From: =?utf-8?B?67CV7IiY7ZiE?= <suhyun.park@ahnlab.com>
To: Eric Dumazet <eric.dumazet@gmail.com>
CC: Toshiaki Makita <makita.toshiaki@lab.ntt.co.jp>,
        Stephen Hemminger <stephen@networkplumber.org>,
        "David S. Miller" <davem@davemloft.net>,
        "bridge@lists.linux-foundation.org" 
	<bridge@lists.linux-foundation.org>,
        "netdev@vger.kernel.org" <netdev@vger.kernel.org>,
        "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Subject: RE: [PATCH] bridge: missing null bridge device check causing null
 pointer dereference (bugfix)
Thread-Topic: [PATCH] bridge: missing null bridge device check causing null
 pointer dereference (bugfix)
Thread-Index: AQHP+YqrhNePGBbJkEOg7Nz1l90pj5xSlqaAgACjdfD//6digIAAmgCg
Date: Thu, 6 Nov 2014 11:52:33 +0000
Message-ID: <8D1F1238A24CE743B8F3CED0F137C69E408AA143@EXMB02.ahnbang.ahnlab.com>
References: <1415255192-13584-1-git-send-email-suhyun.park@ahnlab.com>
	 <545B1E27.3080302@lab.ntt.co.jp>
	 <8D1F1238A24CE743B8F3CED0F137C69E408AA087@EXMB02.ahnbang.ahnlab.com>
 <1415273711.13896.67.camel@edumazet-glaptop2.roam.corp.google.com>
In-Reply-To: <1415273711.13896.67.camel@edumazet-glaptop2.roam.corp.google.com>
Accept-Language: ko-KR, en-US
Content-Language: ko-KR
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Sender: linux-kernel-owner@vger.kernel.org
Content-Transfer-Encoding: 8bit

My appologies,

I was working on kernel 3.2.30 when I hit the crash. I only looked at the up-to-date kernel for br_handle_frame function where I still found "p->state" reference.

Please disregard my patch.

Thanks,
Su-Hyun Park

-----Original Message-----
From: Eric Dumazet [mailto:eric.dumazet@gmail.com] 
Sent: Thursday, November 06, 2014 8:35 PM
To: 박수현
Cc: Toshiaki Makita; Stephen Hemminger; David S. Miller; bridge@lists.linux-foundation.org; netdev@vger.kernel.org; linux-kernel@vger.kernel.org
Subject: Re: [PATCH] bridge: missing null bridge device check causing null pointer dereference (bugfix)

On Thu, 2014-11-06 at 07:58 +0000, 박수현 wrote:
> >-----Original Message-----
> >From: Toshiaki Makita [mailto:makita.toshiaki@lab.ntt.co.jp]
> >Sent: Thursday, November 06, 2014 4:07 PM
> >To: 박수현; Stephen Hemminger; David S. Miller
> >Cc: bridge@lists.linux-foundation.org; netdev@vger.kernel.org; linux- 
> >kernel@vger.kernel.org
> >Subject: Re: [PATCH] bridge: missing null bridge device check causing 
> >null pointer dereference (bugfix)
> >
> >On 2014/11/06 15:26, Su-Hyun Park wrote:
> >> the bridge device can be null if the bridge is being deleted while 
> >> processing the packet, which causes the null pointer dereference in
> >switch statement.
> >
> >How can this happen??
> >It is guarded by rcu.
> >netdev_rx_handler_unregister() ensures rx_handler_data is non NULL.
> >
> 
> The RCU protect rx_handler_data, not the bridge member port. It can be NULL according to below code.
> 

Where do you find this 'below code' ?

Are you sending a patch for an old linux kernel ?

> static inline struct net_bridge_port *br_port_get_rcu(const struct net_device *dev) {
> 	struct net_bridge_port *port = rcu_dereference(dev->rx_handler_data);
> 	return br_port_exists(dev) ? port : NULL; }

Actual code is :

static inline struct net_bridge_port *br_port_get_rcu(const struct net_device *dev) {
	return rcu_dereference(dev->rx_handler_data);
}


> 
> The crash happens at the below switch statement in br_handle_frame, where p is NULL.
> 
> 	switch (p->state)

Is your tree really including the fix we already did to fix this issue ?

(commit 716ec052d2280d511e10e90ad54a86f5b5d4dcc2 )
bridge: fix NULL pointer deref of br_port_get_rcu


????{.n?+???????+%?????ݶ??w??{.n?+????{??G?????{ay?ʇڙ?,j??f???h?????????z_??(?階?ݢj"???m??????G????????????&???~???iO???z??v?^?m????????????I?