From: Jakub Kicinski <kuba@kernel.org>
To: Raju.Rangoju@amd.com
Cc: Jakub Kicinski <kuba@kernel.org>, netdev@vger.kernel.org
Subject: Re: [2/3] net: amd-xgbe: add ARP offload ethtool self-test
Date: Mon, 2 Feb 2026 18:37:13 -0800 [thread overview]
Message-ID: <20260203023713.896262-1-kuba@kernel.org> (raw)
In-Reply-To: <20260202153542.1727429-3-Raju.Rangoju@amd.com>
This is an AI-generated review of your patch. The human sending this
email has considered the AI review valid, or at least plausible.
For local reproduction steps see https://netdev-ai.bots.linux.dev/ai-local.html
---
net: amd-xgbe: add ARP offload ethtool self-test
This patch adds an ethtool self-test to verify the hardware ARP offload
functionality. The test creates an ARP request, enables ARP offload, and
verifies the hardware responds with an ARP reply.
> diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-selftest.c b/drivers/net/ethernet/amd/xgbe/xgbe-selftest.c
> --- a/drivers/net/ethernet/amd/xgbe/xgbe-selftest.c
> +++ b/drivers/net/ethernet/amd/xgbe/xgbe-selftest.c
[ ... ]
> +static int xgbe_test_arpoffload(struct xgbe_prv_data *pdata)
> +{
[ ... ]
> + tdata->pt.type = htons(ETH_P_ARP);
> + tdata->pt.func = xgbe_test_arp_validate;
> + tdata->pt.dev = pdata->netdev;
> + tdata->pt.af_packet_priv = tdata;
> + tdata->packet = &attr;
> + dev_add_pack(&tdata->pt);
[ ... ]
> + /* Create ARP request packet */
> + skb = arp_create(ARPOP_REQUEST, ETH_P_ARP, htonl(dst_ip),
> + pdata->netdev, htonl(src_ip), NULL, src, bcast);
> + if (!skb) {
> + ret = -ENOMEM;
> + goto free;
> + }
Can this cause a use-after-free? The packet handler is registered via
dev_add_pack() before arp_create() is called. When arp_create() fails,
'goto free' jumps directly to kfree(tdata) without calling
dev_remove_pack(&tdata->pt).
This leaves the packet handler registered with a dangling pointer
(tdata->pt.af_packet_priv = tdata). When any ARP packet subsequently
arrives, xgbe_test_arp_validate() is called and dereferences freed memory:
struct net_test_priv *tdata = pt->af_packet_priv;
...
if (!ether_addr_equal_unaligned(eth_hdr->h_dest, tdata->packet->src))
Should 'goto free' be changed to 'goto cleanup' here to ensure
dev_remove_pack() is called?
--
pw-bot: cr
next prev parent reply other threads:[~2026-02-03 2:37 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-02-02 15:35 [PATCH 0/3] net: amd-xgbe: add ARP offload and RSS self-tests Raju Rangoju
2026-02-02 15:35 ` [PATCH 1/3] net: amd-xgbe: add hardware ARP offload support Raju Rangoju
2026-02-02 15:35 ` [PATCH 2/3] net: amd-xgbe: add ARP offload ethtool self-test Raju Rangoju
2026-02-03 2:00 ` kernel test robot
2026-02-03 2:37 ` Jakub Kicinski [this message]
2026-02-02 15:35 ` [PATCH 3/3] net: amd-xgbe: add RSS " Raju Rangoju
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260203023713.896262-1-kuba@kernel.org \
--to=kuba@kernel.org \
--cc=Raju.Rangoju@amd.com \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.