Commit 893a734
net: rmnet: fix NULL pointer dereference in rmnet_newlink()
rmnet registers IFLA_LINK interface as a lower interface.
But, IFLA_LINK could be NULL.
In the current code, rmnet doesn't check IFLA_LINK.
So, panic would occur.

Test commands:
    modprobe rmnet
    ip link add rmnet0 type rmnet mux_id 1

Splat looks like:
[ 79.718433][ T923] general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 I
[ 79.721234][ T923] KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
[ 79.722852][ T923] CPU: 0 PID: 923 Comm: ip Not tainted 5.5.0+ #394
[ 79.723897][ T923] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
[ 79.725395][ T923] RIP: 0010:rmnet_newlink+0x54/0x510 [rmnet]
[ 79.726349][ T923] Code: 83 ec 18 48 c1 e9 03 80 3c 01 00 0f 85 d4 03 00 00 48 8b 6a 28 48 b8 00 00 00 00 00 fc ff dc
[ 79.729114][ T923] RSP: 0018:ffff88804cc9f1c0 EFLAGS: 00010247
[ 79.729970][ T923] RAX: dffffc0000000000 RBX: ffff8880620dfa00 RCX: 1ffff11009993e99
[ 79.731122][ T923] RDX: 0000000000000000 RSI: ffff888064f34000 RDI: 0000000000000004
[ 79.732389][ T923] RBP: 0000000000000000 R08: ffff88804cc9f8b0 R09: ffff8880644f0990
[ 79.733533][ T923] R10: ffffffffc04cfa40 R11: ffffed100c89e137 R12: ffffffff96ceacc0
[ 79.734810][ T923] R13: ffff888064f34000 R14: ffff88804cc9f8b0 R15: ffff888064f34000
[ 79.736102][ T923] FS: 00007f11d83b60c0(0000) GS:ffff88806c000000(0000) knlGS:0000000000000000
[ 79.737509][ T923] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 79.738430][ T923] CR2: 00005614e7c6bb00 CR3: 0000000064d58006 CR4: 00000000000606f0
[ 79.739545][ T923] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 79.740663][ T923] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 79.741786][ T923] Call Trace:
[ 79.742244][ T923] __rtnl_newlink+0xbdb/0x1270
[ 79.742846][ T923] ? lock_downgrade+0x6e0/0x6e0
[ 79.743450][ T923] ? rtnl_link_unregister+0x220/0x220
[ 79.744122][ T923] ? lock_acquire+0x164/0x3b0
[ 79.744724][ T923] ? is_bpf_image_address+0xff/0x1d0
[ 79.745397][ T923] ? rtnl_newlink+0x4c/0x90
[ 79.745958][ T923] ? kernel_text_address+0x111/0x140
[ 79.746621][ T923] ? __kernel_text_address+0xe/0x30
[ 79.747270][ T923] ? unwind_get_return_address+0x5f/0xa0
[ 79.747974][ T923] ? create_prof_cpu_mask+0x20/0x20
[ 79.748635][ T923] ? arch_stack_walk+0x83/0xb0
[ 79.749238][ T923] ? stack_trace_save+0x82/0xb0
[ 79.749850][ T923] ? stack_trace_consume_entry+0x160/0x160
[ 79.750574][ T923] ? deactivate_slab.isra.78+0x2c5/0x800
[ 79.751306][ T923] ? kasan_unpoison_shadow+0x30/0x40
[ 79.751971][ T923] ? kmem_cache_alloc_trace+0x135/0x350
[ 79.752671][ T923] ? rtnl_newlink+0x4c/0x90
[ 79.753239][ T923] rtnl_newlink+0x65/0x90
[ ... ]
Fixes: ceed73a ("drivers: net: ethernet: qualcomm: rmnet: Initial implementation")
Signed-off-by: Taehee Yoo <ap420073@gmail.com>

1 parent a8e41f6 commit 893a734

1 file changed, +5 -0 lines changed

| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
135 | 135 | | |
136 | 136 | | |
137 | 137 | | |
| 138 | + | |
| 139 | + | |
| 140 | + | |
| 141 | + | |
| 142 | + | |
138 | 143 | | |
139 | 144 | | |
140 | 145 | | |
| |||
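
Review bot: the five added lines (new lines 138-142) are the whole change, +5/-0 in one file, so the reproducer from the commit message, `ip link add rmnet0 type rmnet mux_id 1` with no `link` argument, is not captured as a regression test. Consider adding that command to a selftest that asserts it now fails cleanly instead of faulting in rmnet_newlink(). It is also worth confirming that the new IFLA_LINK check sits ahead of the first use of that attribute in the function, since the reported fault is at rmnet_newlink+0x54, very early in the function body.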