| Message ID | 20241008091817.977999-1-dillon.minfei@gmail.com (mailing list archive) |
|---|---|
| State | New |
| Headers | show |
| Series | [v1] net: ethernet: fix NULL pointer dereference at fec_ptp_save_state() | expand |
> -----Original Message----- > From: dillon.minfei@gmail.com <dillon.minfei@gmail.com> > Sent: 2024年10月8日 17:18 > To: Wei Fang <wei.fang@nxp.com>; Shenwei Wang <shenwei.wang@nxp.com>; > Clark Wang <xiaoning.wang@nxp.com>; davem@davemloft.net; > edumazet@google.com; kuba@kernel.org; pabeni@redhat.com; > u.kleine-koenig@baylibre.com; csokas.bence@prolan.hu > Cc: imx@lists.linux.dev; netdev@vger.kernel.org; linux-kernel@vger.kernel.org; > Dillon Min <dillon.minfei@gmail.com> > Subject: [PATCH v1] net: ethernet: fix NULL pointer dereference at > fec_ptp_save_state() > > From: Dillon Min <dillon.minfei@gmail.com> > > fec_ptp_init() called at probe stage when 'bufdesc_ex' is true. > so, need add 'bufdesc_ex' check before call fec_ptp_save_state(), else > 'tmreg_lock' will not be init by spin_lock_init(). > > run into kernel panic: > [ 5.735628] Hardware name: Freescale MXS (Device Tree) > [ 5.740816] Call trace: > [ 5.740853] unwind_backtrace from show_stack+0x10/0x14 > [ 5.748788] show_stack from dump_stack_lvl+0x44/0x60 > [ 5.753970] dump_stack_lvl from register_lock_class+0x80c/0x888 > [ 5.760098] register_lock_class from __lock_acquire+0x94/0x2b84 > [ 5.766213] __lock_acquire from lock_acquire+0xe0/0x2e0 > [ 5.771630] lock_acquire from _raw_spin_lock_irqsave+0x5c/0x78 > [ 5.777666] _raw_spin_lock_irqsave from fec_ptp_save_state+0x14/0x68 > [ 5.784226] fec_ptp_save_state from fec_restart+0x2c/0x778 > [ 5.789910] fec_restart from fec_probe+0xc68/0x15e0 > [ 5.794977] fec_probe from platform_probe+0x58/0xb0 > [ 5.800059] platform_probe from really_probe+0xc4/0x2cc > [ 5.805473] really_probe from __driver_probe_device+0x84/0x19c > [ 5.811482] __driver_probe_device from > driver_probe_device+0x30/0x110 > [ 5.818103] driver_probe_device from __driver_attach+0x94/0x18c > [ 5.824200] __driver_attach from bus_for_each_dev+0x70/0xc4 > [ 5.829979] bus_for_each_dev from bus_add_driver+0xc4/0x1ec > [ 5.835762] bus_add_driver from driver_register+0x7c/0x114 > [ 5.841444] driver_register from do_one_initcall+0x4c/0x224 > [ 5.847205] do_one_initcall from kernel_init_freeable+0x198/0x224 > [ 5.853502] kernel_init_freeable from kernel_init+0x10/0x108 > [ 5.859370] kernel_init from ret_from_fork+0x14/0x38 > [ 5.864524] Exception stack(0xc4819fb0 to 0xc4819ff8) > [ 5.869650] 9fa0: 00000000 > 00000000 00000000 00000000 > [ 5.877901] 9fc0: 00000000 00000000 00000000 00000000 00000000 > 00000000 00000000 00000000 > [ 5.886148] 9fe0: 00000000 00000000 00000000 00000000 00000013 > 00000000 > [ 5.892838] 8<--- cut here --- > [ 5.895948] Unable to handle kernel NULL pointer dereference at virtual > address 00000000 when read > > Fixes: a1477dc87dc4 ("net: fec: Restart PPS after link state change") > Signed-off-by: Dillon Min <dillon.minfei@gmail.com> > --- > drivers/net/ethernet/freescale/fec_main.c | 6 ++++-- > 1 file changed, 4 insertions(+), 2 deletions(-) > > diff --git a/drivers/net/ethernet/freescale/fec_main.c > b/drivers/net/ethernet/freescale/fec_main.c > index 60fb54231ead..1b55047c0237 100644 > --- a/drivers/net/ethernet/freescale/fec_main.c > +++ b/drivers/net/ethernet/freescale/fec_main.c > @@ -1077,7 +1077,8 @@ fec_restart(struct net_device *ndev) > u32 rcntl = OPT_FRAME_SIZE | 0x04; > u32 ecntl = FEC_ECR_ETHEREN; > > - fec_ptp_save_state(fep); > + if (fep->bufdesc_ex) > + fec_ptp_save_state(fep); > > /* Whack a reset. We should wait for this. > * For i.MX6SX SOC, enet use AXI bus, we use disable MAC @@ -1340,7 > +1341,8 @@ fec_stop(struct net_device *ndev) > netdev_err(ndev, "Graceful transmit stop did not complete!\n"); > } > > - fec_ptp_save_state(fep); > + if (fep->bufdesc_ex) > + fec_ptp_save_state(fep); > > /* Whack a reset. We should wait for this. > * For i.MX6SX SOC, enet use AXI bus, we use disable MAC > -- > 2.25.1 Hi Dillon, I have sent the same patch this morning. https://lore.kernel.org/lkml/20241008061153.1977930-1-wei.fang@nxp.com/
Hi Wei Ok, Thanks, just ignore this patch. Br. On Tue, 8 Oct 2024 at 17:24, Wei Fang <wei.fang@nxp.com> wrote: > > > -----Original Message----- > > From: dillon.minfei@gmail.com <dillon.minfei@gmail.com> > > Sent: 2024年10月8日 17:18 > > To: Wei Fang <wei.fang@nxp.com>; Shenwei Wang <shenwei.wang@nxp.com>; > > Clark Wang <xiaoning.wang@nxp.com>; davem@davemloft.net; > > edumazet@google.com; kuba@kernel.org; pabeni@redhat.com; > > u.kleine-koenig@baylibre.com; csokas.bence@prolan.hu > > Cc: imx@lists.linux.dev; netdev@vger.kernel.org; linux-kernel@vger.kernel.org; > > Dillon Min <dillon.minfei@gmail.com> > > Subject: [PATCH v1] net: ethernet: fix NULL pointer dereference at > > fec_ptp_save_state() > > > > From: Dillon Min <dillon.minfei@gmail.com> > > > > fec_ptp_init() called at probe stage when 'bufdesc_ex' is true. > > so, need add 'bufdesc_ex' check before call fec_ptp_save_state(), else > > 'tmreg_lock' will not be init by spin_lock_init(). > > > > run into kernel panic: > > [ 5.735628] Hardware name: Freescale MXS (Device Tree) > > [ 5.740816] Call trace: > > [ 5.740853] unwind_backtrace from show_stack+0x10/0x14 > > [ 5.748788] show_stack from dump_stack_lvl+0x44/0x60 > > [ 5.753970] dump_stack_lvl from register_lock_class+0x80c/0x888 > > [ 5.760098] register_lock_class from __lock_acquire+0x94/0x2b84 > > [ 5.766213] __lock_acquire from lock_acquire+0xe0/0x2e0 > > [ 5.771630] lock_acquire from _raw_spin_lock_irqsave+0x5c/0x78 > > [ 5.777666] _raw_spin_lock_irqsave from fec_ptp_save_state+0x14/0x68 > > [ 5.784226] fec_ptp_save_state from fec_restart+0x2c/0x778 > > [ 5.789910] fec_restart from fec_probe+0xc68/0x15e0 > > [ 5.794977] fec_probe from platform_probe+0x58/0xb0 > > [ 5.800059] platform_probe from really_probe+0xc4/0x2cc > > [ 5.805473] really_probe from __driver_probe_device+0x84/0x19c > > [ 5.811482] __driver_probe_device from > > driver_probe_device+0x30/0x110 > > [ 5.818103] driver_probe_device from __driver_attach+0x94/0x18c > > [ 5.824200] __driver_attach from bus_for_each_dev+0x70/0xc4 > > [ 5.829979] bus_for_each_dev from bus_add_driver+0xc4/0x1ec > > [ 5.835762] bus_add_driver from driver_register+0x7c/0x114 > > [ 5.841444] driver_register from do_one_initcall+0x4c/0x224 > > [ 5.847205] do_one_initcall from kernel_init_freeable+0x198/0x224 > > [ 5.853502] kernel_init_freeable from kernel_init+0x10/0x108 > > [ 5.859370] kernel_init from ret_from_fork+0x14/0x38 > > [ 5.864524] Exception stack(0xc4819fb0 to 0xc4819ff8) > > [ 5.869650] 9fa0: 00000000 > > 00000000 00000000 00000000 > > [ 5.877901] 9fc0: 00000000 00000000 00000000 00000000 00000000 > > 00000000 00000000 00000000 > > [ 5.886148] 9fe0: 00000000 00000000 00000000 00000000 00000013 > > 00000000 > > [ 5.892838] 8<--- cut here --- > > [ 5.895948] Unable to handle kernel NULL pointer dereference at virtual > > address 00000000 when read > > > > Fixes: a1477dc87dc4 ("net: fec: Restart PPS after link state change") > > Signed-off-by: Dillon Min <dillon.minfei@gmail.com> > > --- > > drivers/net/ethernet/freescale/fec_main.c | 6 ++++-- > > 1 file changed, 4 insertions(+), 2 deletions(-) > > > > diff --git a/drivers/net/ethernet/freescale/fec_main.c > > b/drivers/net/ethernet/freescale/fec_main.c > > index 60fb54231ead..1b55047c0237 100644 > > --- a/drivers/net/ethernet/freescale/fec_main.c > > +++ b/drivers/net/ethernet/freescale/fec_main.c > > @@ -1077,7 +1077,8 @@ fec_restart(struct net_device *ndev) > > u32 rcntl = OPT_FRAME_SIZE | 0x04; > > u32 ecntl = FEC_ECR_ETHEREN; > > > > - fec_ptp_save_state(fep); > > + if (fep->bufdesc_ex) > > + fec_ptp_save_state(fep); > > > > /* Whack a reset. We should wait for this. > > * For i.MX6SX SOC, enet use AXI bus, we use disable MAC @@ -1340,7 > > +1341,8 @@ fec_stop(struct net_device *ndev) > > netdev_err(ndev, "Graceful transmit stop did not complete!\n"); > > } > > > > - fec_ptp_save_state(fep); > > + if (fep->bufdesc_ex) > > + fec_ptp_save_state(fep); > > > > /* Whack a reset. We should wait for this. > > * For i.MX6SX SOC, enet use AXI bus, we use disable MAC > > -- > > 2.25.1 > > Hi Dillon, > > I have sent the same patch this morning. > https://lore.kernel.org/lkml/20241008061153.1977930-1-wei.fang@nxp.com/
diff --git a/drivers/net/ethernet/freescale/fec_main.c b/drivers/net/ethernet/freescale/fec_main.c index 60fb54231ead..1b55047c0237 100644 --- a/drivers/net/ethernet/freescale/fec_main.c +++ b/drivers/net/ethernet/freescale/fec_main.c @@ -1077,7 +1077,8 @@ fec_restart(struct net_device *ndev) u32 rcntl = OPT_FRAME_SIZE | 0x04; u32 ecntl = FEC_ECR_ETHEREN; - fec_ptp_save_state(fep); + if (fep->bufdesc_ex) + fec_ptp_save_state(fep); /* Whack a reset. We should wait for this. * For i.MX6SX SOC, enet use AXI bus, we use disable MAC @@ -1340,7 +1341,8 @@ fec_stop(struct net_device *ndev) netdev_err(ndev, "Graceful transmit stop did not complete!\n"); } - fec_ptp_save_state(fep); + if (fep->bufdesc_ex) + fec_ptp_save_state(fep); /* Whack a reset. We should wait for this. * For i.MX6SX SOC, enet use AXI bus, we use disable MAC