From: sashiko-bot@kernel.org
To: "Wei Fang" <wei.fang@nxp.com>
Cc: imx@lists.linux.dev, devicetree@vger.kernel.org,
Frank.Li@kernel.org, robh@kernel.org, conor+dt@kernel.org,
krzk+dt@kernel.org
Subject: Re: [PATCH v6 net-next 09/15] net: dsa: add NETC switch tag support
Date: Sun, 10 May 2026 10:48:35 +0000 [thread overview]
Message-ID: <20260510104835.E0009C2BCB8@smtp.kernel.org> (raw)
In-Reply-To: <20260509102954.4116624-10-wei.fang@nxp.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [High] Out-of-bounds memory read in `netc_flow_dissect()` due to missing SKB header linearization.
--
commit 497c9819ff3bedb82e4e40b92e407f5f3d81f984
Author: Wei Fang <wei.fang@nxp.com>
net: dsa: add NETC switch tag support
This commit adds support for the NXP NETC proprietary switch tag to the
DSA subsystem. It defines the NETC tag formats and implements the transmit,
receive, and flow dissection operations for the new tag protocol.
> diff --git a/net/dsa/tag_netc.c b/net/dsa/tag_netc.c
> new file mode 100644
> index 0000000000000..b29aa54b19881
> --- /dev/null
> +++ b/net/dsa/tag_netc.c
[ ... ]
> +static void netc_flow_dissect(const struct sk_buff *skb, __be16 *proto,
> + int *offset)
> +{
> + struct netc_tag_cmn *tag_cmn = (struct netc_tag_cmn *)(skb->data - 2);
> + int tag_len = netc_get_rx_tag_len(tag_cmn->type);
> +
> + *offset = tag_len;
> + *proto = ((__be16 *)skb->data)[(tag_len / 2) - 1];
Is it possible for the packet headers to span paged fragments when this is
called?
Since flow_dissect takes a const struct sk_buff pointer and can be invoked
on untrusted or non-linear SKBs (for example, those injected via AF_PACKET
on the egress path), the linear portion of the buffer might be smaller
than the expected tag length.
If tag_len reaches up to 14 bytes, these direct accesses to skb->data
could read past the linear boundary and trigger a page fault or read
uninitialized memory.
Would it be safer to use skb_header_pointer() here to reliably extract the
tag and protocol fields instead of relying on direct pointer arithmetic?
> +}
[ ... ]
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260509102954.4116624-1-wei.fang@nxp.com?part=9
next prev parent reply other threads:[~2026-05-10 10:48 UTC|newest]
Thread overview: 35+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-09 10:29 [PATCH v6 net-next 00/15] Add preliminary NETC switch support for i.MX94 Wei Fang
2026-05-09 10:29 ` [PATCH v6 net-next 01/15] dt-bindings: net: dsa: update the description of 'dsa,member' property Wei Fang
2026-05-09 10:29 ` [PATCH v6 net-next 02/15] dt-bindings: net: dsa: add NETC switch Wei Fang
2026-05-10 10:48 ` sashiko-bot
2026-05-09 10:29 ` [PATCH v6 net-next 03/15] net: enetc: add pre-boot initialization for i.MX94 switch Wei Fang
2026-05-09 10:29 ` [PATCH v6 net-next 04/15] net: enetc: add basic operations to the FDB table Wei Fang
2026-05-09 10:29 ` [PATCH v6 net-next 05/15] net: enetc: add support for the "Add" operation to VLAN filter table Wei Fang
2026-05-10 10:48 ` sashiko-bot
2026-05-11 2:05 ` Wei Fang
2026-05-11 2:21 ` Wei Fang
2026-05-09 10:29 ` [PATCH v6 net-next 06/15] net: enetc: add support for the "Update" operation to buffer pool table Wei Fang
2026-05-10 10:48 ` sashiko-bot
2026-05-11 2:01 ` Wei Fang
2026-05-11 2:22 ` Wei Fang
2026-05-09 10:29 ` [PATCH v6 net-next 07/15] net: enetc: add support for "Add" and "Delete" operations to IPFT Wei Fang
2026-05-10 10:48 ` sashiko-bot
2026-05-11 2:11 ` Wei Fang
2026-05-11 2:21 ` Wei Fang
2026-05-09 10:29 ` [PATCH v6 net-next 08/15] net: enetc: add multiple command BD rings support Wei Fang
2026-05-09 10:29 ` [PATCH v6 net-next 09/15] net: dsa: add NETC switch tag support Wei Fang
2026-05-10 10:48 ` sashiko-bot [this message]
2026-05-11 2:18 ` Wei Fang
2026-05-09 10:29 ` [PATCH v6 net-next 10/15] net: dsa: netc: introduce NXP NETC switch driver for i.MX94 Wei Fang
2026-05-10 10:48 ` sashiko-bot
2026-05-09 10:29 ` [PATCH v6 net-next 11/15] net: dsa: netc: add phylink MAC operations Wei Fang
2026-05-10 10:48 ` sashiko-bot
2026-05-11 2:17 ` Wei Fang
2026-05-09 10:29 ` [PATCH v6 net-next 12/15] net: dsa: netc: add FDB, STP, MTU, port setup and host flooding support Wei Fang
2026-05-10 10:48 ` sashiko-bot
2026-05-09 10:29 ` [PATCH v6 net-next 13/15] net: dsa: netc: initialize buffer pool table and implement flow-control Wei Fang
2026-05-10 10:48 ` sashiko-bot
2026-05-09 10:29 ` [PATCH v6 net-next 14/15] net: dsa: netc: add support for the standardized counters Wei Fang
2026-05-10 10:48 ` sashiko-bot
2026-05-09 10:29 ` [PATCH v6 net-next 15/15] net: dsa: netc: add support for ethtool private statistics Wei Fang
2026-05-10 10:48 ` sashiko-bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260510104835.E0009C2BCB8@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=Frank.Li@kernel.org \
--cc=conor+dt@kernel.org \
--cc=devicetree@vger.kernel.org \
--cc=imx@lists.linux.dev \
--cc=krzk+dt@kernel.org \
--cc=robh@kernel.org \
--cc=sashiko@lists.linux.dev \
--cc=wei.fang@nxp.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox