diff mbox series

dl2k: Fix potential NULL pointer dereference in receive_packet()

Message ID 20240213200900.41722-1-rand.sec96@gmail.com (mailing list archive)
State Changes Requested
Delegated to: Netdev Maintainers
Headers show
Series dl2k: Fix potential NULL pointer dereference in receive_packet() | expand

Checks

Context Check Description
netdev/series_format warning Single patches do not need cover letters; Target tree name not specified in the subject
netdev/tree_selection success Guessed tree name to be net-next
netdev/ynl success Generated files up to date; no warnings/errors; no diff in generated;
netdev/fixes_present success Fixes tag not required for -next series
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 990 this patch: 990
netdev/build_tools success No tools touched, skip
netdev/cc_maintainers warning 3 maintainers not CCed: pabeni@redhat.com andriy.shevchenko@linux.intel.com edumazet@google.com
netdev/build_clang success Errors and warnings before: 1006 this patch: 1006
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/deprecated_api success None detected
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes success No Fixes tag
netdev/build_allmodconfig_warn success Errors and warnings before: 1007 this patch: 1007
netdev/checkpatch warning CHECK: Comparison to NULL could be written "!skb" WARNING: Prefer [subsystem eg: netdev]_info([subsystem]dev, ... then dev_info(dev, ... then pr_info(... to printk(KERN_INFO ... WARNING: Prefer using '"%s...", __func__' to using 'receive_packet', this function's name, in a string WARNING: quoted string split across lines WARNING: space prohibited between function name and open parenthesis '('
netdev/build_clang_rust success No Rust files in patch. Skipping build
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0
netdev/contest success net-next-2024-02-15--00-00 (tests: 1443)

Commit Message

Rand Deeb Feb. 13, 2024, 8:09 p.m. UTC 
This patch addresses a potential NULL pointer dereference issue in the
receive_packet() function of the dl2k network driver. Previously, there was
a possibility of dereferencing a NULL pointer when the pointer 'skb'
returned from the function 'netdev_alloc_skb_ip_align()' was not checked
before being used. To resolve this issue, the patch introduces a check to
ensure that 'skb' is not NULL before dereferencing it.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Signed-off-by: Rand Deeb <rand.sec96@gmail.com>
---
 drivers/net/ethernet/dlink/dl2k.c | 8 ++++++++
 1 file changed, 8 insertions(+)

Comments

Jacob Keller Feb. 14, 2024, 9:56 p.m. UTC | #1 
On 2/13/2024 12:09 PM, Rand Deeb wrote:
The subject doesn't indicate which tree for netdev it would target, but
this seems like an obvious bug fix for net.

> @@ -972,6 +972,14 @@ receive_packet (struct net_device *dev)
>  							   np->rx_buf_sz,
>  							   DMA_FROM_DEVICE);
>  			}
> +			if (skb == NULL) {
> +				np->rx_ring[entry].fraginfo = 0;
> +				printk (KERN_INFO
> +				       "%s: receive_packet: "
> +				       "Unable to re-allocate Rx skbuff.#%d\n",
> +				       dev->name, entry);

You could use netdev_warn here instead of printk, which would include
the device information. I checked a couple other drivers and none of
them appear to log any message when this fails. A handful increment a
driver count of how many allocation failures occurred. I'm not sure how
helpful this print would be in practice.

With or without changes to the printed warning message:

Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
Jakub Kicinski Feb. 15, 2024, 1:02 a.m. UTC | #2 
On Tue, 13 Feb 2024 23:09:00 +0300 Rand Deeb wrote:
> +			if (skb == NULL) {

if (!skb) is more common

> +				np->rx_ring[entry].fraginfo = 0;
> +				printk (KERN_INFO
> +				       "%s: receive_packet: "
> +				       "Unable to re-allocate Rx skbuff.#%d\n",
> +				       dev->name, entry);

no prints on allocation failure, please, there logs will include OOM
splats already. A counter as suggested by Jake would be better.
Rand Deeb Feb. 15, 2024, 11:32 p.m. UTC | #3 
On Thu, Feb 15, 2024 at 4:02 AM Jakub Kicinski <kuba@kernel.org> wrote:
>
> On Tue, 13 Feb 2024 23:09:00 +0300 Rand Deeb wrote:
> > +                     if (skb == NULL) {
>
> if (!skb) is more common
>
> > +                             np->rx_ring[entry].fraginfo = 0;
> > +                             printk (KERN_INFO
> > +                                    "%s: receive_packet: "
> > +                                    "Unable to re-allocate Rx skbuff.#%d\n",
> > +                                    dev->name, entry);
>
> no prints on allocation failure, please, there logs will include OOM
> splats already. A counter as suggested by Jake would be better.
> --
> pw-bot: cr

Dear Jakub,
Thank you for your feedback and suggestions.

Regarding your comment on using `(!skb)` instead of `(skb == NULL)`, I
understand that `(!skb)` is more common and is also recommended by `
checkpatch.pl`. However, I chose to keep the original code style and logic
to maintain consistency and avoid confusion, especially for other
developers who might be familiar with the existing format. The same
applies to the `printk` statement. In the same function, there is an exact
block of code used; should I fix it too?
Jakub Kicinski Feb. 16, 2024, 12:18 a.m. UTC | #4 
On Fri, 16 Feb 2024 02:32:54 +0300 Rand Deeb wrote:
> Regarding your comment on using `(!skb)` instead of `(skb == NULL)`, I
> understand that `(!skb)` is more common and is also recommended by `
> checkpatch.pl`. However, I chose to keep the original code style and logic
> to maintain consistency and avoid confusion, especially for other
> developers who might be familiar with the existing format. The same
> applies to the `printk` statement. In the same function, there is an exact
> block of code used; should I fix it too?

Don't worry about surrounding code if it's written in a clearly
outdated style.

If the style is different intentionally, that's different, but
for old code using more modern style helps bring the code base
forward little by little.
diff mbox series

Patch

diff --git a/drivers/net/ethernet/dlink/dl2k.c b/drivers/net/ethernet/dlink/dl2k.c
index 734acb834c98..9cee510247e1 100644
--- a/drivers/net/ethernet/dlink/dl2k.c
+++ b/drivers/net/ethernet/dlink/dl2k.c
@@ -972,6 +972,14 @@  receive_packet (struct net_device *dev)
 							   np->rx_buf_sz,
 							   DMA_FROM_DEVICE);
 			}
+			if (skb == NULL) {
+				np->rx_ring[entry].fraginfo = 0;
+				printk (KERN_INFO
+				       "%s: receive_packet: "
+				       "Unable to re-allocate Rx skbuff.#%d\n",
+				       dev->name, entry);
+				break;
+			}
 			skb->protocol = eth_type_trans (skb, dev);
 #if 0
 			/* Checksum done by hw, but csum value unavailable. */