diff mbox series

[v2] net: ethernet: fix NULL dereference in nixge_recv()

Message ID 20241217110731.2925254-1-make_ruc2021@163.com (mailing list archive)
State Changes Requested
Delegated to: Netdev Maintainers
Headers show
Series [v2] net: ethernet: fix NULL dereference in nixge_recv() | expand

Checks

Context Check Description
netdev/series_format warning Single patches do not need cover letters; Target tree name not specified in the subject
netdev/tree_selection success Guessed tree name to be net-next
netdev/ynl success Generated files up to date; no warnings/errors; no diff in generated;
netdev/fixes_present success Fixes tag not required for -next series
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 0 this patch: 0
netdev/build_tools success No tools touched, skip
netdev/cc_maintainers success CCed 8 of 8 maintainers
netdev/build_clang success Errors and warnings before: 6 this patch: 6
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/deprecated_api success None detected
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes success Fixes tag looks correct
netdev/build_allmodconfig_warn success Errors and warnings before: 0 this patch: 0
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 9 lines checked
netdev/build_clang_rust success No Rust files in patch. Skipping build
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0
netdev/contest fail net-next-2024-12-17--21-00 (tests: 883)

Commit Message

Ma Ke Dec. 17, 2024, 11:07 a.m. UTC 
Due to the failure of allocating the variable 'priv' in
netdev_priv(ndev), this could result in 'priv->rx_bd_v' not being set
during the allocation process of netdev_priv(ndev), which could lead
to a null pointer dereference.

Move while() loop with 'priv->rx_bd_v' dereference after the check 
for its validity.

Found by code review.

Cc: stable@vger.kernel.org
Fixes: 492caffa8a1a ("net: ethernet: nixge: Add support for National Instruments XGE netdev")
Signed-off-by: Ma Ke <make_ruc2021@163.com>
---
Changes in v2:
- modified the bug description as suggestions;
- modified the patch as the code style suggested.
---
 drivers/net/ethernet/ni/nixge.c | 3 +++
 1 file changed, 3 insertions(+)

Comments

Eric Dumazet Dec. 17, 2024, 12:40 p.m. UTC | #1 
On Tue, Dec 17, 2024 at 12:25 PM Ma Ke <make_ruc2021@163.com> wrote:
>
> Due to the failure of allocating the variable 'priv' in
> netdev_priv(ndev), this could result in 'priv->rx_bd_v' not being set
> during the allocation process of netdev_priv(ndev), which could lead
> to a null pointer dereference.
>
> Move while() loop with 'priv->rx_bd_v' dereference after the check
> for its validity.
>
> Found by code review.
>
> Cc: stable@vger.kernel.org
> Fixes: 492caffa8a1a ("net: ethernet: nixge: Add support for National Instruments XGE netdev")
> Signed-off-by: Ma Ke <make_ruc2021@163.com>
> ---
> Changes in v2:
> - modified the bug description as suggestions;
> - modified the patch as the code style suggested.

I really do not understand this patch.

if priv->rx_bd_v allocation failed, surely the device is not
operational, because nixge_hw_dma_bd_init() returns -ENOMEM
diff mbox series

Patch

diff --git a/drivers/net/ethernet/ni/nixge.c b/drivers/net/ethernet/ni/nixge.c
index 230d5ff99dd7..41acce878af0 100644
--- a/drivers/net/ethernet/ni/nixge.c
+++ b/drivers/net/ethernet/ni/nixge.c
@@ -604,6 +604,9 @@  static int nixge_recv(struct net_device *ndev, int budget)
 
 	cur_p = &priv->rx_bd_v[priv->rx_bd_ci];
 
+	if (!priv->rx_bd_v)
+		return 0;
+
 	while ((cur_p->status & XAXIDMA_BD_STS_COMPLETE_MASK &&
 		budget > packets)) {
 		tail_p = priv->rx_bd_p + sizeof(*priv->rx_bd_v) *