diff mbox series

[net] rtnetlink: catch error pointer for rtnl_link_get_net()

Message ID 20241129063112.763095-1-xiyou.wangcong@gmail.com (mailing list archive)
State New
Delegated to: Netdev Maintainers
Headers show
Series [net] rtnetlink: catch error pointer for rtnl_link_get_net() | expand

Checks

Context Check Description
netdev/series_format success Single patches do not need cover letters
netdev/tree_selection success Clearly marked for net
netdev/ynl success Generated files up to date; no warnings/errors; no diff in generated;
netdev/fixes_present success Fixes tag present in non-next series
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 3 this patch: 3
netdev/build_tools success No tools touched, skip
netdev/cc_maintainers fail 3 blamed authors not CCed: kuba@kernel.org razor@blackwall.org edumazet@google.com; 11 maintainers not CCed: kuba@kernel.org bpf@vger.kernel.org mailhol.vincent@wanadoo.fr daniel@iogearbox.net mkl@pengutronix.de andrew+netdev@lunn.ch razor@blackwall.org horms@kernel.org pabeni@redhat.com edumazet@google.com linux-can@vger.kernel.org
netdev/build_clang success Errors and warnings before: 3 this patch: 3
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/deprecated_api success None detected
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes success Fixes tag looks correct
netdev/build_allmodconfig_warn success Errors and warnings before: 308 this patch: 308
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 45 lines checked
netdev/build_clang_rust success No Rust files in patch. Skipping build
netdev/kdoc success Errors and warnings before: 5 this patch: 5
netdev/source_inline success Was 0 now: 0
netdev/contest pending net-next-2024-11-29--09-00 (tests: 0)

Commit Message

Cong Wang Nov. 29, 2024, 6:31 a.m. UTC 
From: Cong Wang <cong.wang@bytedance.com>

Currently all callers of rtnl_link_get_net() assume that it always
returns a valid netns pointer, when rtnl_link_get_net_ifla() fails,
it uses 'src_net' as a fallback.

This is not true, because rtnl_link_get_net_ifla() can return an
error pointer too, we need to handle this error case and propagate
the error code to its callers.

Add a comment to better document its return value.

Reported-by: syzbot+21ba4d5adff0b6a7cfc6@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=21ba4d5adff0b6a7cfc6
Fixes: 0eb87b02a705 ("veth: Set VETH_INFO_PEER to veth_link_ops.peer_type.")
Fixes: 6b84e558e95d ("vxcan: Set VXCAN_INFO_PEER to vxcan_link_ops.peer_type.")
Fixes: fefd5d082172 ("netkit: Set IFLA_NETKIT_PEER_INFO to netkit_link_ops.peer_type.")
Cc: Kuniyuki Iwashima <kuniyu@amazon.com>
Signed-off-by: Cong Wang <cong.wang@bytedance.com>
---
 drivers/net/can/vxcan.c |  3 +++
 drivers/net/netkit.c    |  3 +++
 drivers/net/veth.c      |  3 +++
 net/core/rtnetlink.c    | 12 ++++++++++++
 4 files changed, 21 insertions(+)

Comments

Kuniyuki Iwashima Nov. 29, 2024, 7:36 a.m. UTC | #1 
From: Cong Wang <xiyou.wangcong@gmail.com>
Date: Thu, 28 Nov 2024 22:31:12 -0800
> From: Cong Wang <cong.wang@bytedance.com>
> 
> Currently all callers of rtnl_link_get_net() assume that it always
> returns a valid netns pointer,

because I assume it's always tested in rtnl_add_peer_net()...


> when rtnl_link_get_net_ifla() fails,
> it uses 'src_net' as a fallback.
> 
> This is not true,

because rtnl_link_get_net_ifla() isn't called if (!data ||
!data[ops->peer_type]),

so the correct fix is:

---8<---
diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
index dd142f444659..c1f4aaa40823 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -3815,6 +3815,10 @@ static int rtnl_add_peer_net(struct rtnl_nets *rtnl_nets,
 	struct net *net;
 	int err;
 
+	net = rtnl_link_get_net_ifla(tb);
+	if (IS_ERR(net))
+		return PTR_ERR(net);
+
 	if (!data || !data[ops->peer_type])
 		return 0;
 
@@ -3828,9 +3832,6 @@ static int rtnl_add_peer_net(struct rtnl_nets *rtnl_nets,
 			return err;
 	}
 
-	net = rtnl_link_get_net_ifla(tb);
-	if (IS_ERR(net))
-		return PTR_ERR(net);
 	if (net)
 		rtnl_nets_add(rtnl_nets, net);
 
---8<---


> because rtnl_link_get_net_ifla() can return an
> error pointer too, we need to handle this error case and propagate
> the error code to its callers.
> 
> Add a comment to better document its return value.
diff mbox series

Patch

diff --git a/drivers/net/can/vxcan.c b/drivers/net/can/vxcan.c
index da7c72105fb6..6d03a5314034 100644
--- a/drivers/net/can/vxcan.c
+++ b/drivers/net/can/vxcan.c
@@ -204,6 +204,9 @@  static int vxcan_newlink(struct net *net, struct net_device *dev,
 	}
 
 	peer_net = rtnl_link_get_net(net, tbp);
+	if (IS_ERR(peer_net))
+		return PTR_ERR(peer_net);
+
 	peer = rtnl_create_link(peer_net, ifname, name_assign_type,
 				&vxcan_link_ops, tbp, extack);
 	if (IS_ERR(peer)) {
diff --git a/drivers/net/netkit.c b/drivers/net/netkit.c
index bb07725d1c72..44fe99a82ac3 100644
--- a/drivers/net/netkit.c
+++ b/drivers/net/netkit.c
@@ -386,6 +386,9 @@  static int netkit_new_link(struct net *src_net, struct net_device *dev,
 		return -EOPNOTSUPP;
 
 	net = rtnl_link_get_net(src_net, tbp);
+	if (IS_ERR(net))
+		return PTR_ERR(net);
+
 	peer = rtnl_create_link(net, ifname, ifname_assign_type,
 				&netkit_link_ops, tbp, extack);
 	if (IS_ERR(peer)) {
diff --git a/drivers/net/veth.c b/drivers/net/veth.c
index 0d6d0d749d44..3a42a982c638 100644
--- a/drivers/net/veth.c
+++ b/drivers/net/veth.c
@@ -1801,6 +1801,9 @@  static int veth_newlink(struct net *src_net, struct net_device *dev,
 	}
 
 	net = rtnl_link_get_net(src_net, tbp);
+	if (IS_ERR(net))
+		return PTR_ERR(net);
+
 	peer = rtnl_create_link(net, ifname, name_assign_type,
 				&veth_link_ops, tbp, extack);
 	if (IS_ERR(peer)) {
diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
index dd142f444659..6a4363276117 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -2527,6 +2527,18 @@  static struct net *rtnl_link_get_net_ifla(struct nlattr *tb[])
 	return net;
 }
 
+/**
+ * rtnl_link_get_net - Get the network namespace from the netlink attributes
+ * or just @src_net.
+ *
+ * @src_net: the source network namespace
+ * @tb: the netlink attributes
+ *
+ * Returns:
+ *   The network namespace specified in the netlink attributes,
+ *   in case of error, an error pointer is returned.
+ *   Or, @src_net if no netns attributes were passed.
+ */
 struct net *rtnl_link_get_net(struct net *src_net, struct nlattr *tb[])
 {
 	struct net *net = rtnl_link_get_net_ifla(tb);