lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <91ee0772-b166-4556-9c9e-e12fa0262088@bootlin.com>
Date: Wed, 12 Nov 2025 08:44:06 +0100
From: Bastien Curutchet <bastien.curutchet@...tlin.com>
To: Jakub Kicinski <kuba@...nel.org>
Cc: Woojung Huh <woojung.huh@...rochip.com>, UNGLinuxDriver@...rochip.com,
 Andrew Lunn <andrew@...n.ch>, Vladimir Oltean <olteanv@...il.com>,
 "David S. Miller" <davem@...emloft.net>, Eric Dumazet <edumazet@...gle.com>,
 Paolo Abeni <pabeni@...hat.com>, Richard Cochran <richardcochran@...il.com>,
 Arun Ramadoss <arun.ramadoss@...rochip.com>,
 Pascal Eberhard <pascal.eberhard@...com>,
 Miquèl Raynal <miquel.raynal@...tlin.com>,
 Thomas Petazzoni <thomas.petazzoni@...tlin.com>, netdev@...r.kernel.org,
 linux-kernel@...r.kernel.org
Subject: Re: [PATCH net v2 3/4] net: dsa: microchip: Ensure a ksz_irq is
 initialized before freeing it

Hi Jakub,

On 11/11/25 3:28 AM, Jakub Kicinski wrote:
> On Thu, 06 Nov 2025 13:53:10 +0100 Bastien Curutchet (Schneider
> Electric) wrote:
>> diff --git a/drivers/net/dsa/microchip/ksz_common.c b/drivers/net/dsa/microchip/ksz_common.c
>> index 3a4516d32aa5f99109853ed400e64f8f7e2d8016..4f5e2024442692adefc69d47e82381a3c3bda184 100644
>> --- a/drivers/net/dsa/microchip/ksz_common.c
>> +++ b/drivers/net/dsa/microchip/ksz_common.c
>> @@ -2858,14 +2858,16 @@ static void ksz_irq_free(struct ksz_irq *kirq)
>>   {
>>   	int irq, virq;
>>   
>> -	free_irq(kirq->irq_num, kirq);
>> +	if (kirq->irq_num)
>> +		free_irq(kirq->irq_num, kirq);
>>   
>>   	for (irq = 0; irq < kirq->nirqs; irq++) {
> 
> if the domain may not be registered is it okay to try to find mappings
> in it? From the init path it seems that kirq->nirqs is set to the port
> count before registration so it will not be 0 if domain is NULL.
> 

I first thought it was fine because __irq_resolve_mapping() inside 
irq_find_mapping() verifies that the domain isn't NULL, then 
irq_find_mapping() returns 0 when it doesn't find an IRQ, and finally,
irq_dispose_mapping() returns immediately when virq is 0.

However, after taking a closer look at __irq_resolve_mapping(), I 
noticed that there is a global irq_default_domain that is used by some 
architectures (mainly MIPS and PowerPC) as a fallback when 
__irq_resolve_mapping() is given a NULL domain. In that case, it seems 
possible for the function to return a non-zero virq that has nothing to 
do with us, and which would then be incorrectly released afterward by 
irq_dispose_mapping().

This second case shouldn't occur often but I can move the for loop 
behind the `if (kirq->domain)` check to be safe.


>>   		virq = irq_find_mapping(kirq->domain, irq);
>>   		irq_dispose_mapping(virq);
>>   	}
>>   
>> -	irq_domain_remove(kirq->domain);
>> +	if (kirq->domain)
>> +		irq_domain_remove(kirq->domain);

Best regards,
Bastien

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ