lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID:
 <PAXPR04MB85106420DA87BA00EF755A85887E2@PAXPR04MB8510.eurprd04.prod.outlook.com>
Date: Tue, 8 Oct 2024 09:24:37 +0000
From: Wei Fang <wei.fang@....com>
To: "dillon.minfei@...il.com" <dillon.minfei@...il.com>
CC: "imx@...ts.linux.dev" <imx@...ts.linux.dev>, "netdev@...r.kernel.org"
	<netdev@...r.kernel.org>, "linux-kernel@...r.kernel.org"
	<linux-kernel@...r.kernel.org>, Shenwei Wang <shenwei.wang@....com>, Clark
 Wang <xiaoning.wang@....com>, "davem@...emloft.net" <davem@...emloft.net>,
	"edumazet@...gle.com" <edumazet@...gle.com>, "kuba@...nel.org"
	<kuba@...nel.org>, "pabeni@...hat.com" <pabeni@...hat.com>,
	"u.kleine-koenig@...libre.com" <u.kleine-koenig@...libre.com>,
	"csokas.bence@...lan.hu" <csokas.bence@...lan.hu>
Subject: RE: [PATCH v1] net: ethernet: fix NULL pointer dereference at
 fec_ptp_save_state()

> -----Original Message-----
> From: dillon.minfei@...il.com <dillon.minfei@...il.com>
> Sent: 2024年10月8日 17:18
> To: Wei Fang <wei.fang@....com>; Shenwei Wang <shenwei.wang@....com>;
> Clark Wang <xiaoning.wang@....com>; davem@...emloft.net;
> edumazet@...gle.com; kuba@...nel.org; pabeni@...hat.com;
> u.kleine-koenig@...libre.com; csokas.bence@...lan.hu
> Cc: imx@...ts.linux.dev; netdev@...r.kernel.org; linux-kernel@...r.kernel.org;
> Dillon Min <dillon.minfei@...il.com>
> Subject: [PATCH v1] net: ethernet: fix NULL pointer dereference at
> fec_ptp_save_state()
> 
> From: Dillon Min <dillon.minfei@...il.com>
> 
> fec_ptp_init() called at probe stage when 'bufdesc_ex' is true.
> so, need add 'bufdesc_ex' check before call fec_ptp_save_state(), else
> 'tmreg_lock' will not be init by spin_lock_init().
> 
> run into kernel panic:
> [    5.735628] Hardware name: Freescale MXS (Device Tree)
> [    5.740816] Call trace:
> [    5.740853]  unwind_backtrace from show_stack+0x10/0x14
> [    5.748788]  show_stack from dump_stack_lvl+0x44/0x60
> [    5.753970]  dump_stack_lvl from register_lock_class+0x80c/0x888
> [    5.760098]  register_lock_class from __lock_acquire+0x94/0x2b84
> [    5.766213]  __lock_acquire from lock_acquire+0xe0/0x2e0
> [    5.771630]  lock_acquire from _raw_spin_lock_irqsave+0x5c/0x78
> [    5.777666]  _raw_spin_lock_irqsave from fec_ptp_save_state+0x14/0x68
> [    5.784226]  fec_ptp_save_state from fec_restart+0x2c/0x778
> [    5.789910]  fec_restart from fec_probe+0xc68/0x15e0
> [    5.794977]  fec_probe from platform_probe+0x58/0xb0
> [    5.800059]  platform_probe from really_probe+0xc4/0x2cc
> [    5.805473]  really_probe from __driver_probe_device+0x84/0x19c
> [    5.811482]  __driver_probe_device from
> driver_probe_device+0x30/0x110
> [    5.818103]  driver_probe_device from __driver_attach+0x94/0x18c
> [    5.824200]  __driver_attach from bus_for_each_dev+0x70/0xc4
> [    5.829979]  bus_for_each_dev from bus_add_driver+0xc4/0x1ec
> [    5.835762]  bus_add_driver from driver_register+0x7c/0x114
> [    5.841444]  driver_register from do_one_initcall+0x4c/0x224
> [    5.847205]  do_one_initcall from kernel_init_freeable+0x198/0x224
> [    5.853502]  kernel_init_freeable from kernel_init+0x10/0x108
> [    5.859370]  kernel_init from ret_from_fork+0x14/0x38
> [    5.864524] Exception stack(0xc4819fb0 to 0xc4819ff8)
> [    5.869650] 9fa0:                                     00000000
> 00000000 00000000 00000000
> [    5.877901] 9fc0: 00000000 00000000 00000000 00000000 00000000
> 00000000 00000000 00000000
> [    5.886148] 9fe0: 00000000 00000000 00000000 00000000 00000013
> 00000000
> [    5.892838] 8<--- cut here ---
> [    5.895948] Unable to handle kernel NULL pointer dereference at virtual
> address 00000000 when read
> 
> Fixes: a1477dc87dc4 ("net: fec: Restart PPS after link state change")
> Signed-off-by: Dillon Min <dillon.minfei@...il.com>
> ---
>  drivers/net/ethernet/freescale/fec_main.c | 6 ++++--
>  1 file changed, 4 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/net/ethernet/freescale/fec_main.c
> b/drivers/net/ethernet/freescale/fec_main.c
> index 60fb54231ead..1b55047c0237 100644
> --- a/drivers/net/ethernet/freescale/fec_main.c
> +++ b/drivers/net/ethernet/freescale/fec_main.c
> @@ -1077,7 +1077,8 @@ fec_restart(struct net_device *ndev)
>  	u32 rcntl = OPT_FRAME_SIZE | 0x04;
>  	u32 ecntl = FEC_ECR_ETHEREN;
> 
> -	fec_ptp_save_state(fep);
> +	if (fep->bufdesc_ex)
> +		fec_ptp_save_state(fep);
> 
>  	/* Whack a reset.  We should wait for this.
>  	 * For i.MX6SX SOC, enet use AXI bus, we use disable MAC @@ -1340,7
> +1341,8 @@ fec_stop(struct net_device *ndev)
>  			netdev_err(ndev, "Graceful transmit stop did not complete!\n");
>  	}
> 
> -	fec_ptp_save_state(fep);
> +	if (fep->bufdesc_ex)
> +		fec_ptp_save_state(fep);
> 
>  	/* Whack a reset.  We should wait for this.
>  	 * For i.MX6SX SOC, enet use AXI bus, we use disable MAC
> --
> 2.25.1

Hi Dillon,

I have sent the same patch this morning.
https://lore.kernel.org/lkml/20241008061153.1977930-1-wei.fang@nxp.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ