lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <aNpYjvpr8xixDUM6@horms.kernel.org>
Date: Mon, 29 Sep 2025 10:59:42 +0100
From: Simon Horman <horms@...nel.org>
To: Siddharth Vadapalli <s-vadapalli@...com>
Cc: Nishanth Menon <nm@...com>,
	Uwe Kleine-König <u.kleine-koenig@...libre.com>,
	Paolo Abeni <pabeni@...hat.com>, Jakub Kicinski <kuba@...nel.org>,
	Eric Dumazet <edumazet@...gle.com>,
	"David S. Miller" <davem@...emloft.net>,
	Andrew Lunn <andrew+netdev@...n.ch>, linux-kernel@...r.kernel.org,
	netdev@...r.kernel.org
Subject: Re: [PATCH] net: netcp: Fix crash in error path when DMA channel
 open fails

On Fri, Sep 26, 2025 at 10:28:47PM +0530, Siddharth Vadapalli wrote:
> On 26/09/25 10:12 PM, Simon Horman wrote:
> > On Fri, Sep 26, 2025 at 09:57:02PM +0530, Siddharth Vadapalli wrote:
> > > On 26/09/25 9:43 PM, Simon Horman wrote:
> > > > On Fri, Sep 26, 2025 at 10:08:53AM -0500, Nishanth Menon wrote:
> > > > > When knav_dma_open_channel() fails in netcp_setup_navigator_resources(),
> > > > > the rx_channel field is set to an ERR_PTR value. Later, when
> > > > > netcp_free_navigator_resources() is called in the error path, it attempts
> > > > > to close this invalid channel pointer, causing a crash.
> > > > > 
> > > > > Add a check for ERR values to handle the failure scenario.
> > > > > 
> > > > > Fixes: 84640e27f230 ("net: netcp: Add Keystone NetCP core driver")
> > > > > Signed-off-by: Nishanth Menon <nm@...com>
> > > > > ---
> > > > > 
> > > > > Seen on kci log for k2hk: https://dashboard.kernelci.org/log-viewer?itemId=ti%3A2eb55ed935eb42c292e02f59&org=ti&type=test&url=http%3A%2F%2Ffiles.kernelci.org%2F%2Fti%2Fmainline%2Fmaster%2Fv6.17-rc7-59-gbf40f4b87761%2Farm%2Fmulti_v7_defconfig%2BCONFIG_EFI%3Dy%2BCONFIG_ARM_LPAE%3Dy%2Bdebug%2Bkselftest%2Btinyconfig%2Fgcc-12%2Fbaseline-nfs-boot.nfs-k2hk-evm.txt.gz
> > > > > 
> > > > >    drivers/net/ethernet/ti/netcp_core.c | 2 +-
> > > > >    1 file changed, 1 insertion(+), 1 deletion(-)
> > > > > 
> > > > > diff --git a/drivers/net/ethernet/ti/netcp_core.c b/drivers/net/ethernet/ti/netcp_core.c
> > > > > index 857820657bac..4ff17fd6caae 100644
> > > > > --- a/drivers/net/ethernet/ti/netcp_core.c
> > > > > +++ b/drivers/net/ethernet/ti/netcp_core.c
> > > > > @@ -1549,7 +1549,7 @@ static void netcp_free_navigator_resources(struct netcp_intf *netcp)
> > > > >    {
> > > > >    	int i;
> > > > > -	if (netcp->rx_channel) {
> > > > > +	if (!IS_ERR(netcp->rx_channel)) {
> > > > >    		knav_dma_close_channel(netcp->rx_channel);
> > > > >    		netcp->rx_channel = NULL;
> > > > >    	}
> > > > 
> > > > Hi Nishanth,
> > > > 
> > > > Thanks for your patch.
> > > > 
> > > > I expect that netcp_txpipe_close() has a similar problem too.
> > > > 
> > > > But I also think that using IS_ERR is not correct, because it seems to me
> > > > that there are also cases where rx_channel can be NULL.
> > > 
> > > Could you please clarify where rx_channel is NULL? rx_channel is set by
> > > invoking knav_dma_open_channel().
> > 
> > Hi Siddharth,
> > 
> > I am assuming that when netcp_setup_navigator_resources() is called, at
> > least for the first time, that netcp->rx_channel is NULL. So any of the
> > occurrence of 'goto fail' in that function before the call to
> > knav_dma_open_channel().
> 
> I missed this. Thank you for pointing this out.

No problem. These error paths are tricking things.

> > > Also, please refer to:
> > > https://github.com/torvalds/linux/commit/5b6cb43b4d62
> > > which specifically points out that knav_dma_open_channel() will not return
> > > NULL so the check for NULL isn't required.
> > > > 
> > > > I see that on error knav_dma_open_channel() always returns ERR_PTR(-EINVAL)
> > > > (open coded as (void *)-EINVAL) on error. So I think a better approach
> > > > would be to change knav_dma_open_channel() to return NULL, and update callers
> > > > accordingly.
> > > 
> > > The commit referred to above made changes to the driver specifically due to
> > > the observation that knav_dma_open_channel() never returns NULL. Modifying
> > > knav_dma_open_channel() to return NULL will effectively result in having to
> > > undo the changes made by the commit.
> > 
> > I wasn't aware of that patch. But my observation is that the return value
> > of knav_dma_open_channel() is still not handled correctly. E.g. the bug
> > your patch is fixing.  And I'm proposing an alternate approach which I feel
> > will be less error-prone.
> 
> Ok. If I understand correctly, you are proposing that the 'error codes'
> returned by knav_dma_open_channel() should be turned into a dev_err() print
> for the user and knav_dma_open_channel() should always return NULL in case
> of failure and a pointer to the channel in case of success. Is that right?

I'm ambivalent regarding the dev_err() part. Because the error is always
the same. And I'm not really sure that logging it adds anything. But if you
do go that way, please consider using %pe.  consider using

Regarding knav_dma_open_channel(0 always returning NULL, yes, that is my
suggestion. Of course the callers and anything else that uses that
return value need to be audited and updated as appropriate.

Thanks!

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ