[SRU] [B] [PATCH 0/2] Fix NULL pointer dereference in netvsc_probe()


[SRU] [B] [PATCH 0/2] Fix NULL pointer dereference in netvsc_probe()

Kai-Heng Feng
BugLink: https://bugs.launchpad.net/bugs/1814069

[Impact]
NULL pointer dereference in netvsc_probe(). Module hv_netvsc is included
in initramfs, so this blocks the boot process.

When Hyper-V only supports a single channel, rndis_filter_device_add()
bails early and jumps to tag "out". Subsequent code calls
rndis_filter_device_remove() and returns ERR_PTR(ret), where ret is
0 (success). Because of that, it passes the IS_ERR(nvdev) check in
netvsc_probe() and causes a NULL pointer dereference, as nvdev now is 0:

...
        if (nvdev->num_chn > 1)
                schedule_work(&nvdev->subchan_work);

[Fix]
Correctly return net_device at the end of rndis_filter_device_add().

[Test]
Users report positive result.

[Regression Potential]
Low. Trivial change, patches have been in upstream for some time.

Stephen Hemminger (1):
  hv/netvsc: fix handling of fallback to single queue mode

Takashi Iwai (1):
  hv/netvsc: Fix NULL dereference at single queue mode fallback

 drivers/net/hyperv/rndis_filter.c | 1 +
 1 file changed, 1 insertion(+)

--
2.17.1


--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team
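
Added illustration, not part of the posted series or the kernel source: a userspace C model of why the IS_ERR() check described in the cover letter lets a zero return through. The ERR_PTR/PTR_ERR/IS_ERR helpers mirror the kernel's include/linux/err.h; toy_dev, toy_device_add and toy_probe are hypothetical stand-ins for the driver code.

```c
#include <stdio.h>
#include <stdlib.h>

/* Userspace copy of the kernel's error-pointer helpers (include/linux/err.h). */
#define MAX_ERRNO 4095
static inline void *ERR_PTR(long error) { return (void *)error; }
static inline long PTR_ERR(const void *ptr) { return (long)ptr; }
static inline int IS_ERR(const void *ptr) { return (unsigned long)ptr >= (unsigned long)-MAX_ERRNO; }

/* Hypothetical stand-in for struct netvsc_device. */
struct toy_dev { unsigned int num_chn; };

/* Models the single-queue fallback, which is not an error (ret == 0). */
static struct toy_dev *toy_device_add(int fixed)
{
	struct toy_dev *dev = calloc(1, sizeof(*dev));
	int ret = 0;

	if (!dev)
		return ERR_PTR(-12);  /* -ENOMEM */
	dev->num_chn = 1;
	if (fixed)
		return dev;           /* corrected: hand the object back */
	free(dev);                    /* buggy: runs the cleanup path ... */
	return ERR_PTR(ret);          /* ... and ERR_PTR(0) is plain NULL */
}

/* Caller with an IS_ERR()-only check, as in the probe path.
 * Returns 0 on success, -errno on error, 1 where NULL would be dereferenced. */
static int toy_probe(int fixed)
{
	struct toy_dev *dev = toy_device_add(fixed);

	if (IS_ERR(dev))
		return (int)PTR_ERR(dev);
	if (!dev)
		return 1;  /* the driver has no such guard and oopses here */
	if (dev->num_chn > 1)
		puts("would schedule subchannel work");
	free(dev);
	return 0;
}

int main(void)
{
	printf("buggy: %d, fixed: %d\n", toy_probe(0), toy_probe(1));
	return 0;
}
```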

[PATCH 1/2] hv/netvsc: fix handling of fallback to single queue mode

Kai-Heng Feng
From: Stephen Hemminger <[hidden email]>

BugLink: https://bugs.launchpad.net/bugs/1814069

The netvsc device may need to fall back to running in single queue
mode if host side only wants to support single queue.

Recent change for handling mtu broke this in setup logic.

Reported-by: Dan Carpenter <[hidden email]>
Fixes: 3ffe64f1a641 ("hv_netvsc: split sub-channel setup into async and sync")
Signed-off-by: Stephen Hemminger <[hidden email]>
Signed-off-by: David S. Miller <[hidden email]>
(cherry picked from commit 916c5e1413be058d1c1f6e502db350df890730ce)
Signed-off-by: Kai-Heng Feng <[hidden email]>
---
 drivers/net/hyperv/rndis_filter.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/net/hyperv/rndis_filter.c b/drivers/net/hyperv/rndis_filter.c
index 3857df77771a..d9f75289cd0a 100644
--- a/drivers/net/hyperv/rndis_filter.c
+++ b/drivers/net/hyperv/rndis_filter.c
@@ -1299,6 +1299,7 @@ struct netvsc_device *rndis_filter_device_add(struct hv_device *dev,
  /* setting up multiple channels failed */
  net_device->max_chn = 1;
  net_device->num_chn = 1;
+ return 0;
 
 err_dev_remv:
  rndis_filter_device_remove(dev, net_device);
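
Review bot: `return 0;` on the added line returns a NULL pointer, since the hunk header shows rndis_filter_device_add() returns `struct netvsc_device *`. A caller that only tests the result with IS_ERR() will accept NULL as a valid device, so the single-queue fallback should end with `return net_device;` instead. Stopping before the err_dev_remv label is the right idea; only the returned value is wrong.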
--
2.17.1



[PATCH 2/2] hv/netvsc: Fix NULL dereference at single queue mode fallback

Kai-Heng Feng
In reply to this post by Kai-Heng Feng
From: Takashi Iwai <[hidden email]>

BugLink: https://bugs.launchpad.net/bugs/1814069

The recent commit 916c5e1413be ("hv/netvsc: fix handling of fallback
to single queue mode") tried to fix the fallback behavior to a single
queue mode, but it changed the function to return zero incorrectly,
while the function should return an object pointer.  Eventually this
leads to a NULL dereference at the callers that expect non-NULL
value.

Fix it by returning the proper net_device object.

Fixes: 916c5e1413be ("hv/netvsc: fix handling of fallback to single queue mode")
Signed-off-by: Takashi Iwai <[hidden email]>
Reviewed-by: Stephen Hemminger <[hidden email]>
Signed-off-by: David S. Miller <[hidden email]>
(cherry picked from commit b19b46346f483ae055fa027cb2d5c2ca91484b91)
Signed-off-by: Kai-Heng Feng <[hidden email]>
---
 drivers/net/hyperv/rndis_filter.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/hyperv/rndis_filter.c b/drivers/net/hyperv/rndis_filter.c
index d9f75289cd0a..88eb9545e454 100644
--- a/drivers/net/hyperv/rndis_filter.c
+++ b/drivers/net/hyperv/rndis_filter.c
@@ -1299,7 +1299,7 @@ struct netvsc_device *rndis_filter_device_add(struct hv_device *dev,
  /* setting up multiple channels failed */
  net_device->max_chn = 1;
  net_device->num_chn = 1;
- return 0;
+ return net_device;
 
 err_dev_remv:
  rndis_filter_device_remove(dev, net_device);
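
Review bot: The return contract of rndis_filter_device_add() is still not documented at the corrected `return net_device;` line. A short comment stating that the function returns either a valid device or an ERR_PTR() value, never NULL, would make a repeat of the bare `return 0;` less likely. Since 1/2 on its own leaves the NULL return in place, the two patches should also land together so that no bisect point carries it.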
--
2.17.1

