Subject: Re: [PATCH] bridge: mrp: Fix out-of-bounds read in br_mrp_parse
To: Horatiu Vultur, roopa@cumulusnetworks.com, davem@davemloft.net, kuba@kernel.org, andrew@lunn.ch, UNGLinuxDriver@microchip.com, bridge@lists.linux-foundation.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: syzbot+9c6f0f1f8e32223df9a4@syzkaller.appspotmail.com
References: <20200525095541.46673-1-horatiu.vultur@microchip.com>
From: Nikolay Aleksandrov
Date: Mon, 25 May 2020 11:34:17 +0300
In-Reply-To: <20200525095541.46673-1-horatiu.vultur@microchip.com>

On 25/05/2020 12:55, Horatiu Vultur wrote:
> The issue was reported by syzbot. When the function br_mrp_parse was
> called with a valid net_bridge_port, the net_bridge was an invalid
> pointer. Therefore the check br->stp_enabled could pass/fail
> depending where it was pointing in memory.
> The fix consists of setting the net_bridge pointer if the port is a
> valid pointer.
>
> Reported-by: syzbot+9c6f0f1f8e32223df9a4@syzkaller.appspotmail.com
> Fixes: 6536993371fa ("bridge: mrp: Integrate MRP into the bridge")
> Signed-off-by: Horatiu Vultur
> ---
> net/bridge/br_mrp_netlink.c | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/net/bridge/br_mrp_netlink.c b/net/bridge/br_mrp_netlink.c
> index 397e7f710772a..4a08a99519b04 100644
> --- a/net/bridge/br_mrp_netlink.c
> +++ b/net/bridge/br_mrp_netlink.c
> @@ -27,6 +27,12 @@ int br_mrp_parse(struct net_bridge *br, struct net_bridge_port *p,
> struct nlattr *tb[IFLA_BRIDGE_MRP_MAX + 1];
> int err;
>
> + /* When this function is called for a port then the br pointer is
> + * invalid, therefor set the br to point correctly
> + */
> + if (p)
> + br = p->br;
> +
> if (br->stp_enabled != BR_NO_STP) {
> NL_SET_ERR_MSG_MOD(extack, "MRP can't be enabled if STP is already enabled");
> return -EINVAL;
>

You should tag the fix for net-next when it's intended for it.

Acked-by: Nikolay Aleksandrov
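Review bot: the added `if (p) br = p->br;` silently replaces the `br` argument whenever a port is passed, and the only record of that contract is the in-line comment "When this function is called for a port then the br pointer is invalid"; state that contract at the function's definition (or have the caller pass a valid `br` alongside `p`), otherwise a future caller that passes both a valid `br` and a `p` has its `br` discarded with no indication. Minor: "therefor" in the comment should read "therefore".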