Re: [PATCH net v5 2/4] net: mvpp2: limit XDP frame size to the RX buffer

[sashiko-bot@kernel.org]

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:

Pre-existing issues:
- [High] Changing MTU to a value > 1664 silently disables per-CPU pools while leaving XDP programs attached, leading to a NULL pointer dereference when XDP drops or redirects packets.
--

commit de2e76bdbee6c2ad0c3dc5a24f4854767f944f85
Author: Til Kaiser <mail@tk154.de>

net: mvpp2: limit XDP frame size to the RX buffer

mvpp2 has short and long BM pools, and short pool buffers can be smaller
than PAGE_SIZE. The XDP path nevertheless initializes every xdp_buff with
PAGE_SIZE as frame size.

> diff --git a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
> index 92a701f4fe3f5..3372ed27cc8d6 100644
> --- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
> +++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
> @@ -3979,7 +3979,7 @@ static int mvpp2_rx(struct mvpp2_port *port, struct napi_struct *napi,
>  			else
>  				xdp_rxq = &rxq->xdp_rxq_long;
>  
> -			xdp_init_buff(&xdp, PAGE_SIZE, xdp_rxq);
> +			xdp_init_buff(&xdp, bm_pool->frag_size, xdp_rxq);
>  			xdp_prepare_buff(&xdp, data,
>  					 MVPP2_MH_SIZE + MVPP2_SKB_HEADROOM,
>  					 rx_bytes, true);

[Severity: High]
This isn't a bug introduced by this patch, but could this lead to a NULL
pointer dereference in the XDP path?

If the MTU is changed to a value > 1664 on another port, mvpp2_change_mtu()
globally disables per-CPU pools:

drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c:mvpp2_change_mtu() {
    ...
	if (priv->percpu_pools) {
		netdev_warn(dev, "mtu %d too high, switching to shared buffers", mtu);
		mvpp2_bm_switch_buffers(priv, false);
	}
    ...
}

This leaves other ports with their XDP programs still attached but without
per-CPU pools. When a packet arrives, mvpp2_rx() leaves pp as NULL:

drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c:mvpp2_rx() {
    ...
		if (port->priv->percpu_pools) {
			pp = port->priv->page_pool[pool];
			dma_dir = page_pool_get_dma_dir(pp);
		} else {
			dma_dir = DMA_FROM_DEVICE;
		}
    ...
}

Shortly after xdp_prepare_buff() in mvpp2_rx(), mvpp2_run_xdp() is called
with the NULL pp. If the XDP program drops or redirects the packet, does
mvpp2_run_xdp() pass the NULL pp to page_pool_put_page(), causing a panic?

drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c:mvpp2_run_xdp() {
    ...
	case XDP_DROP:
		ret = MVPP2_XDP_DROPPED;
		page = virt_to_head_page(xdp->data);
		page_pool_put_page(pp, page, sync, true);
    ...
}

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260607134943.21996-1-mail@tk154.de?part=2