* [PATCH net] net: dsa: sja1105: fix NULL pointer dereference in sja1105_reload_cbs()
@ 2021-06-24 15:52 Vladimir Oltean
2021-06-24 22:50 ` patchwork-bot+netdevbpf
0 siblings, 1 reply; 2+ messages in thread
From: Vladimir Oltean @ 2021-06-24 15:52 UTC (permalink / raw)
To: Jakub Kicinski, David S. Miller, netdev
Cc: Florian Fainelli, Andrew Lunn, Vivien Didelot, Vladimir Oltean
From: Vladimir Oltean <vladimir.oltean@nxp.com>
priv->cbs is an array of priv->info->num_cbs_shapers elements of type
struct sja1105_cbs_entry which only get allocated if CONFIG_NET_SCH_CBS
is enabled.
However, sja1105_reload_cbs() is called from sja1105_static_config_reload()
which in turn is called for any of the items in sja1105_reset_reasons,
therefore during the normal runtime of the driver and not just from a
code path which can be triggered by the tc-cbs offload.
The sja1105_reload_cbs() function does not contain a check whether the
priv->cbs array is NULL or not, it just assumes it isn't and proceeds to
iterate through the credit-based shaper elements. This leads to a NULL
pointer dereference.
The solution is to return success if the priv->cbs array has not been
allocated, since sja1105_reload_cbs() has nothing to do.
Fixes: 4d7525085a9b ("net: dsa: sja1105: offload the Credit-Based Shaper qdisc")
Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
---
drivers/net/dsa/sja1105/sja1105_main.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/net/dsa/sja1105/sja1105_main.c b/drivers/net/dsa/sja1105/sja1105_main.c
index a9777eb564c6..4f0545605f6b 100644
--- a/drivers/net/dsa/sja1105/sja1105_main.c
+++ b/drivers/net/dsa/sja1105/sja1105_main.c
@@ -1818,6 +1818,12 @@ static int sja1105_reload_cbs(struct sja1105_private *priv)
{
int rc = 0, i;
+ /* The credit based shapers are only allocated if
+ * CONFIG_NET_SCH_CBS is enabled.
+ */
+ if (!priv->cbs)
+ return 0;
+
for (i = 0; i < priv->info->num_cbs_shapers; i++) {
struct sja1105_cbs_entry *cbs = &priv->cbs[i];
--
2.25.1
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH net] net: dsa: sja1105: fix NULL pointer dereference in sja1105_reload_cbs()
2021-06-24 15:52 [PATCH net] net: dsa: sja1105: fix NULL pointer dereference in sja1105_reload_cbs() Vladimir Oltean
@ 2021-06-24 22:50 ` patchwork-bot+netdevbpf
0 siblings, 0 replies; 2+ messages in thread
From: patchwork-bot+netdevbpf @ 2021-06-24 22:50 UTC (permalink / raw)
To: Vladimir Oltean
Cc: kuba, davem, netdev, f.fainelli, andrew, vivien.didelot, vladimir.oltean
Hello:
This patch was applied to netdev/net.git (refs/heads/master):
On Thu, 24 Jun 2021 18:52:07 +0300 you wrote:
> From: Vladimir Oltean <vladimir.oltean@nxp.com>
>
> priv->cbs is an array of priv->info->num_cbs_shapers elements of type
> struct sja1105_cbs_entry which only get allocated if CONFIG_NET_SCH_CBS
> is enabled.
>
> However, sja1105_reload_cbs() is called from sja1105_static_config_reload()
> which in turn is called for any of the items in sja1105_reset_reasons,
> therefore during the normal runtime of the driver and not just from a
> code path which can be triggered by the tc-cbs offload.
>
> [...]
Here is the summary with links:
- [net] net: dsa: sja1105: fix NULL pointer dereference in sja1105_reload_cbs()
https://git.kernel.org/netdev/net/c/be7f62eebaff
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2021-06-24 22:50 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-06-24 15:52 [PATCH net] net: dsa: sja1105: fix NULL pointer dereference in sja1105_reload_cbs() Vladimir Oltean
2021-06-24 22:50 ` patchwork-bot+netdevbpf
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).