From patchwork Tue Mar 16 03:10:05 2010
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Herbert Xu
X-Patchwork-Id: 47803
X-Patchwork-Delegate: davem@davemloft.net
Return-Path:
X-Original-To: patchwork-incoming@ozlabs.org
Delivered-To: patchwork-incoming@ozlabs.org
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 7D42EB7D88 for ; Tue, 16 Mar 2010 14:10:15 +1100 (EST)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S965966Ab0CPDKK (ORCPT ); Mon, 15 Mar 2010 23:10:10 -0400
Received: from rhun.apana.org.au ([64.62.148.172]:51578 "EHLO arnor.apana.org.au" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S965922Ab0CPDKI (ORCPT ); Mon, 15 Mar 2010 23:10:08 -0400
Received: from gondolin.me.apana.org.au ([192.168.0.6]) by arnor.apana.org.au with esmtp (Exim 4.63 #1 (Debian)) id 1NrNAU-0000Ql-TG; Tue, 16 Mar 2010 14:10:06 +1100
Received: from herbert by gondolin.me.apana.org.au with local (Exim 4.69) (envelope-from ) id 1NrNAT-0004dC-LS; Tue, 16 Mar 2010 11:10:05 +0800
Date: Tue, 16 Mar 2010 11:10:05 +0800
From: Herbert Xu
To: michael-dev@fami-braun.de
Cc: netdev@vger.kernel.org, "David S. Miller"
Subject: Re: [PATCH] BUG: unable to handle kernel NULL pointer dereference at br_multicast_leave_group
Message-ID: <20100316031005.GA17727@gondor.apana.org.au>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <4B9C49E7.1080703@fami-braun.de>
Organization: Core
X-Newsgroups: apana.lists.os.linux.netdev
User-Agent: Mutt/1.5.18 (2008-05-17)
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: netdev@vger.kernel.org

michael-dev@fami-braun.de wrote:
>
> I'm currently using linux-next and have been running into an OOPs which
> I think might be caused by a patch you submitted on 2010-02-27.
>
> It's a linux-next kernel from 2010-03-12 on an x86 system and it
> OOPs in the bridge module in br_mdp_ip_get (called by
> br_multicast_leave_group) because the br->mdb is null.

Thanks, there's actually another spot (the query handler) where
the same thing can happen. Here's a patch to fix them both.

bridge: Move NULL mdb check into br_mdb_ip_get

Since all callers of br_mdb_ip_get need to check whether the
hash table is NULL, this patch moves the check into the function.
This fixes the two callers (query/leave handler) that didn't
check it.

Reported-by: Michael Braun
Signed-off-by: Herbert Xu

Thanks,

diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c index fd96a8d..398221e 100644 --- a/net/bridge/br_multicast.c +++ b/net/bridge/br_multicast.c 
@@ -49,22 +49,23 @@ static struct net_bridge_mdb_entry *__br_mdb_ip_get( static struct net_bridge_mdb_entry *br_mdb_ip_get( struct net_bridge_mdb_htable *mdb, __be32 dst) { + if (!mdb) + return NULL; + return __br_mdb_ip_get(mdb, dst, br_ip_hash(mdb, dst)); } struct net_bridge_mdb_entry *br_mdb_get(struct net_bridge *br, struct sk_buff *skb) { - struct net_bridge_mdb_htable *mdb = br->mdb; - - if (!mdb || br->multicast_disabled) + if (br->multicast_disabled) return NULL; switch (skb->protocol) { case htons(ETH_P_IP): if (BR_INPUT_SKB_CB(skb)->igmp) break; - return br_mdb_ip_get(mdb, ip_hdr(skb)->daddr); + return br_mdb_ip_get(br->mdb, ip_hdr(skb)->daddr); } return NULL;
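Review bot: The new `if (!mdb)` guard in br_mdb_ip_get only protects callers that go through that wrapper; __br_mdb_ip_get, named in the hunk header, still receives mdb unchecked, so any code that calls it directly needs its own NULL test or should be routed through br_mdb_ip_get. A one-line comment above br_mdb_ip_get stating that a NULL mdb is accepted and yields NULL would document the new contract, since br_mdb_get now relies on it by passing br->mdb straight through after dropping its own `!mdb` test.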