Date: Fri, 25 Nov 2022 14:30:54 +0100 From: Maciej Fijalkowski <maciej.fijalkowski@...el.com> To: Yuri Karpov <YKarpov@...ras.ru> CC: "David S . Miller" <davem@...emloft.net>, Eric Dumazet <edumazet@...gle.com>, Jakub Kicinski <kuba@...nel.org>, Paolo Abeni <pabeni@...hat.com>, <netdev@...r.kernel.org>, <linux-kernel@...r.kernel.org>, <lvc-project@...uxtesting.org> Subject: Re: [PATCH] net: ethernet: nixge: fix NULL dereference On Thu, Nov 24, 2022 at 11:43:03AM +0300, Yuri Karpov wrote: > In function nixge_hw_dma_bd_release() dereference of NULL pointer > priv->rx_bd_v is possible for the case of its allocation failure in > nixge_hw_dma_bd_init(). > > Move for() loop with priv->rx_bd_v dereference under the check for > its validity. > > Found by Linux Verification Center (linuxtesting.org) with SVACE. > > Fixes: 492caffa8a1a ("net: ethernet: nixge: Add support for National Instruments XGE netdev") > Signed-off-by: Yuri Karpov <YKarpov@...ras.ru> Reviewed-by: Maciej Fijalkowski <maciej.fijalkowski@...el.com> > --- > drivers/net/ethernet/ni/nixge.c | 29 +++++++++++++++-------------- > 1 file changed, 15 insertions(+), 14 deletions(-) > > diff --git a/drivers/net/ethernet/ni/nixge.c b/drivers/net/ethernet/ni/nixge.c > index 19d043b593cc..62320be4de5a 100644 > --- a/drivers/net/ethernet/ni/nixge.c > +++ b/drivers/net/ethernet/ni/nixge.c 
> @@ -249,25 +249,26 @@ static void nixge_hw_dma_bd_release(struct net_device *ndev) > struct sk_buff *skb; > int i; > > - for (i = 0; i < RX_BD_NUM; i++) { > - phys_addr = nixge_hw_dma_bd_get_addr(&priv->rx_bd_v[i], > - phys); > - > - dma_unmap_single(ndev->dev.parent, phys_addr, > - NIXGE_MAX_JUMBO_FRAME_SIZE, > - DMA_FROM_DEVICE); > - > - skb = (struct sk_buff *)(uintptr_t) > - nixge_hw_dma_bd_get_addr(&priv->rx_bd_v[i], > - sw_id_offset); > - dev_kfree_skb(skb); > - } > + if (priv->rx_bd_v) { > + for (i = 0; i < RX_BD_NUM; i++) { > + phys_addr = nixge_hw_dma_bd_get_addr(&priv->rx_bd_v[i], > + phys); > + > + dma_unmap_single(ndev->dev.parent, phys_addr, > + NIXGE_MAX_JUMBO_FRAME_SIZE, > + DMA_FROM_DEVICE); > + > + skb = (struct sk_buff *)(uintptr_t) > + nixge_hw_dma_bd_get_addr(&priv->rx_bd_v[i], > + sw_id_offset); > + dev_kfree_skb(skb); > + } > > - if (priv->rx_bd_v) > dma_free_coherent(ndev->dev.parent, > sizeof(*priv->rx_bd_v) * RX_BD_NUM, > priv->rx_bd_v, > priv->rx_bd_p); > + } > > if (priv->tx_skb) > devm_kfree(ndev->dev.parent, priv->tx_skb); > -- > 2.34.1 >
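Review bot: inside the new `if (priv->rx_bd_v)` block, the loop still calls `dma_unmap_single()` and `dev_kfree_skb()` for all RX_BD_NUM descriptors without checking that each entry was actually populated. The commit message says this function is reached after an allocation failure in nixge_hw_dma_bd_init(). If that failure can also occur after rx_bd_v is allocated but before every descriptor has a mapped buffer, the remaining entries would be unmapped using whatever address the descriptor happens to hold. Consider skipping entries whose phys_addr or skb is unset, or explain in the commit message why the ring is always fully populated whenever rx_bd_v is non-NULL.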