| Message ID | 20240724080524.2734499-1-leitao@debian.org (mailing list archive) |
|---|---|
| State | New |
| Headers | show |
| Series | [net] net: mediatek: Fix potential NULL pointer dereference in dummy net_device handling | expand |
On Wed, Jul 24, 2024 at 01:05:23AM -0700, Breno Leitao wrote: > Move the freeing of the dummy net_device from mtk_free_dev() to > mtk_remove(). > > Previously, if alloc_netdev_dummy() failed in mtk_probe(), > eth->dummy_dev would be NULL. The error path would then call > mtk_free_dev(), which in turn called free_netdev() assuming dummy_dev > was allocated (but it was not), potentially causing a NULL pointer > dereference. > > By moving free_netdev() to mtk_remove(), we ensure it's only called when > mtk_probe() has succeeded and dummy_dev is fully allocated. This > addresses a potential NULL pointer dereference detected by Smatch[1]. > > Fixes: b209bd6d0bff ("net: mediatek: mtk_eth_sock: allocate dummy net_device dynamically") > Reported-by: Dan Carpenter <dan.carpenter@linaro.org> > Closes: https://lore.kernel.org/all/4160f4e0-cbef-4a22-8b5d-42c4d399e1f7@stanley.mountain/ [1] > Suggested-by: Dan Carpenter <dan.carpenter@linaro.org> > Reviewed-by: Dan Carpenter <dan.carpenter@linaro.org> > Signed-off-by: Breno Leitao <leitao@debian.org> Reviewed-by: Simon Horman <horms@kernel.org> ...
Hello: This patch was applied to netdev/net.git (main) by Paolo Abeni <pabeni@redhat.com>: On Wed, 24 Jul 2024 01:05:23 -0700 you wrote: > Move the freeing of the dummy net_device from mtk_free_dev() to > mtk_remove(). > > Previously, if alloc_netdev_dummy() failed in mtk_probe(), > eth->dummy_dev would be NULL. The error path would then call > mtk_free_dev(), which in turn called free_netdev() assuming dummy_dev > was allocated (but it was not), potentially causing a NULL pointer > dereference. > > [...] Here is the summary with links: - [net] net: mediatek: Fix potential NULL pointer dereference in dummy net_device handling https://git.kernel.org/netdev/net/c/16f3a28cf5f8 You are awesome, thank you!
diff --git a/drivers/net/ethernet/mediatek/mtk_eth_soc.c b/drivers/net/ethernet/mediatek/mtk_eth_soc.c index 0cc2dd85652f..16ca427cf4c3 100644 --- a/drivers/net/ethernet/mediatek/mtk_eth_soc.c +++ b/drivers/net/ethernet/mediatek/mtk_eth_soc.c @@ -4223,8 +4223,6 @@ static int mtk_free_dev(struct mtk_eth *eth) metadata_dst_free(eth->dsa_meta[i]); } - free_netdev(eth->dummy_dev); - return 0; } @@ -5090,6 +5088,7 @@ static void mtk_remove(struct platform_device *pdev) netif_napi_del(ð->tx_napi); netif_napi_del(ð->rx_napi); mtk_cleanup(eth); + free_netdev(eth->dummy_dev); mtk_mdio_cleanup(eth); }
Move the freeing of the dummy net_device from mtk_free_dev() to mtk_remove(). Previously, if alloc_netdev_dummy() failed in mtk_probe(), eth->dummy_dev would be NULL. The error path would then call mtk_free_dev(), which in turn called free_netdev() assuming dummy_dev was allocated (but it was not), potentially causing a NULL pointer dereference. By moving free_netdev() to mtk_remove(), we ensure it's only called when mtk_probe() has succeeded and dummy_dev is fully allocated. This addresses a potential NULL pointer dereference detected by Smatch[1]. Fixes: b209bd6d0bff ("net: mediatek: mtk_eth_sock: allocate dummy net_device dynamically") Reported-by: Dan Carpenter <dan.carpenter@linaro.org> Closes: https://lore.kernel.org/all/4160f4e0-cbef-4a22-8b5d-42c4d399e1f7@stanley.mountain/ [1] Suggested-by: Dan Carpenter <dan.carpenter@linaro.org> Reviewed-by: Dan Carpenter <dan.carpenter@linaro.org> Signed-off-by: Breno Leitao <leitao@debian.org> --- drivers/net/ethernet/mediatek/mtk_eth_soc.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-)