Message-ID: <373ae7ef7ff20aa6dccefcb40e2312e9510132b3.camel@siemens.com>
Date: Tue, 11 Mar 2025 15:25:36 +0000
From: "Sverdlin, Alexander" <alexander.sverdlin@...mens.com>
To: "s-vadapalli@...com" <s-vadapalli@...com>
CC: "netdev@...r.kernel.org" <netdev@...r.kernel.org>,
	"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>, "srk@...com"
	<srk@...com>
Subject: Re: [PATCH net v2] net: ethernet: ti: am65-cpsw: Fix NAPI
 registration sequence

Hi Siddharth!

On Tue, 2025-03-11 at 20:48 +0530, s-vadapalli@...com wrote:
> > > Registering the interrupts for TX or RX DMA Channels prior to registering
> > > their respective NAPI callbacks can result in a NULL pointer dereference.
> > > This is seen in practice as a random occurrence since it depends on the
> > > randomness associated with the generation of traffic by Linux and the
> > > reception of traffic from the wire.
> > > 
> > > Fixes: 681eb2beb3ef ("net: ethernet: ti: am65-cpsw: ensure proper channel cleanup in error path")
> > > Signed-off-by: Vignesh Raghavendra <vigneshr@...com>
> > > Co-developed-by: Siddharth Vadapalli <s-vadapalli@...com>
> > > Signed-off-by: Siddharth Vadapalli <s-vadapalli@...com>
> > 
> > ...
> > 
> > 
> > > @@ -2590,10 +2591,11 @@ static int am65_cpsw_nuss_init_rx_chns(struct am65_cpsw_common *common)
> > >  	return 0;
> > >  
> > >  err_flow:
> > > -	for (--i; i >= 0 ; i--) {
> > > +	netif_napi_del(&flow->napi_rx);
> > 
> > There are totally 3 "goto err_flow;" instances, so if k3_udma_glue_rx_flow_init() or
> > k3_udma_glue_rx_get_irq() would fail on the first iteration, we would come here without
> > a single call to netif_napi_add().
> 
> The following should address this right?

Looks good to me!

> ------------------------------------------------------------------------------------------------
> diff --git a/drivers/net/ethernet/ti/am65-cpsw-nuss.c b/drivers/net/ethernet/ti/am65-cpsw-nuss.c
> index b88edf2dd8f4..bef734c6e5c2 100644
> --- a/drivers/net/ethernet/ti/am65-cpsw-nuss.c
> +++ b/drivers/net/ethernet/ti/am65-cpsw-nuss.c
> @@ -2581,7 +2581,7 @@ static int am65_cpsw_nuss_init_rx_chns(struct am65_cpsw_common *common)
>                         dev_err(dev, "failure requesting rx %d irq %u, %d\n",
>                                 i, flow->irq, ret);
>                         flow->irq = -EINVAL;
> -                       goto err_flow;
> +                       goto err_request_irq;
>                 }
>         }
> 
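Review bot: Only the devm_request_irq() failure path (the `goto` following `flow->irq = -EINVAL;`) is retargeted to err_request_irq, so the fix is correct only if the remaining `goto err_flow` sites run before netif_napi_add() for that flow. Those sites, the k3_udma_glue_rx_flow_init() and k3_udma_glue_rx_get_irq() failures named in the review above, are outside this hunk. Consider a one-line comment at each of them stating that no NAPI has been added for the current flow yet, so that a later reordering does not silently reintroduce the imbalance.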
> @@ -2590,8 +2590,10 @@ static int am65_cpsw_nuss_init_rx_chns(struct am65_cpsw_common *common)
> 
>         return 0;
> 
> -err_flow:
> +err_request_irq:
>         netif_napi_del(&flow->napi_rx);
> +
> +err_flow:
>         for (--i; i >= 0; i--) {
>                 flow = &rx_chn->flows[i];
>                 devm_free_irq(dev, flow->irq, flow);
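Review bot: err_request_irq falls through into err_flow and depends on `flow` still pointing at the flow of the failing iteration when netif_napi_del(&flow->napi_rx) runs, before the loop reassigns it with `flow = &rx_chn->flows[i];`. A short fall-through comment above err_flow would make that intentional. The visible part of the unwind loop shows only devm_free_irq(); the per-flow netif_napi_del() that the "equal count" explanation below relies on is outside the quoted context and should be confirmed in the final patch.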
> ------------------------------------------------------------------------------------------------
> 
> err_request_irq => We have an extra netif_napi_add() which needs to be
> cleaned up.
> err_flow => Equal count of netif_napi_add() and devm_request_irq() that
> should be cleaned up.

-- 
Alexander Sverdlin
Siemens AG
www.siemens.com
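
An added example, not code from this thread or from the driver: a userspace C model of the cleanup-label reasoning in the message above, comparing a single err_flow label with the err_request_irq/err_flow split. It assumes, from the discussion, that for each flow the NAPI registration comes after the flow-init and get-irq steps and before the IRQ request, and that the unwind loop releases both resources for earlier flows; all names are hypothetical.

```c
/* Userspace model, hypothetical names. Counters: +1 register, -1 release. */
#include <stdio.h>
#define NFLOWS 4
enum step { FLOW_INIT, GET_IRQ, REQUEST_IRQ };
static int napi[NFLOWS], irq[NFLOWS];

/* Fail flow fail_i at fail_step. split=0: single err_flow label that always
 * deletes the current flow's NAPI; split=1: err_request_irq/err_flow pair. */
static int init_rx(int fail_i, enum step fail_step, int split)
{
	int i;
	for (i = 0; i < NFLOWS; i++)
		napi[i] = irq[i] = 0;
	for (i = 0; i < NFLOWS; i++) {
		if (i == fail_i && fail_step != REQUEST_IRQ)
			goto err_flow;		/* fails before NAPI is added */
		napi[i]++;			/* assumed order: NAPI, then IRQ */
		if (i == fail_i)
			goto err_request_irq;	/* one more NAPI than IRQs */
		irq[i]++;
	}
	return 0;
err_flow:
	if (split)
		goto unwind;
err_request_irq:
	napi[i]--;				/* -1 here: deleted but never added */
unwind:
	for (--i; i >= 0; i--)			/* earlier flows hold both */
		irq[i]--, napi[i]--;
	return -1;
}

/* Unbalanced entries summed over every (flow, failing step) combination. */
static int sweep(int split)
{
	int j, k, bad = 0;
	for (k = 0; k < NFLOWS * 3; k++) {
		init_rx(k / 3, (enum step)(k % 3), split);
		for (j = 0; j < NFLOWS; j++)
			bad += (napi[j] != 0) + (irq[j] != 0);
	}
	return bad;
}

int main(void)
{
	return printf("single: %d, split: %d\n", sweep(0), sweep(1)) < 0;
}
```

A nonzero count for the single-label variant corresponds to a NAPI delete on a flow that was never registered, which is the case raised in the review.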
