| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <3e91e070-24a2-4dab-bca5-157fea921bf0@redhat.com>
Date: Tue, 6 May 2025 13:23:21 +0200
From: Paolo Abeni <pabeni@...hat.com>
To: Lukasz Majewski <lukma@...x.de>
Cc: Andrew Lunn <andrew+netdev@...n.ch>, davem@...emloft.net,
Eric Dumazet <edumazet@...gle.com>, Jakub Kicinski <kuba@...nel.org>,
Rob Herring <robh@...nel.org>, Krzysztof Kozlowski <krzk+dt@...nel.org>,
Conor Dooley <conor+dt@...nel.org>, Shawn Guo <shawnguo@...nel.org>,
Sascha Hauer <s.hauer@...gutronix.de>,
Pengutronix Kernel Team <kernel@...gutronix.de>,
Fabio Estevam <festevam@...il.com>,
Richard Cochran <richardcochran@...il.com>, netdev@...r.kernel.org,
devicetree@...r.kernel.org, linux-kernel@...r.kernel.org,
imx@...ts.linux.dev, linux-arm-kernel@...ts.infradead.org,
Stefan Wahren <wahrenst@....net>, Simon Horman <horms@...nel.org>,
Andrew Lunn <andrew@...n.ch>
Subject: Re: [net-next v11 4/7] net: mtip: The L2 switch driver for imx287
On 5/6/25 1:04 PM, Lukasz Majewski wrote:
>> On 5/4/25 4:55 PM, Lukasz Majewski wrote:
>>> + /* This does 16 byte alignment, exactly what we
>>> need.
>>> + * The packet length includes FCS, but we don't
>>> want to
>>> + * include that when passing upstream as it messes
>>> up
>>> + * bridging applications.
>>> + */
>>> + skb = netdev_alloc_skb(pndev, pkt_len +
>>> NET_IP_ALIGN);
>>> + if (unlikely(!skb)) {
>>> + dev_dbg(&fep->pdev->dev,
>>> + "%s: Memory squeeze, dropping
>>> packet.\n",
>>> + pndev->name);
>>> + pndev->stats.rx_dropped++;
>>> + goto err_mem;
>>> + } else {
>>> + skb_reserve(skb, NET_IP_ALIGN);
>>> + skb_put(skb, pkt_len); /* Make room */
>>> + skb_copy_to_linear_data(skb, data,
>>> pkt_len);
>>> + skb->protocol = eth_type_trans(skb, pndev);
>>> + napi_gro_receive(&fep->napi, skb);
>>> + }
>>> +
>>> + bdp->cbd_bufaddr = dma_map_single(&fep->pdev->dev,
>>> data,
>>> + bdp->cbd_datlen,
>>> + DMA_FROM_DEVICE);
>>> + if (unlikely(dma_mapping_error(&fep->pdev->dev,
>>> + bdp->cbd_bufaddr)))
>>> {
>>> + dev_err(&fep->pdev->dev,
>>> + "Failed to map descriptor rx
>>> buffer\n");
>>> + pndev->stats.rx_errors++;
>>> + pndev->stats.rx_dropped++;
>>> + dev_kfree_skb_any(skb);
>>> + goto err_mem;
>>> + }
>>
>> This is doing the mapping and ev. dropping the skb _after_ pushing the
>> skb up the stack, you must attempt the mapping first.
>>
>>> +static void mtip_free_buffers(struct net_device *dev)
>>> +{
>>> + struct mtip_ndev_priv *priv = netdev_priv(dev);
>>> + struct switch_enet_private *fep = priv->fep;
>>> + struct sk_buff *skb;
>>> + struct cbd_t *bdp;
>>> + int i;
>>> +
>>> + bdp = fep->rx_bd_base;
>>> + for (i = 0; i < RX_RING_SIZE; i++) {
>>> + skb = fep->rx_skbuff[i];
>>> +
>>> + if (bdp->cbd_bufaddr)
>>> + dma_unmap_single(&fep->pdev->dev,
>>> bdp->cbd_bufaddr,
>>> + MTIP_SWITCH_RX_FRSIZE,
>>> + DMA_FROM_DEVICE);
>>> + if (skb)
>>> + dev_kfree_skb(skb);
>>
>> I suspect that on error paths mtip_free_buffers() can be invoked
>> multiple consecutive times with any successful allocation in between:
>> skb will be freed twice. Likely you need to clear fep->rx_skbuff[i]
>> here.
>
> I don't know what I shall say now.... really...
I suspect my email was not clear. AFAICS the current code contains at
least 2 serious issues, possibly more not yet discovered due to the
patch size. You need to submit (at least) a new revision coping with the
provided feedback.
Thanks,
Paolo
Powered by blists - more mailing lists