The result of nlmsg_find_attr() 'br_spec' is dereferenced in nla_for_each_nested(), but it can take null value in nla_find() function, which will result in an error.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: 51616018dd1b ("i40e: Add support for getlink, setlink ndo ops")
Signed-off-by: Natalia Petrova n.petrova@fintech.ru
Reviewed-by: Jesse Brandeburg jesse.brandeburg@intel.com
---
v2: The remark about the error code by Simon Horman simon.horman@corigine.com was taken into account; return value -ENOENT was changed to -EINVAL.

 drivers/net/ethernet/intel/i40e/i40e_main.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c index 53d0083e35da..4626d2a1af91 100644 --- a/drivers/net/ethernet/intel/i40e/i40e_main.c +++ b/drivers/net/ethernet/intel/i40e/i40e_main.c @@ -13167,6 +13167,8 @@ static int i40e_ndo_bridge_setlink(struct net_device *dev, }
br_spec = nlmsg_find_attr(nlh, sizeof(struct ifinfomsg), IFLA_AF_SPEC); + if (!br_spec) + return -EINVAL;
nla_for_each_nested(attr, br_spec, rem) { __u16 mode;
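Review bot: The early return added right after nlmsg_find_attr() is a bare `return -EINVAL`, and neither the code nor the description says what actually goes wrong without it; the description only states that the NULL value "will result in an error". Since br_spec is passed straight to nla_for_each_nested(), which dereferences it, the commit message should say that a request carrying no IFLA_AF_SPEC attribute leads to a NULL pointer dereference there, and a one-line comment above `if (!br_spec)` naming the missing attribute would make the reason for the -EINVAL clear to later readers.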
Hi,
Thanks for your patch.
FYI: kernel test robot notices the stable kernel rule is not satisfied.
Rule: 'Cc: stable@vger.kernel.org' or 'commit <sha1> upstream.'
Subject: [PATCH v2] i40e: Add checking for null for nlmsg_find_attr()
Link: https://lore.kernel.org/stable/20230130221106.19267-1-n.petrova%40fintech.ru
The check is based on https://www.kernel.org/doc/html/latest/process/stable-kernel-rules.html
On Tue, Jan 31, 2023 at 01:11:06AM +0300, Natalia Petrova wrote:
> The result of nlmsg_find_attr() 'br_spec' is dereferenced in nla_for_each_nested(), but it can take null value in nla_find() function, which will result in an error.
>
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>
> Fixes: 51616018dd1b ("i40e: Add support for getlink, setlink ndo ops")
> Signed-off-by: Natalia Petrova n.petrova@fintech.ru
> Reviewed-by: Jesse Brandeburg jesse.brandeburg@intel.com
>
> v2: The remark about the error code by Simon Horman simon.horman@corigine.com was taken into account; return value -ENOENT was changed to -EINVAL.
>
>  drivers/net/ethernet/intel/i40e/i40e_main.c | 2 ++
>  1 file changed, 2 insertions(+)
<formletter>
This is not the correct way to submit patches for inclusion in the stable kernel tree. Please read: https://www.kernel.org/doc/html/latest/process/stable-kernel-rules.html for how to do this properly.
</formletter>
On Tue, Jan 31, 2023 at 06:17:49AM +0100, Greg Kroah-Hartman wrote:
> On Tue, Jan 31, 2023 at 01:11:06AM +0300, Natalia Petrova wrote:
> > The result of nlmsg_find_attr() 'br_spec' is dereferenced in nla_for_each_nested(), but it can take null value in nla_find() function, which will result in an error.
> >
> > Found by Linux Verification Center (linuxtesting.org) with SVACE.
> >
> > Fixes: 51616018dd1b ("i40e: Add support for getlink, setlink ndo ops")
> > Signed-off-by: Natalia Petrova n.petrova@fintech.ru
> > Reviewed-by: Jesse Brandeburg jesse.brandeburg@intel.com
> >
> > v2: The remark about the error code by Simon Horman simon.horman@corigine.com was taken into account; return value -ENOENT was changed to -EINVAL.
> >
> >  drivers/net/ethernet/intel/i40e/i40e_main.c | 2 ++
> >  1 file changed, 2 insertions(+)
>
> <formletter>
>
> This is not the correct way to submit patches for inclusion in the stable kernel tree. Please read: https://www.kernel.org/doc/html/latest/process/stable-kernel-rules.html for how to do this properly.
>
> </formletter>
Hi Natalia,
offering some friendly guidance here.
It seems to me that the problem you have highlighted is present in current upstream code, and thus should be addressed there.
If it is considered a bug fix, then it should be targeted at the 'net' tree. If the patch is accepted, into the release currently being worked on (v6.2), backporting to older kernels can follow from there. Otherwise it can be targeted at 'net-next', for inclusion in the following release (v6.3).
As I think might have been mentioned, elsewhere, for networking changes, you should indicate the target tree in the subject. E.g. for net
Subject: [PATCH v3] i40e: Check if nlmsg_find_attr() returns null
The above also incorporates a suggested enhancement to the subject text.
I believe there was also a typo spotted in the patch description: finction -> function
In all, my suggestion would be to address these problems as a v3. I do not believe that you need to include stable@vger.kernel.org or Greg on the recipient list, as the patch would be for 'net' or 'net-next', not stable.