From patchwork Mon Jul  9 02:26:20 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jianbo Liu <jianbol@mellanox.com>
X-Patchwork-Id: 941082
X-Patchwork-Delegate: davem@davemloft.net
Return-Path: <netdev-owner@vger.kernel.org>
X-Original-To: patchwork-incoming-netdev@ozlabs.org
Delivered-To: patchwork-incoming-netdev@ozlabs.org
Authentication-Results: ozlabs.org;
	spf=none (mailfrom) smtp.mailfrom=vger.kernel.org
	(client-ip=209.132.180.67; helo=vger.kernel.org;
	envelope-from=netdev-owner@vger.kernel.org;
	receiver=<UNKNOWN>)
Authentication-Results: ozlabs.org; dmarc=fail (p=none dis=none)
	header.from=mellanox.com
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by ozlabs.org (Postfix) with ESMTP id 41P8NX3rbpz9s19
	for <patchwork-incoming-netdev@ozlabs.org>;
	Mon,  9 Jul 2018 12:26:52 +1000 (AEST)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1754368AbeGIC0p (ORCPT
	<rfc822;patchwork-incoming-netdev@ozlabs.org>);
	Sun, 8 Jul 2018 22:26:45 -0400
Received: from mail-il-dmz.mellanox.com ([193.47.165.129]:49965 "EHLO
	mellanox.co.il" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org
	with ESMTP id S1754317AbeGIC0o (ORCPT
	<rfc822;netdev@vger.kernel.org>); Sun, 8 Jul 2018 22:26:44 -0400
Received: from Internal Mail-Server by MTLPINE1 (envelope-from
	jianbol@mellanox.com)
	with ESMTPS (AES256-SHA encrypted); 9 Jul 2018 05:29:35 +0300
Received: from r-vrt-24-1.mtr.labs.mlnx. (r-vrt-24-1.mtr.labs.mlnx
	[10.213.24.1])
	by labmailer.mlnx (8.13.8/8.13.8) with ESMTP id w692QeYM008645;
	Mon, 9 Jul 2018 05:26:40 +0300
From: Jianbo Liu <jianbol@mellanox.com>
To: netdev@vger.kernel.org, davem@davemloft.net, jiri@resnulli.us,
	zahari.doychev@intel.com
Cc: Jianbo Liu <jianbol@mellanox.com>, Jamal Hadi Salim <jhs@mojatatu.com>,
	Cong Wang <xiyou.wangcong@gmail.com>
Subject: [PATCH net-next] net/sched: flower: Fix null pointer dereference
	when run tc vlan command
Date: Mon,  9 Jul 2018 02:26:20 +0000
Message-Id: <20180709022620.22168-1-jianbol@mellanox.com>
X-Mailer: git-send-email 2.9.5
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
List-ID: <netdev.vger.kernel.org>
X-Mailing-List: netdev@vger.kernel.org

Zahari issued tc vlan command without setting vlan_ethtype, which will
crash kernel. To avoid this, we must check tb[TCA_FLOWER_KEY_VLAN_ETH_TYPE]
is not null before use it.
Also we don't need to dump vlan_ethtype or cvlan_ethtype in this case.

Fixes: d64efd0926ba ('net/sched: flower: Add supprt for matching on QinQ vlan headers')
Signed-off-by: Jianbo Liu <jianbol@mellanox.com>
Reported-by: Zahari Doychev <zahari.doychev@intel.com>
---
 net/sched/cls_flower.c | 48 ++++++++++++++++++++++++++----------------------
 1 file changed, 26 insertions(+), 22 deletions(-)

diff --git a/net/sched/cls_flower.c b/net/sched/cls_flower.c
index 8fda5fa..6712e44 100644
--- a/net/sched/cls_flower.c
+++ b/net/sched/cls_flower.c
@@ -590,20 +590,22 @@ static int fl_set_key(struct net *net, struct nlattr **tb,
 					TCA_FLOWER_KEY_VLAN_PRIO, &key->vlan,
 					&mask->vlan);
 
-			ethertype = nla_get_be16(tb[TCA_FLOWER_KEY_VLAN_ETH_TYPE]);
-			if (eth_type_vlan(ethertype)) {
-				fl_set_key_vlan(tb, ethertype,
-						TCA_FLOWER_KEY_CVLAN_ID,
-						TCA_FLOWER_KEY_CVLAN_PRIO,
-						&key->cvlan, &mask->cvlan);
-				fl_set_key_val(tb, &key->basic.n_proto,
-					       TCA_FLOWER_KEY_CVLAN_ETH_TYPE,
-					       &mask->basic.n_proto,
-					       TCA_FLOWER_UNSPEC,
-					       sizeof(key->basic.n_proto));
-			} else {
-				key->basic.n_proto = ethertype;
-				mask->basic.n_proto = cpu_to_be16(~0);
+			if (tb[TCA_FLOWER_KEY_VLAN_ETH_TYPE]) {
+				ethertype = nla_get_be16(tb[TCA_FLOWER_KEY_VLAN_ETH_TYPE]);
+				if (eth_type_vlan(ethertype)) {
+					fl_set_key_vlan(tb, ethertype,
+							TCA_FLOWER_KEY_CVLAN_ID,
+							TCA_FLOWER_KEY_CVLAN_PRIO,
+							&key->cvlan, &mask->cvlan);
+					fl_set_key_val(tb, &key->basic.n_proto,
+						       TCA_FLOWER_KEY_CVLAN_ETH_TYPE,
+						       &mask->basic.n_proto,
+						       TCA_FLOWER_UNSPEC,
+						       sizeof(key->basic.n_proto));
+				} else {
+					key->basic.n_proto = ethertype;
+					mask->basic.n_proto = cpu_to_be16(~0);
+				}
 			}
 		} else {
 			key->basic.n_proto = ethertype;
@@ -1288,14 +1290,16 @@ static int fl_dump(struct net *net, struct tcf_proto *tp, void *fh,
 			 key->cvlan.vlan_tpid)))
 		goto nla_put_failure;
 
-	if (mask->cvlan.vlan_tpid) {
-		if (nla_put_be16(skb, TCA_FLOWER_KEY_CVLAN_ETH_TYPE,
-				 key->basic.n_proto))
-			goto nla_put_failure;
-	} else if (mask->vlan.vlan_tpid) {
-		if (nla_put_be16(skb, TCA_FLOWER_KEY_VLAN_ETH_TYPE,
-				 key->basic.n_proto))
-			goto nla_put_failure;
+	if (mask->basic.n_proto) {
+		if (mask->cvlan.vlan_tpid) {
+			if (nla_put_be16(skb, TCA_FLOWER_KEY_CVLAN_ETH_TYPE,
+					 key->basic.n_proto))
+				goto nla_put_failure;
+		} else if (mask->vlan.vlan_tpid) {
+			if (nla_put_be16(skb, TCA_FLOWER_KEY_VLAN_ETH_TYPE,
+					 key->basic.n_proto))
+				goto nla_put_failure;
+		}
 	}
 
 	if ((key->basic.n_proto == htons(ETH_P_IP) ||