Received: by 2002:ac0:a581:0:0:0:0:0 with SMTP id m1-v6csp26961imm;
        Thu, 21 Jun 2018 13:15:53 -0700 (PDT)
X-Google-Smtp-Source: ADUXVKJUf2k0iSLImeIPCRUMbGHsOxZszkJmgAXYkvUXCrteQehECg4RDHrsB2P0RTawN7Ol8Zd5
X-Received: by 2002:a63:186:: with SMTP id 128-v6mr23450402pgb.138.1529612153197;
        Thu, 21 Jun 2018 13:15:53 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1529612153; cv=none;
        d=google.com; s=arc-20160816;
        b=rPvzy5LXQnPe/hJsZwwaQafcTRhjgzDl6oV16xtiJXPBlq0xcIwjOgADrhGgCaqX6Q
         sYKBvHoHp9oPOt1MdqfO0HOF4gIHXjo8fnDsm6Q5aUswAjtRWavdF7IGbLA1o17Tt0xU
         sDqzhexrqBjJXdCQyKkBf9APSkQlPuWVNd/XPK54mcbva+HkshiGvE8rUtdIfoVIAML6
         vnd1Gyl3UXNarew+eYNOBmUUjaguRsJpDayXihozE7ZRWoMM7JZm/8q9K96mN3jh5BY0
         mXhH67EGmucoE79+bQBKUjf6cPFfuuR1Y9ZMIWq44fSBwAtngywH/eqnoN1bSt/ioeD6
         a/6w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:message-id:date:subject:cc:to:from
         :dkim-signature:arc-authentication-results;
        bh=PBJi5chp3HZzw5kkLKHlKCBDe5LsJc9Lk7cWakQM+Uc=;
        b=cuZT8UMMdApjM85+Am+VHMpSBI874dM5AzBVO33drZwNRVq2aBxO6/uZuSoz/dQ2XJ
         xFWGQlTSnHcLFipr73OzWAbr2uUfraERWL8yhuvjYhkvA2EHoLGgzMEmzLSYDosdeWfu
         cbPHS6lNz4IPX22K61wI9abRIcC0l6mY9qblj6pLB0kWG5kembIDDP9kJknQDOTq5uz4
         Sjq74AUq+xQcRXd2pIeLAFFcM+izAOZeTGpq844Da+u+BRW6b3WhtpJ/dCNP71vzXNsq
         qH3jALsbHJrpkdtd8Q3mO9zMieYMmRmrCdkG7J8nk3YKvTbfDf7rGGcQEAcCH+03Ptqe
         Ztwg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=ddIpZeRc;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id f69-v6si4504656pgc.551.2018.06.21.13.15.38;
        Thu, 21 Jun 2018 13:15:53 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=ddIpZeRc;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S933274AbeFUUO5 (ORCPT <rfc822;rajatbajpailinux@gmail.com>
        + 99 others); Thu, 21 Jun 2018 16:14:57 -0400
Received: from mail-wr0-f196.google.com ([209.85.128.196]:35644 "EHLO
        mail-wr0-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S933131AbeFUUOy (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 21 Jun 2018 16:14:54 -0400
Received: by mail-wr0-f196.google.com with SMTP id l8-v6so4447969wrr.2;
        Thu, 21 Jun 2018 13:14:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=from:to:cc:subject:date:message-id;
        bh=PBJi5chp3HZzw5kkLKHlKCBDe5LsJc9Lk7cWakQM+Uc=;
        b=ddIpZeRccOMiiKGlwy/00tO4UnBlZYaBk1i7ZlgEKakiRkplbpjCC0+k+l2VrPnDIL
         CfSF2AU4YzzHLrnZiZIhQsGMe8LxbITzbZJnqGvAppFomDXGYn5Rm9YoXtcb6Kv5DHnA
         k+lch0MmFzOClMzqT0FmImfFxAeKiDyFeR40rMRzNau6Q5aqmdNOo0F4finASRN14bY2
         R7B09W2VZJk8yz2I6661X8yw63+N62fhVWtoei6QV0w+YnvCY8Dv6XN9GfyCZgBpe/vQ
         etS2lIKiUvLMQzHr1BdBFmKhUkEfNhFzT1OiaLYDCPWmeKmFCpTBrJhMOoy7KxnMoIxo
         q78w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:from:to:cc:subject:date:message-id;
        bh=PBJi5chp3HZzw5kkLKHlKCBDe5LsJc9Lk7cWakQM+Uc=;
        b=FPFgIIbeYRJGEV0hn5QlHoqqVddlRMMkvUxjiLgdhfiTrETPy9LPsxQbLpE1cPzfDG
         vNIRYUaniJrcu2pf7ORCE4nOrlW7NyvBZJIhdRwB6K7TloqfZMgNdKcwZq2YKwkPY2V/
         S9NFPlUdhnobujy1NVwXTT7lwghUg/BpHaJPVDHQIrkRjQPMjOJv6gufhYzB7GPN4eer
         se/r0NDEYqSwQBcqLfz054wMy6iANTXvIrt0/2Qvms8nMwzwUA4RzlMsM34pkgnIDTzn
         HoBQMpWJsukxFlR1njg7TyV1i6nXD0lQ/vSQHAdbxRiuWNcl9q/fh+o+j7IBuEGq25YP
         CvDg==
X-Gm-Message-State: APt69E33h+7S18WN0MACsxLFYZiiJIt5fOqu0KsxTAt9cZlBEJz+DMyt
        JmGjIo9Xxl0q9xGHXKzXTkww6JI=
X-Received: by 2002:adf:f546:: with SMTP id j6-v6mr21779774wrp.241.1529612092687;
        Thu, 21 Jun 2018 13:14:52 -0700 (PDT)
Received: from localhost.Home ([2a02:c7d:9bd5:a300:d0b3:e272:20b0:ca8a])
        by smtp.gmail.com with ESMTPSA id n18-v6sm8950136wrj.58.2018.06.21.13.14.51
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Thu, 21 Jun 2018 13:14:52 -0700 (PDT)
From:   Garry McNulty <garrmcnu@gmail.com>
To:     netdev@vger.kernel.org
Cc:     stephen@networkplumber.org, davem@davemloft.net, jiri@resnulli.us,
        nikolay@cumulusnetworks.com, bridge@lists.linux-foundation.org,
        linux-kernel@vger.kernel.org, Garry McNulty <garrmcnu@gmail.com>
Subject: [PATCH] net: bridge: fix potential null pointer dereference on return from br_port_get_rtnl()
Date:   Thu, 21 Jun 2018 21:14:27 +0100
Message-Id: <20180621201427.4961-1-garrmcnu@gmail.com>
X-Mailer: git-send-email 2.9.5
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

br_port_get_rtnl() can return NULL if the network device is not a bridge
port (IFF_BRIDGE_PORT flag not set). br_port_slave_changelink() and
br_port_fill_slave_info() callbacks dereference this pointer without
checking. Currently this is not a problem because slave devices always
set this flag. Add null check in case these conditions ever change.

Detected by CoverityScan, CID 1339613 ("Dereference null return value")

Signed-off-by: Garry McNulty <garrmcnu@gmail.com>
---
 net/bridge/br_netlink.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/net/bridge/br_netlink.c b/net/bridge/br_netlink.c
index 9f5eb05b0373..b3ad135b7157 100644
--- a/net/bridge/br_netlink.c
+++ b/net/bridge/br_netlink.c
@@ -947,13 +947,14 @@ static int br_port_slave_changelink(struct net_device *brdev,
 				    struct netlink_ext_ack *extack)
 {
 	struct net_bridge *br = netdev_priv(brdev);
+	struct net_bridge_port *p = br_port_get_rtnl(dev);
 	int ret;
 
-	if (!data)
+	if (!data || !p)
 		return 0;
 
 	spin_lock_bh(&br->lock);
-	ret = br_setport(br_port_get_rtnl(dev), data);
+	ret = br_setport(p, data);
 	spin_unlock_bh(&br->lock);
 
 	return ret;
@@ -963,7 +964,9 @@ static int br_port_fill_slave_info(struct sk_buff *skb,
 				   const struct net_device *brdev,
 				   const struct net_device *dev)
 {
-	return br_port_fill_attrs(skb, br_port_get_rtnl(dev));
+	struct net_bridge_port *p = br_port_get_rtnl(dev);
+
+	return p ? br_port_fill_attrs(skb, p) : -EINVAL;
 }
 
 static size_t br_port_get_slave_size(const struct net_device *brdev,
-- 
2.14.4