




--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h
index c79a88b..fa8b476 100644
--- a/include/linux/netdevice.h
+++ b/include/linux/netdevice.h
@@ -2059,12 +2059,12 @@ static inline void skb_bond_set_mac_by_master(struct sk_buff *skb,
  * duplicates except for 802.3ad ETH_P_SLOW, alb non-mcast/bcast, and
  * ARP on active-backup slaves with arp_validate enabled.
  */
-static inline int skb_bond_should_drop(struct sk_buff *skb)
+static inline int skb_bond_should_drop(struct sk_buff *skb,
+				       struct net_device *master)
 {
-	struct net_device *dev = skb->dev;
-	struct net_device *master = dev->master;
-
 	if (master) {
+		struct net_device *dev = skb->dev;
+
 		if (master->priv_flags & IFF_MASTER_ARPMON)
 			dev->last_rx = jiffies;
 
diff --git a/net/8021q/vlan_core.c b/net/8021q/vlan_core.c
index c0316e0..c584a0a 100644
--- a/net/8021q/vlan_core.c
+++ b/net/8021q/vlan_core.c
@@ -11,7 +11,7 @@ int __vlan_hwaccel_rx(struct sk_buff *skb, struct vlan_group *grp,
 	if (netpoll_rx(skb))
 		return NET_RX_DROP;
 
-	if (skb_bond_should_drop(skb))
+	if (skb_bond_should_drop(skb, ACCESS_ONCE(skb->dev->master)))
 		goto drop;
 
 	skb->skb_iif = skb->dev->ifindex;
@@ -83,7 +83,7 @@ vlan_gro_common(struct napi_struct *napi, struct vlan_group *grp,
 {
 	struct sk_buff *p;
 
-	if (skb_bond_should_drop(skb))
+	if (skb_bond_should_drop(skb, ACCESS_ONCE(skb->dev->master)))
 		goto drop;
 
 	skb->skb_iif = skb->dev->ifindex;
diff --git a/net/core/dev.c b/net/core/dev.c
index bcc490c..59d4394 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -2483,6 +2483,7 @@ int netif_receive_skb(struct sk_buff *skb)
 {
 	struct packet_type *ptype, *pt_prev;
 	struct net_device *orig_dev;
+	struct net_device *master;
 	struct net_device *null_or_orig;
 	struct net_device *null_or_bond;
 	int ret = NET_RX_DROP;
@@ -2503,11 +2504,12 @@ int netif_receive_skb(struct sk_buff *skb)
 
 	null_or_orig = NULL;
 	orig_dev = skb->dev;
-	if (orig_dev->master) {
-		if (skb_bond_should_drop(skb))
+	master = ACCESS_ONCE(orig_dev->master);
+	if (master) {
+		if (skb_bond_should_drop(skb, master))
 			null_or_orig = orig_dev; /* deliver only exact match */
 		else
-			skb->dev = orig_dev->master;
+			skb->dev = master;
 	}
 
 	__get_cpu_var(netdev_rx_stat).total++;