| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 25 Nov 2022 14:30:54 +0100
From: Maciej Fijalkowski <maciej.fijalkowski@...el.com>
To: Yuri Karpov <YKarpov@...ras.ru>
CC: "David S . Miller" <davem@...emloft.net>,
Eric Dumazet <edumazet@...gle.com>,
Jakub Kicinski <kuba@...nel.org>,
Paolo Abeni <pabeni@...hat.com>, <netdev@...r.kernel.org>,
<linux-kernel@...r.kernel.org>, <lvc-project@...uxtesting.org>
Subject: Re: [PATCH] net: ethernet: nixge: fix NULL dereference
On Thu, Nov 24, 2022 at 11:43:03AM +0300, Yuri Karpov wrote:
> In function nixge_hw_dma_bd_release() dereference of NULL pointer
> priv->rx_bd_v is possible for the case of its allocation failure in
> nixge_hw_dma_bd_init().
>
> Move for() loop with priv->rx_bd_v dereference under the check for
> its validity.
>
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>
> Fixes: 492caffa8a1a ("net: ethernet: nixge: Add support for National Instruments XGE netdev")
> Signed-off-by: Yuri Karpov <YKarpov@...ras.ru>
Reviewed-by: Maciej Fijalkowski <maciej.fijalkowski@...el.com>
> ---
> drivers/net/ethernet/ni/nixge.c | 29 +++++++++++++++--------------
> 1 file changed, 15 insertions(+), 14 deletions(-)
>
> diff --git a/drivers/net/ethernet/ni/nixge.c b/drivers/net/ethernet/ni/nixge.c
> index 19d043b593cc..62320be4de5a 100644
> --- a/drivers/net/ethernet/ni/nixge.c
> +++ b/drivers/net/ethernet/ni/nixge.c
> @@ -249,25 +249,26 @@ static void nixge_hw_dma_bd_release(struct net_device *ndev)
> struct sk_buff *skb;
> int i;
>
> - for (i = 0; i < RX_BD_NUM; i++) {
> - phys_addr = nixge_hw_dma_bd_get_addr(&priv->rx_bd_v[i],
> - phys);
> -
> - dma_unmap_single(ndev->dev.parent, phys_addr,
> - NIXGE_MAX_JUMBO_FRAME_SIZE,
> - DMA_FROM_DEVICE);
> -
> - skb = (struct sk_buff *)(uintptr_t)
> - nixge_hw_dma_bd_get_addr(&priv->rx_bd_v[i],
> - sw_id_offset);
> - dev_kfree_skb(skb);
> - }
> + if (priv->rx_bd_v) {
> + for (i = 0; i < RX_BD_NUM; i++) {
> + phys_addr = nixge_hw_dma_bd_get_addr(&priv->rx_bd_v[i],
> + phys);
> +
> + dma_unmap_single(ndev->dev.parent, phys_addr,
> + NIXGE_MAX_JUMBO_FRAME_SIZE,
> + DMA_FROM_DEVICE);
> +
> + skb = (struct sk_buff *)(uintptr_t)
> + nixge_hw_dma_bd_get_addr(&priv->rx_bd_v[i],
> + sw_id_offset);
> + dev_kfree_skb(skb);
> + }
>
> - if (priv->rx_bd_v)
> dma_free_coherent(ndev->dev.parent,
> sizeof(*priv->rx_bd_v) * RX_BD_NUM,
> priv->rx_bd_v,
> priv->rx_bd_p);
> + }
>
> if (priv->tx_skb)
> devm_kfree(ndev->dev.parent, priv->tx_skb);
> --
> 2.34.1
>
Powered by blists - more mailing lists