From patchwork Tue Mar 13 05:32:00 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Josh Elsasser <jelsasser@appneta.com>
X-Patchwork-Id: 884986
X-Patchwork-Delegate: davem@davemloft.net
Return-Path: <netdev-owner@vger.kernel.org>
X-Original-To: patchwork-incoming@ozlabs.org
Delivered-To: patchwork-incoming@ozlabs.org
Authentication-Results: ozlabs.org;
	spf=none (mailfrom) smtp.mailfrom=vger.kernel.org
	(client-ip=209.132.180.67; helo=vger.kernel.org;
	envelope-from=netdev-owner@vger.kernel.org;
	receiver=<UNKNOWN>)
Authentication-Results: ozlabs.org; dmarc=pass (p=quarantine dis=none)
	header.from=appneta.com
Authentication-Results: ozlabs.org; dkim=pass (1024-bit key;
	unprotected) header.d=appneta.com header.i=@appneta.com
	header.b="GioQIY8O"; dkim-atps=neutral
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by ozlabs.org (Postfix) with ESMTP id 400k8K5B80z9sSh
	for <patchwork-incoming@ozlabs.org>;
	Tue, 13 Mar 2018 16:35:13 +1100 (AEDT)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1751673AbeCMFe4 (ORCPT <rfc822;patchwork-incoming@ozlabs.org>);
	Tue, 13 Mar 2018 01:34:56 -0400
Received: from mail-pg0-f66.google.com ([74.125.83.66]:39689 "EHLO
	mail-pg0-f66.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1750784AbeCMFez (ORCPT
	<rfc822;netdev@vger.kernel.org>); Tue, 13 Mar 2018 01:34:55 -0400
Received: by mail-pg0-f66.google.com with SMTP id e3so7535456pga.6
	for <netdev@vger.kernel.org>; Mon, 12 Mar 2018 22:34:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=appneta.com; s=google;
	h=from:to:cc:subject:date:message-id:in-reply-to:references;
	bh=+C9QRfiazf9HUsqnEssuj2nDukPSST/RcV5959A9/EA=;
	b=GioQIY8OBjHH4XskJhzMQ9kbRd+B9GtQoR1mHb16CbI8+AxAaZqipkTfiIXOpalYhw
	nMDRPDdqEp1IEH6tkzYMhSFmLmCAzzmKRhvgGa++aZKBueSGbZJ3pTA5edqIUfZlpVCP
	WLQi3MAup3qnvZe5d0b4kxtfYF2vcbBsOfL1M=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
	:references;
	bh=+C9QRfiazf9HUsqnEssuj2nDukPSST/RcV5959A9/EA=;
	b=slpFdmEi1S5zGCT856bmclRe5l1DFti7dyfk3/K+yUXa09bnEPDQqNLl/MEUoy2hCN
	fOsnNn67sto+oO1eDPttTeVvITm+oaF5ScFITOYWaYJbAwGSr0hCs7qXw/lPj8kWlXNa
	dMy3DWw9X0sKaQfp4ydLRWOfmyIbZoVcYv1XnzKagKlT3rbE+N763sxVDJ7ZNv+olLRQ
	n5ZZ+wHmtYbjLjg0JJwOF9scoCJYHiCUEH6ott66m74dmi6wjS5epNW4fawyQ7CB4XtR
	TIvC9eAGJk6Kd3xSy7VlzYRTIwiE8OqOAt9dooPCQo3e/TcdXCIOksz9lxiRFbhMZglu
	OSmA==
X-Gm-Message-State: AElRT7Htx5Ordf6DBBW9VD8vtx1+KO5piGBxgebvOOeczAQCDfp4yQfm
	go6rPKar/YJtjmstjWPch+/g
X-Google-Smtp-Source: 
 AG47ELtT093xv1ThQRSy0Rybp7n1ExksUEpSO6CX0TnaDWCEMgzgx++af/w3YxxrpKAOZSbqHgA6iA==
X-Received: by 10.99.63.14 with SMTP id m14mr8579894pga.174.1520919294909;
	Mon, 12 Mar 2018 22:34:54 -0700 (PDT)
Received: from debian8-stable-jae.jaalam.net
	(d173-180-161-165.bchsia.telus.net. [173.180.161.165])
	by smtp.gmail.com with ESMTPSA id
	c14sm16695807pfn.185.2018.03.12.22.34.53
	(version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128);
	Mon, 12 Mar 2018 22:34:54 -0700 (PDT)
From: Josh Elsasser <jelsasser@appneta.com>
To: davem@davemloft.net
Cc: Josh Elsasser <jelsasser@appneta.com>, Greg Kroah-Hartman
	<gregkh@linuxfoundation.org>, Eric Dumazet <edumazet@google.com>,
	Willem de Bruijn <willemb@google.com>, Alexander Potapenko
	<glider@google.com>,         Cong Wang <xiyou.wangcong@gmail.com>,
	Vlad Yasevich <vyasevich@gmail.com>, =?utf-8?q?Michal_Kube=C4=8Dek?=
	<mkubecek@suse.cz>, netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH v2 1/1] net: check before dereferencing netdev_ops during
	busy poll
Date: Mon, 12 Mar 2018 22:32:00 -0700
Message-Id: <20180313053248.13654-2-jelsasser@appneta.com>
X-Mailer: git-send-email 2.11.0
In-Reply-To: <20180313053248.13654-1-jelsasser@appneta.com>
References: <20180313053248.13654-1-jelsasser@appneta.com>
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
List-ID: <netdev.vger.kernel.org>
X-Mailing-List: netdev@vger.kernel.org

init_dummy_netdev() leaves its netdev_ops pointer zeroed. This leads
to a NULL pointer dereference when sk_busy_loop fires against an iwlwifi
wireless adapter and checks napi->dev->netdev_ops->ndo_busy_poll.

Avoid this by ensuring napi->dev->netdev_ops is valid before following
the pointer, avoiding the following panic when busy polling on a dummy
netdev:

  BUG: unable to handle kernel NULL pointer dereference at 00000000000000c8
  IP: [<ffffffff817b4b72>] sk_busy_loop+0x92/0x2f0
  Call Trace:
   [<ffffffff815a3134>] ? uart_write_room+0x74/0xf0
   [<ffffffff817964a9>] sock_poll+0x99/0xa0
   [<ffffffff81223142>] do_sys_poll+0x2e2/0x520
   [<ffffffff8118d3fc>] ? get_page_from_freelist+0x3bc/0xa30
   [<ffffffff810ada22>] ? update_curr+0x62/0x140
   [<ffffffff811ea671>] ? __slab_free+0xa1/0x2a0
   [<ffffffff811ea671>] ? __slab_free+0xa1/0x2a0
   [<ffffffff8179dbb1>] ? skb_free_head+0x21/0x30
   [<ffffffff81221bd0>] ? poll_initwait+0x50/0x50
   [<ffffffff811eaa36>] ? kmem_cache_free+0x1c6/0x1e0
   [<ffffffff815a4884>] ? uart_write+0x124/0x1d0
   [<ffffffff810bd1cd>] ? remove_wait_queue+0x4d/0x60
   [<ffffffff810bd224>] ? __wake_up+0x44/0x50
   [<ffffffff81582731>] ? tty_write_unlock+0x31/0x40
   [<ffffffff8158c5c6>] ? tty_ldisc_deref+0x16/0x20
   [<ffffffff81584820>] ? tty_write+0x1e0/0x2f0
   [<ffffffff81587e50>] ? process_echoes+0x80/0x80
   [<ffffffff8120c17b>] ? __vfs_write+0x2b/0x130
   [<ffffffff8120d09a>] ? vfs_write+0x15a/0x1a0
   [<ffffffff81223455>] SyS_poll+0x75/0x100
   [<ffffffff819a6524>] entry_SYSCALL_64_fastpath+0x24/0xcf

Commit 79e7fff47b7b ("net: remove support for per driver ndo_busy_poll()")
indirectly fixed this upstream in linux-4.11 by removing the offending
pointer usage. No other users of napi->dev touch its netdev_ops.

Fixes: 060212928670 ("net: add low latency socket poll")
Fixes: ce6aea93f751 ("net: network drivers no longer need to implement ndo_busy_poll()") - 4.9.y
Signed-off-by: Josh Elsasser <jelsasser@appneta.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
---
 net/core/dev.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/net/core/dev.c b/net/core/dev.c
index 8898618bf341..1f50c131ed15 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -5042,7 +5042,10 @@ bool sk_busy_loop(struct sock *sk, int nonblock)
 		goto out;
 
 	/* Note: ndo_busy_poll method is optional in linux-4.5 */
-	busy_poll = napi->dev->netdev_ops->ndo_busy_poll;
+	if (napi->dev->netdev_ops)
+		busy_poll = napi->dev->netdev_ops->ndo_busy_poll;
+	else
+		busy_poll = NULL;
 
 	do {
 		rc = 0;