Commit c630dee0 authored Jul 06, 2024 by Liu Jian

net: fix one NULL pointer dereference bug in net_rship module

hulk inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/IAAZJ8



--------------------------------

The call trace as below:
Call trace:
 __netdev_alloc_skb+0x8c/0x1e0
 ad_lacpdu_send+0x34/0x18c [bonding]
 ad_tx_machine+0xcc/0x174 [bonding]
 bond_3ad_state_machine_handler+0x120/0x470 [bonding]
 process_one_work+0x1d8/0x4e0
 worker_thread+0x154/0x420
 kthread+0x108/0x150
 ret_from_fork+0x10/0x18

It is caused by null pointer dereference in net_rship module.
The code path is as follows:
ad_lacpdu_send
  dev_alloc_skb
    netdev_alloc_skb(NULL, length) // dev is NULL
      __netdev_alloc_skb(dev, length, GFP_ATOMIC)
	net_rship_skb_record_dev_rxinfo(skb, dev)
          // here dereference dev, it is NULL pointer, trigger issue.

So we should add null pointer check to avoid the issue.

Fixes: 64ba5634 ("net: add some bpf hooks in tcp stack for network numa relationship")
Signed-off-by: Liu Jian <liujian56@huawei.com>

parent 3486fdb9

include/net/net_rship.h

+3 −0

Original line number	Diff line number	Diff line
		@@ -222,6 +222,9 @@ static inline void net_rship_skb_record_dev_rxinfo(struct sk_buff *skb, struct n
		if (gnet_bpf_enabled(GNET_RCV_NIC_NODE)) {
		struct sched_net_rship_skb *ext = __get_skb_net_rship(skb);

		if (!dev)
		return;

		ext->rx_dev_idx = dev->ifindex;
		ext->rx_dev_net_cookie = dev_net(dev)->net_cookie;
		}