
[patch] hamradio: avoid null deref


Dan Carpenter

Dec 23, 2009, 8:30:02 AM
If dev == NULL we shouldn't dereference it.

Signed-off-by: Dan Carpenter <err...@gmail.com>

--- orig/drivers/net/hamradio/bpqether.c 2009-12-22 23:58:56.000000000 +0200
+++ devel/drivers/net/hamradio/bpqether.c 2009-12-22 23:59:46.000000000 +0200
@@ -283,7 +283,6 @@ static netdev_tx_t bpq_xmit(struct sk_bu
bpq = netdev_priv(dev);

if ((dev = bpq_get_ether_dev(dev)) == NULL) {
- dev->stats.tx_dropped++;
kfree_skb(skb);
return NETDEV_TX_OK;
}
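
Review bot: In the NULL branch of bpq_xmit(), deleting dev->stats.tx_dropped++ removes the crash but also stops counting the dropped frame: the skb is freed and NETDEV_TX_OK is returned with no statistic updated. Because dev is overwritten by the assignment inside the if condition, the device that was passed in is no longer reachable in that branch; saving it in a separate pointer before the call and incrementing tx_dropped through that pointer would keep the counter and still avoid the dereference.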
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majo...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Jarek Poplawski

Dec 23, 2009, 12:50:01 PM
Dan Carpenter wrote, On 12/23/2009 02:25 PM:

> If dev == NULL we shouldn't dereference it.
>
> Signed-off-by: Dan Carpenter <err...@gmail.com>
>
> --- orig/drivers/net/hamradio/bpqether.c 2009-12-22 23:58:56.000000000 +0200
> +++ devel/drivers/net/hamradio/bpqether.c 2009-12-22 23:59:46.000000000 +0200
> @@ -283,7 +283,6 @@ static netdev_tx_t bpq_xmit(struct sk_bu
> bpq = netdev_priv(dev);
>
> if ((dev = bpq_get_ether_dev(dev)) == NULL) {
> - dev->stats.tx_dropped++;

Why not use a separate variable for another dev? This stat
should be helpful for debugging.

Jarek P.

David Miller

Dec 23, 2009, 4:40:02 PM
From: Jarek Poplawski <jar...@gmail.com>
Date: Wed, 23 Dec 2009 18:47:46 +0100

> Dan Carpenter wrote, On 12/23/2009 02:25 PM:
>
>> If dev == NULL we shouldn't dereference it.
>>
>> Signed-off-by: Dan Carpenter <err...@gmail.com>
>>
>> --- orig/drivers/net/hamradio/bpqether.c 2009-12-22 23:58:56.000000000 +0200
>> +++ devel/drivers/net/hamradio/bpqether.c 2009-12-22 23:59:46.000000000 +0200
>> @@ -283,7 +283,6 @@ static netdev_tx_t bpq_xmit(struct sk_bu
>> bpq = netdev_priv(dev);
>>
>> if ((dev = bpq_get_ether_dev(dev)) == NULL) {
>> - dev->stats.tx_dropped++;
>
> Why not use a separate variable for another dev? This stat
> should be helpful for debugging.

And that is definitely the intent of the code here, to
bump the statistic in the original device object.

Dan Carpenter

Dec 26, 2009, 7:40:01 AM
Bump the stats on the original dev not on the newly assigned NULL version of
dev.

Signed-off-by: Dan Carpenter <err...@gmail.com>

--- orig/drivers/net/hamradio/bpqether.c 2009-12-22 23:58:56.000000000 +0200

+++ devel/drivers/net/hamradio/bpqether.c 2009-12-25 19:49:05.000000000 +0200
@@ -282,11 +282,12 @@ static netdev_tx_t bpq_xmit(struct sk_bu

bpq = netdev_priv(dev);

- if ((dev = bpq_get_ether_dev(dev)) == NULL) {
+ if (!bpq->ethdev) {


dev->stats.tx_dropped++;
kfree_skb(skb);
return NETDEV_TX_OK;
}

+ dev = bpq_get_ether_dev(dev);

skb->protocol = ax25_type_trans(skb, dev);
skb_reset_network_header(skb);
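
Review bot: The added dev = bpq_get_ether_dev(dev); is not checked before dev is passed to ax25_type_trans(skb, dev), whereas the line it replaces tested the helper's return value for NULL. The new test on bpq->ethdev is only equivalent if the helper returns exactly that field, which this hunk does not show, and it repeats the helper's internals at the call site. Keeping the NULL test on the helper's result, with the original device saved in its own variable for the tx_dropped increment, avoids both problems.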

David Miller

Dec 26, 2009, 11:20:02 PM
From: Dan Carpenter <err...@gmail.com>
Date: Sat, 26 Dec 2009 14:38:12 +0200

> Bump the stats on the original dev not on the newly assigned NULL version of
> dev.
>
> Signed-off-by: Dan Carpenter <err...@gmail.com>

This doesn't look real nice.

The bpq_get_ether_dev() abstraction exists so that the details of
bpq->this and bpq->that are hidden behind it.

Exposing those details inline just to fix this bug makes the
abstraction significantly less useful, and the code more ugly.

Please just create an "orig_dev" pointer to save the original device
in, and use it to fix this problem properly.

That way you only fetch the bpq ether device pointer via the
abstraction interface.

And BTW, this is how other reviewers told you to implement this
fix. :-)

Thanks.

Dan Carpenter

Dec 28, 2009, 12:00:02 PM
This should address the problems in version 1 (lazy) and version 2 (ugly).

Bump the stats on orig_dev not on the newly assigned NULL dev variable.

Signed-off-by: Dan Carpenter <err...@gmail.com>

--- orig/drivers/net/hamradio/bpqether.c 2009-12-22 23:58:56.000000000 +0200

+++ devel/drivers/net/hamradio/bpqether.c 2009-12-28 00:12:48.000000000 +0200
@@ -248,6 +248,7 @@ static netdev_tx_t bpq_xmit(struct sk_bu
{
unsigned char *ptr;
struct bpqdev *bpq;
+ struct net_device *orig_dev;
int size;

/*
@@ -282,8 +283,9 @@ static netdev_tx_t bpq_xmit(struct sk_bu

bpq = netdev_priv(dev);

+ orig_dev = dev;


if ((dev = bpq_get_ether_dev(dev)) == NULL) {

- dev->stats.tx_dropped++;
+ orig_dev->stats.tx_dropped++;
kfree_skb(skb);
return NETDEV_TX_OK;
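
Review bot: In the second hunk, dev still changes meaning partway through bpq_xmit() (the device passed in before the if, the result of bpq_get_ether_dev() after it), and only the error branch uses orig_dev. A one-line comment at orig_dev = dev; saying that this is the device whose tx_dropped counter is bumped would make it harder for a later edit to reintroduce the NULL dereference. The assignment inside the if condition could also be moved into its own statement ahead of the test, so the point where dev is replaced is easier to see.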

David Miller

Jan 4, 2010, 12:50:02 AM
From: Dan Carpenter <err...@gmail.com>
Date: Mon, 28 Dec 2009 18:54:55 +0200

> This should address the problems in version 1 (lazy) and version 2 (ugly).
>
> Bump the stats on orig_dev not on the newly assigned NULL dev variable.
>
> Signed-off-by: Dan Carpenter <err...@gmail.com>

Applied.
