From: Breno Leitao <leitao@debian.org>
To: Dan Carpenter <dan.carpenter@linaro.org>
Cc: linux-mediatek@lists.infradead.org
Subject: Re: [bug report] net: mediatek: mtk_eth_sock: allocate dummy net_device dynamically
Date: Mon, 22 Jul 2024 02:28:08 -0700
Message-ID: <Zp4mKL/X1HSrjufq@gmail.com>
In-Reply-To: <4160f4e0-cbef-4a22-8b5d-42c4d399e1f7@stanley.mountain>
Hello Dan,
On Fri, Jul 19, 2024 at 06:52:50PM -0500, Dan Carpenter wrote:
> But it's free here. (NULL dereference). I really would suggest moving the
> free_netdev() to the release function. The probe and release function are
> easier to read if they're in mirrored order where every allocation has a
> matching free.
Thanks for reporting it. It seems a real problem at the error path,
indeed.
I've hacked a patch with your suggestion. How does it look?
Author: Breno Leitao <leitao@debian.org>
Date: Mon Jul 22 02:14:19 2024 -0700
net: mediatek: Fix potential NULL pointer dereference in dummy net_device handling
Move the freeing of the dummy net_device from mtk_free_dev() to mtk_remove().
Previously, if alloc_netdev_dummy() failed in mtk_probe(), eth->dummy_dev
would be NULL. The error path would then call mtk_free_dev(), which in turn
called free_netdev() assuming dummy_dev was allocated (but it was not),
potentially causing a NULL pointer dereference.
By moving free_netdev() to mtk_remove(), we ensure it's only called when
mtk_probe() has succeeded and dummy_dev is fully allocated. This addresses
a potential NULL pointer dereference detected by Smatch[1].
Link: https://lore.kernel.org/all/4160f4e0-cbef-4a22-8b5d-42c4d399e1f7@stanley.mountain/ [1]
Fixes: b209bd6d0bff ("net: mediatek: mtk_eth_sock: allocate dummy net_device dynamically")
Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
Suggested-by: Dan Carpenter <dan.carpenter@linaro.org>
Signed-off-by: Breno Leitao <leitao@debian.org>
diff --git a/drivers/net/ethernet/mediatek/mtk_eth_soc.c b/drivers/net/ethernet/mediatek/mtk_eth_soc.c
index 0cc2dd85652f..16ca427cf4c3 100644
--- a/drivers/net/ethernet/mediatek/mtk_eth_soc.c
+++ b/drivers/net/ethernet/mediatek/mtk_eth_soc.c
@@ -4223,8 +4223,6 @@ static int mtk_free_dev(struct mtk_eth *eth)
metadata_dst_free(eth->dsa_meta[i]);
}
- free_netdev(eth->dummy_dev);
-
return 0;
}
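Review bot: With free_netdev(eth->dummy_dev) dropped from mtk_free_dev() here, nothing in this patch frees dummy_dev on the mtk_probe() error path, which the commit message says goes through mtk_free_dev(). A probe failure that happens after alloc_netdev_dummy() has succeeded would leave dummy_dev allocated, because mtk_remove() does not run for a failed probe. Suggest adding an explicit free_netdev(eth->dummy_dev) to the probe unwind for failures after the allocation, so that both the NULL case and the allocated case are handled.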
@@ -5090,6 +5088,7 @@ static void mtk_remove(struct platform_device *pdev)
netif_napi_del(ð->tx_napi);
netif_napi_del(ð->rx_napi);
mtk_cleanup(eth);
+ free_netdev(eth->dummy_dev);
mtk_mdio_cleanup(eth);
}
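Review bot: The added free_netdev(eth->dummy_dev) sits between mtk_cleanup(eth) and mtk_mdio_cleanup(eth), and neither the hunk nor the commit message shows that this position is the reverse of where mtk_probe() allocates dummy_dev. Since the stated aim is a remove path that mirrors probe, please say in the commit message where the allocation sits relative to the MDIO setup, or move the free to match. eth->dummy_dev is also left pointing at freed memory while mtk_mdio_cleanup(eth) still runs on the same eth, so it is worth confirming that nothing after this line reads it.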