Commit a50a151e authored Mar 22, 2021 by Vladimir Oltean Committed by David S. Miller Mar 22, 2021

net: ipconfig: ic_dev can be NULL in ic_close_devs



ic_close_dev contains a generalization of the logic to not close a
network interface if it's the host port for a DSA switch. This logic is
disguised behind an iteration through the lowers of ic_dev in
ic_close_dev.

When no interface for ipconfig can be found, ic_dev is NULL, and
ic_close_dev:
- dereferences a NULL pointer when assigning selected_dev
- would attempt to search through the lower interfaces of a NULL
  net_device pointer

So we should protect against that case.

The "lower_dev" iterator variable was shortened to "lower" in order to
keep the 80 character limit.

Fixes: f68cbaed ("net: ipconfig: avoid use-after-free in ic_close_devs")
Fixes: 46acf7bd ("Revert "net: ipv4: handle DSA enabled master network devices"")
Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
Tested-by: Heiko Thiery <heiko.thiery@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

parent 6debc0fd

net/ipv4/ipconfig.c

+8 −6

Original line number	Diff line number	Diff line
		@@ -309,7 +309,7 @@ static int __init ic_open_devs(void)
		*/
		static void __init ic_close_devs(void)
		{
		struct net_device *selected_dev = ic_dev->dev;
		struct net_device *selected_dev = ic_dev ? ic_dev->dev : NULL;
		struct ic_device d, next;
		struct net_device *dev;

		@@ -317,18 +317,20 @@ static void __init ic_close_devs(void)
		next = ic_first_dev;
		while ((d = next)) {
		bool bring_down = (d != ic_dev);
		struct net_device *lower_dev;
		struct net_device *lower;
		struct list_head *iter;

		next = d->next;
		dev = d->dev;

		netdev_for_each_lower_dev(selected_dev, lower_dev, iter) {
		if (dev == lower_dev) {
		if (selected_dev) {
		netdev_for_each_lower_dev(selected_dev, lower, iter) {
		if (dev == lower) {
		bring_down = false;
		break;
		}
		}
		}
		if (bring_down) {
		pr_debug("IP-Config: Downing %s\n", dev->name);
		dev_change_flags(dev, d->flags, NULL);