From: sashiko-bot@kernel.org
To: "Wei Fang" <wei.fang@nxp.com>
Cc: krzk+dt@kernel.org, conor+dt@kernel.org, Frank.Li@kernel.org,
robh@kernel.org, devicetree@vger.kernel.org, imx@lists.linux.dev
Subject: Re: [PATCH v7 net-next 09/15] net: dsa: add NETC switch tag support
Date: Thu, 14 May 2026 05:22:02 +0000
Message-ID: <20260514052203.57A35C2BCB7@smtp.kernel.org>
In-Reply-To: <20260513030454.1666570-10-wei.fang@nxp.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [High] The `netc_flow_dissect` function accesses `skb->data` out-of-bounds without verifying the SKB's linear length.
--
commit 93fb7c6739d18313bc6426f6ff8df23c472a2795
Author: Wei Fang <wei.fang@nxp.com>
net: dsa: add NETC switch tag support
This commit adds support for the NXP NETC switch tag, a proprietary header
added to frames after the source MAC address. It implements the Forward tag,
SubType 0 of the To_Port tag, and Subtype 0 of the To_Host tag.
> diff --git a/net/dsa/tag_netc.c b/net/dsa/tag_netc.c
> new file mode 100644
> index 0000000000000..07684e0ff0647
> --- /dev/null
> +++ b/net/dsa/tag_netc.c
[ ... ]
> +static void netc_flow_dissect(const struct sk_buff *skb, __be16 *proto,
> + int *offset)
> +{
> + struct netc_tag_cmn *tag_cmn = (struct netc_tag_cmn *)(skb->data - 2);
> + int subtype = FIELD_GET(NETC_TAG_SUBTYPE, tag_cmn->type);

Is it safe to access skb->data directly here without validating the linear
length of the skb?

While the comment below notes that hardware-received frames will have
sufficient linear data, skb_flow_dissect() can also be invoked on locally
injected packets (for example, via AF_PACKET sockets, bpf_prog_test_run,
or tc hooks). For these locally generated packets, skb_headlen(skb) might
be extremely small or even zero.

Could this lead to an out-of-bounds read and kernel panic if the skb is
fragmented? Would it be better to use skb_header_pointer() or validate that
skb_headlen(skb) is large enough before dereferencing?

> + int type = FIELD_GET(NETC_TAG_TYPE, tag_cmn->type);
> + int tag_len = netc_get_rx_tag_len(type, subtype);
> +
> + /* The RX minimum frame length of the NETC switch port is 64 bytes,
> + * and the frame is received by the ENETC driver. From the hardware
> + * perspective, the receive buffer of RX BD is at least 128 bytes,
> + * so the switch tag header is guaranteed to be in the linear region
> + * of the skb.
> + */
> + *offset = tag_len;
> + *proto = ((__be16 *)skb->data)[(tag_len / 2) - 1];
> +}
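Review bot: `tag_len` is used unchecked as an index in the final `*proto = ((__be16 *)skb->data)[(tag_len / 2) - 1];` read, and it is derived from `tag_cmn->type`, a field taken from the frame itself. The body of netc_get_rx_tag_len() is not visible here; if it can return a value below 2 for an unrecognised type/subtype pair, the index becomes -1, and nothing in this function compares tag_len against skb_headlen(skb) either way. The comment above the assignment covers only frames received by the ENETC driver, so it does not bound this read for other callers of the flow dissector. Suggest returning early, leaving *offset and *proto untouched, when tag_len is below 2 or extends past the linear length.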
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260513030454.1666570-1-wei.fang@nxp.com?part=9
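
The bounded read suggested in the review above, modelled in userspace C as an added example (not code from the patch or the kernel). `struct pkt`, `pkt_header_pointer()`, `demo_tag_len()` and `demo_flow_dissect()` are hypothetical names, and the tag layout is constructed for illustration, not the NETC format.

```c
#include <stddef.h>
#include <stdint.h>

/* Userspace stand-in for an skb: head = linear area, frag = paged data. */
struct pkt {
	const uint8_t *head; size_t headlen;
	const uint8_t *frag; size_t fraglen;
};

/* Same contract as skb_header_pointer(): pointer to len bytes at off, copied
 * into buf when not fully linear; NULL when the packet is too short. */
static const void *pkt_header_pointer(const struct pkt *p, size_t off,
				      size_t len, void *buf)
{
	size_t total = p->headlen + p->fraglen;
	uint8_t *dst = buf;

	if (off > total || len > total - off)
		return NULL;
	if (len <= p->headlen && off <= p->headlen - len)
		return p->head + off;
	for (size_t i = 0; i < len; i++, off++)
		dst[i] = off < p->headlen ? p->head[off] : p->frag[off - p->headlen];
	return buf;
}

/* HYPOTHETICAL layout, not the NETC format: byte 0 is the tag type and the
 * tag length is looked up per type (0 = unknown type). */
static size_t demo_tag_len(uint8_t type)
{
	static const size_t len_by_type[] = { 0, 6, 14 };

	return type < 3 ? len_by_type[type] : 0;
}

/* Tag starts at offset 0, EtherType follows it. Returns 0 on success. */
static int demo_flow_dissect(const struct pkt *p, uint16_t *proto, int *offset)
{
	uint8_t tbuf, pbuf[2];
	const uint8_t *type = pkt_header_pointer(p, 0, 1, &tbuf), *pr;
	size_t tag_len = type ? demo_tag_len(*type) : 0;

	if (!tag_len || !(pr = pkt_header_pointer(p, tag_len, 2, pbuf)))
		return -1;
	*proto = (uint16_t)(pr[0] << 8 | pr[1]);
	*offset = (int)tag_len;
	return 0;
}
```

A packet with no linear data at all still dissects correctly because every read goes through the copying helper, while a truncated packet or an unknown tag type is rejected before any byte past the end is touched.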