vxlan: test dev->flags & IFF_UP before accessing vxlan->dev->dev_addr
authorVenkat Venkatsubra <venkat.x.venkatsubra@oracle.com>
Sat, 11 May 2019 14:49:44 +0000 (07:49 -0700)
committerBrian Maly <brian.maly@oracle.com>
Wed, 22 May 2019 03:56:22 +0000 (23:56 -0400)
vxlan_rcv was crashing either in eth_type_trans or
ether_addr_equal(eth_hdr(skb)->h_source, vxlan->dev->dev_addr)
due to NULL pointer dereference.

Same reason as the one explained in upstream commit 4179cb5a4c92
("vxlan: test dev->flags & IFF_UP before calling netif_rx()")

Orabug: 29710939

Reviewed-by: Rama Nichanamatlu <rama.nichanamatlu@oracle.com>
Signed-off-by: Venkat Venkatsubra <venkat.x.venkatsubra@oracle.com>
Signed-off-by: Brian Maly <brian.maly@oracle.com>
drivers/net/vxlan.c

index 766a11198ca7898a6c020ff5a97cd50a7d2e2f9a..15f9698cb8fad88748a931f14ed075d42d32ca82 100644 (file)
@@ -1268,13 +1268,26 @@ static void vxlan_rcv(struct vxlan_sock *vs, struct sk_buff *skb,
 
        remote_ip = &vxlan->default_dst.remote_ip;
        skb_reset_mac_header(skb);
+
+       rcu_read_lock();
+
+       if (unlikely(!(vxlan->dev->flags & IFF_UP))) {
+               rcu_read_unlock();
+               atomic_long_inc(&vxlan->dev->rx_dropped);
+               goto drop;
+       }
+
        skb_scrub_packet(skb, !net_eq(vxlan->net, dev_net(vxlan->dev)));
        skb->protocol = eth_type_trans(skb, vxlan->dev);
        skb_postpull_rcsum(skb, eth_hdr(skb), ETH_HLEN);
 
        /* Ignore packet loops (and multicast echo) */
-       if (ether_addr_equal(eth_hdr(skb)->h_source, vxlan->dev->dev_addr))
+       if (ether_addr_equal(eth_hdr(skb)->h_source, vxlan->dev->dev_addr)) {
+               rcu_read_unlock();
                goto drop;
+       }
+
+       rcu_read_unlock();
 
        /* Re-examine inner Ethernet packet */
        if (remote_ip->sa.sa_family == AF_INET) {
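Review bot: The RCU read-side section opened before the IFF_UP test is closed by the `rcu_read_unlock();` just above the "Re-examine inner Ethernet packet" comment, so any later use of vxlan->dev in vxlan_rcv (the body continues outside this hunk) runs without the protection the test was meant to give. The upstream commit cited in the description is titled as guarding the netif_rx() call, which suggests the section should reach the hand-off to the stack; if the later code still dereferences vxlan->dev, move the final `rcu_read_unlock();` past that point and unlock on each later `goto drop` path. In the down-device branch, `atomic_long_inc(&vxlan->dev->rx_dropped);` runs after `rcu_read_unlock();`, and swapping the two lines keeps the counter update inside the section. Because this path is driven by packets arriving from the network, any remaining window during interface teardown is presumably reachable by ordinary remote traffic. A comment such as `/* dev is only safe to dereference while IFF_UP is observed under rcu_read_lock() */` would record why the lock is taken, once the teardown side is confirmed to wait for a grace period.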