| Message ID | 3c1262464d215faa8acebfc08869798c81c96f4a.1702827359.git.lorenzo@kernel.org (mailing list archive) |
|---|---|
| State | Accepted |
| Commit | 7cb8cd4daacfea646cf8b5925ca2c66c98b18480 |
| Delegated to: | Netdev Maintainers |
| Headers | show |
| Series | [net] net: ethernet: mtk_wed: fix possible NULL pointer dereference in mtk_wed_wo_queue_tx_clean() | expand |
On Sun, Dec 17, 2023 at 04:37:40PM +0100, Lorenzo Bianconi wrote: > In order to avoid a NULL pointer dereference, check entry->buf pointer before running > skb_free_frag in mtk_wed_wo_queue_tx_clean routine. > > Fixes: 799684448e3e ("net: ethernet: mtk_wed: introduce wed wo support") > Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org> Hi Lorenzo, can I clarify that this can actually happen? What I am getting at, is that if not, it might be net-next material. In either case, I have no objection to the change itself. Reviewed-by: Simon Horman <horms@kernel.org>
> On Sun, Dec 17, 2023 at 04:37:40PM +0100, Lorenzo Bianconi wrote: > > In order to avoid a NULL pointer dereference, check entry->buf pointer before running > > skb_free_frag in mtk_wed_wo_queue_tx_clean routine. > > > > Fixes: 799684448e3e ("net: ethernet: mtk_wed: introduce wed wo support") > > Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org> > > Hi Lorenzo, Hi Simon, > > can I clarify that this can actually happen? I was able to trigger the crash on a real device (Banana Pi BPI-R4) but with a wrong swiotlb configuration. I do not have a strong opinion, I am fine to target net-next instead. What do you prefer? Regards, Lorenzo > What I am getting at, is that if not, it might be net-next material. > In either case, I have no objection to the change itself. > > Reviewed-by: Simon Horman <horms@kernel.org>
On Mon, Dec 18, 2023 at 10:16:11PM +0100, Lorenzo Bianconi wrote: > > On Sun, Dec 17, 2023 at 04:37:40PM +0100, Lorenzo Bianconi wrote: > > > In order to avoid a NULL pointer dereference, check entry->buf pointer before running > > > skb_free_frag in mtk_wed_wo_queue_tx_clean routine. > > > > > > Fixes: 799684448e3e ("net: ethernet: mtk_wed: introduce wed wo support") > > > Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org> > > > > Hi Lorenzo, > > Hi Simon, > > > > > can I clarify that this can actually happen? > > I was able to trigger the crash on a real device (Banana Pi BPI-R4) but > with a wrong swiotlb configuration. I do not have a strong opinion, I am > fine to target net-next instead. What do you prefer? I also don't have a strong opinion here. But lean towards 'net' if you were able to trigger a crash. > > Regards, > Lorenzo > > > What I am getting at, is that if not, it might be net-next material. > > In either case, I have no objection to the change itself. > > > > Reviewed-by: Simon Horman <horms@kernel.org>
Hello: This patch was applied to netdev/net.git (main) by Paolo Abeni <pabeni@redhat.com>: On Sun, 17 Dec 2023 16:37:40 +0100 you wrote: > In order to avoid a NULL pointer dereference, check entry->buf pointer before running > skb_free_frag in mtk_wed_wo_queue_tx_clean routine. > > Fixes: 799684448e3e ("net: ethernet: mtk_wed: introduce wed wo support") > Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org> > --- > drivers/net/ethernet/mediatek/mtk_wed_wo.c | 3 +++ > 1 file changed, 3 insertions(+) Here is the summary with links: - [net] net: ethernet: mtk_wed: fix possible NULL pointer dereference in mtk_wed_wo_queue_tx_clean() https://git.kernel.org/netdev/net/c/7cb8cd4daacf You are awesome, thank you!
diff --git a/drivers/net/ethernet/mediatek/mtk_wed_wo.c b/drivers/net/ethernet/mediatek/mtk_wed_wo.c index 3bd51a3d6650..ae44ad5f8ce8 100644 --- a/drivers/net/ethernet/mediatek/mtk_wed_wo.c +++ b/drivers/net/ethernet/mediatek/mtk_wed_wo.c @@ -291,6 +291,9 @@ mtk_wed_wo_queue_tx_clean(struct mtk_wed_wo *wo, struct mtk_wed_wo_queue *q) for (i = 0; i < q->n_desc; i++) { struct mtk_wed_wo_queue_entry *entry = &q->entry[i]; + if (!entry->buf) + continue; + dma_unmap_single(wo->hw->dev, entry->addr, entry->len, DMA_TO_DEVICE); skb_free_frag(entry->buf);
In order to avoid a NULL pointer dereference, check entry->buf pointer before running skb_free_frag in mtk_wed_wo_queue_tx_clean routine. Fixes: 799684448e3e ("net: ethernet: mtk_wed: introduce wed wo support") Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org> --- drivers/net/ethernet/mediatek/mtk_wed_wo.c | 3 +++ 1 file changed, 3 insertions(+)