Re: [PATCH v5 2/6] net/nfb: fix bad pointer access in queue stats

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Stephen Hemminger <stephen@networkplumber.org>
To: spinler@cesnet.cz
Cc: dev@dpdk.org, stable@dpdk.org
Subject: Re: [PATCH v5 2/6] net/nfb: fix bad pointer access in queue stats
Date: Mon, 9 Feb 2026 16:51:09 -0800	[thread overview]
Message-ID: <20260209165109.3d7d17b7@phoenix.local> (raw)
In-Reply-To: <20260202193330.3324681-3-spinler@cesnet.cz>

On Mon,  2 Feb 2026 20:33:26 +0100
spinler@cesnet.cz wrote:

> From: Martin Spinler <spinler@cesnet.cz>
> 
> The driver code has dereferenced the dev->data->rx_queues pointer
> without checking for its validity.
> Pointer invalidation can occur when the eth_dev_rx_queue_config
> is called with set to 0, for example.
> 
> Moreover, an array of pointers (to a structure) was used like array
> of structures (which worked with early dereference just for one queue).
> 
> Fixes: 6435f9a0ac22 ("net/nfb: add new netcope driver")
> Cc: stable@dpdk.org
> 
> Signed-off-by: Martin Spinler <spinler@cesnet.cz>
> ---

AI found this potential issue:

ERRORS (Must Fix)
Patch 26: net/nfb: fix bad pointer access in queue stats

NULL pointer dereference risk

In nfb_eth_stats_get() and nfb_eth_stats_reset(), the patch correctly fixes the array-of-pointers vs array-of-structures bug, but introduces a new issue: it dereferences dev->data->rx_queues[i] and dev->data->tx_queues[i] without NULL checks.

The queues array can contain NULL pointers if a queue is not configured. The original buggy code had an early dereference that would have caught this, but the fixed version will crash on the first access to rx_queue->rx_pkts if the queue pointer is NULL.

I added a simple check, since fixing it takes less time than another patch cycle...

next prev parent reply	other threads:[~2026-02-10  0:51 UTC|newest]

Thread overview: 58+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-01-15 14:01 [PATCH 0/6] spinler
2026-01-15 14:01 ` [PATCH 1/6] net/nfb: use constant values for max Rx/Tx queues count spinler
2026-01-15 14:01 ` [PATCH 2/6] net/nfb: fix bad pointer access in queue stats spinler
2026-01-15 14:01 ` [PATCH 3/6] net/nfb: update timestamp calculation to meaningful value spinler
2026-01-15 14:01 ` [PATCH 4/6] net/nfb: use process private variable for internal data spinler
2026-01-15 14:01 ` [PATCH 5/6] net/nfb: release allocated resources correctly spinler
2026-01-15 14:01 ` [PATCH 6/6] net/nfb: stop only started queues in fail path spinler
2026-01-15 14:40 ` [PATCH v2 0/6] net/nfb: code cleanup spinler
2026-01-15 14:40   ` [PATCH v2 1/6] net/nfb: use constant values for max Rx/Tx queues count spinler
2026-01-15 14:40   ` [PATCH v2 2/6] net/nfb: fix bad pointer access in queue stats spinler
2026-01-15 14:40   ` [PATCH v2 3/6] net/nfb: update timestamp calculation to meaningful value spinler
2026-01-15 14:40   ` [PATCH v2 4/6] net/nfb: use process private variable for internal data spinler
2026-01-15 14:40   ` [PATCH v2 5/6] net/nfb: release allocated resources correctly spinler
2026-01-15 14:40   ` [PATCH v2 6/6] net/nfb: stop only started queues in fail path spinler
2026-01-16  5:48   ` [PATCH v2 0/6] net/nfb: code cleanup Stephen Hemminger
2026-01-16  9:42     ` Martin Spinler
2026-01-16 17:39       ` Stephen Hemminger
2026-01-16 15:20 ` spinler
2026-01-16 15:20   ` [PATCH v3 1/6] net/nfb: use constant values for max Rx/Tx queues count spinler
2026-02-02 17:47     ` Stephen Hemminger
2026-02-02 18:58       ` Martin Špinler
2026-01-16 15:20   ` [PATCH v3 2/6] net/nfb: fix bad pointer access in queue stats spinler
2026-01-16 15:20   ` [PATCH v3 3/6] net/nfb: update timestamp calculation to meaningful value spinler
2026-01-16 15:20   ` [PATCH v3 4/6] net/nfb: use process private variable for internal data spinler
2026-01-20  0:13     ` Stephen Hemminger
2026-01-20 14:13       ` Martin Spinler
2026-01-20 16:11         ` Stephen Hemminger
2026-01-16 15:20   ` [PATCH v3 5/6] net/nfb: release allocated resources correctly spinler
2026-01-20  0:10     ` Stephen Hemminger
2026-01-20 14:14       ` Martin Spinler
2026-01-16 15:20   ` [PATCH v3 6/6] net/nfb: stop only started queues in fail path spinler
2026-01-20  0:09     ` Stephen Hemminger
2026-01-20 14:14       ` Martin Spinler
2026-01-16 15:22 ` [PATCH v3 0/6] net/nfb: code cleanup spinler
2026-01-21  4:57   ` Stephen Hemminger
2026-01-21 17:01 ` [PATCH v4 " spinler
2026-01-21 17:01   ` [PATCH v4 1/6] net/nfb: use constant values for max Rx/Tx queues count spinler
2026-01-21 17:01   ` [PATCH v4 2/6] net/nfb: fix bad pointer access in queue stats spinler
2026-01-21 17:01   ` [PATCH v4 3/6] net/nfb: update timestamp calculation to meaningful value spinler
2026-01-21 17:33     ` Stephen Hemminger
2026-01-27  8:12       ` Martin Spinler
2026-01-27  0:34     ` Stephen Hemminger
2026-01-27  8:16       ` Martin Spinler
2026-01-21 17:01   ` [PATCH v4 4/6] net/nfb: use process private variable for internal data spinler
2026-01-21 17:01   ` [PATCH v4 5/6] net/nfb: release allocated resources correctly spinler
2026-01-21 17:01   ` [PATCH v4 6/6] net/nfb: stop only started queues in fail path spinler
2026-01-21 17:35   ` [PATCH v4 0/6] net/nfb: code cleanup Stephen Hemminger
2026-02-02 19:33 ` [PATCH v5 " spinler
2026-02-02 19:33   ` [PATCH v5 1/6] net/nfb: use constant values for max Rx/Tx queues count spinler
2026-02-02 19:33   ` [PATCH v5 2/6] net/nfb: fix bad pointer access in queue stats spinler
2026-02-10  0:51     ` Stephen Hemminger [this message]
2026-02-02 19:33   ` [PATCH v5 3/6] net/nfb: update timestamp calculation to meaningful value spinler
2026-02-02 19:33   ` [PATCH v5 4/6] net/nfb: use process private variable for internal data spinler
2026-02-02 19:33   ` [PATCH v5 5/6] net/nfb: release allocated resources correctly spinler
2026-02-10  0:52     ` Stephen Hemminger
2026-02-02 19:33   ` [PATCH v5 6/6] net/nfb: stop only started queues in fail path spinler
2026-02-03  1:50   ` [PATCH v5 0/6] net/nfb: code cleanup Stephen Hemminger
2026-02-03  6:36     ` Martin Spinler

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260209165109.3d7d17b7@phoenix.local \
    --to=stephen@networkplumber.org \
    --cc=dev@dpdk.org \
    --cc=spinler@cesnet.cz \
    --cc=stable@dpdk.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.