Bug#255406: kernel-source-2.4.26: Kernel crash when removing interface from wrong bridge group

[Horms <horms@debian.org>]

On Sun, Jun 20, 2004 at 07:56:26PM +0200, Erich Schubert wrote:
> Package: kernel-source-2.4.26
> Severity: normal
> 
> Some time ago i found a kernel crash in 2.4.x and reported it to LKML.
> Unfortunately i never recieved a reply, and i didn't see it in recent
> pre-releases of the 2.4.x kernel.
> 
> To verify your system is vulnerable (need bridge support):
> $ brctl addbr br0
> $ brctl addbr br1
> $ brctl addif br0 eth0
> $ brctl delif br1 eth0
> (note br1 in last line, not br0! Deleting from the wrong bridge triggers
> the kernel crash.)
> 
> This is a 1:1 backport (100% copy&paste) from 2.6.5 of the fix.
> Verify yourself, grab the file from 2.6.5, go to the function, copy the
> code, paste it and the issue is done. Returns "einval" on invalid
> requests instead of causing an inconsistency and a panic.
> 
> (fixed sometime in 2.5.x it seems; it might be worth looking at when
> this was fixed - it might contain other fixes, too.)

Did you try sending this to netdev@oss.sgi.com and CCing the relevant
maintainer, Stephen Hemminger <shemminger@osdl.org> I believe?

> --- net/bridge/br_if.c.2.4.21   2004-05-20 14:34:50.000000000 +0200
> +++ net/bridge/br_if.c  2004-05-20 14:37:22.000000000 +0200
> @@ -254,6 +254,10 @@
>  int br_del_if(struct net_bridge *br, struct net_device *dev)
>  {
>         int retval;
> +       struct net_bridge_port *p;
> +
> +       if ((p = dev->br_port) == NULL || p->br != br)
> +               return -EINVAL;
>  
>         br_write_lock_bh(BR_NETPROTO_LOCK);
>         write_lock(&br->lock);
> 
> 
> -- System Information:
> Debian Release: testing/unstable
>   APT prefers unstable
>   APT policy: (500, 'unstable'), (1, 'experimental')
> Architecture: i386 (i686)
> Kernel: Linux 2.6.6
> Locale: LANG=de_DE.UTF-8@euro, LC_CTYPE=de_DE.UTF-8@euro

-- 
Horms