Re: [PATCH net-next v4 08/16] net: ethernet: oa_tc6: Remove FCS size in RX frame

Devicetree
 help / color / mirror / Atom feed

From: sashiko-bot@kernel.org
To: "Selvamani Rajagopal via B4 Relay"
	<devnull+Selvamani.Rajagopal.onsemi.com@kernel.org>
Cc: conor+dt@kernel.org, devicetree@vger.kernel.org, robh@kernel.org
Subject: Re: [PATCH net-next v4 08/16] net: ethernet: oa_tc6: Remove FCS size in RX frame
Date: Sun, 07 Jun 2026 05:42:57 +0000	[thread overview]
Message-ID: <20260607054257.CFE481F00898@smtp.kernel.org> (raw)
In-Reply-To: <20260605-s2500-mac-phy-support-v4-8-de0fbc13c6d8@onsemi.com>

Thank you for your contribution! Sashiko AI review found 5 potential issue(s) to consider:

New issues:
- [High] Missing length validation before pulling headers from the received packet can lead to out-of-bounds reads and integer underflow on `skb->len`.
- [High] Dereferencing `skb->data` as a 32-bit integer causes unaligned memory accesses, leading to alignment faults on some architectures.

Pre-existing issues:
- [High] Missing bounds check on `skb_put()` during RX chunk processing allows a malfunctioning MAC-PHY to cause a kernel panic via `skb_over_panic()`.
- [High] A transient memory allocation failure permanently kills the driver's SPI worker thread, rendering the interface permanently unusable.
- [High] Processing intermediate or end-only RX chunks when no SKB is allocated causes a NULL pointer dereference.
--

commit 84d3033631dd42f209b8cf8f2057dce10291f539
Author: Selvamani Rajagopal <Selvamani.Rajagopal@onsemi.com>

net: ethernet: oa_tc6: Remove FCS size in RX frame

This commit modifies the RX path to strip the Ethernet FCS from incoming
frames before passing them to the networking stack. The stripping is skipped
if the user has requested to keep the FCS via NETIF_F_RXFCS.

> diff --git a/drivers/net/ethernet/oa_tc6/oa_tc6.c b/drivers/net/ethernet/oa_tc6/oa_tc6.c
> index 2f9ace655e81c..26033373f16fc 100644
> --- a/drivers/net/ethernet/oa_tc6/oa_tc6.c
> +++ b/drivers/net/ethernet/oa_tc6/oa_tc6.c
> @@ -782,12 +782,22 @@ static void oa_tc6_submit_rx_skb(struct oa_tc6 *tc6)
>  {
>  	oa_tc6_update_ts_in_rx_skb(tc6);

[Severity: High]
Can an undersized frame cause an integer underflow on skb->len?

Looking at oa_tc6_update_ts_in_rx_skb() in drivers/net/ethernet/oa_tc6/oa_tc6.c:

    ts[0] = be32_to_cpu(*((u32 *)(skb->data)));
    ts[1] = be32_to_cpu(*((u32 *)(skb->data) + 1));
    ...
    skb_pull(skb, sizeof(ts));

This sequence reads 8 bytes from skb->data and pulls them without verifying if
skb->len is at least 8. 

Later, eth_type_trans() will pull ETH_HLEN. If a small or corrupted frame is
received, could these pulls subtract past zero and wrap skb->len to a huge
value, leading to out-of-bounds accesses?

[Severity: High]
Is there a risk of unaligned memory access faults here?

In oa_tc6_update_ts_in_rx_skb():

    ts[0] = be32_to_cpu(*((u32 *)(skb->data)));

The receive SKB is typically allocated with netdev_alloc_skb_ip_align(), which
offsets skb->data by 2 bytes to align the IP header. Casting this unaligned
pointer to a 32-bit integer and dereferencing it can trigger alignment faults
on architectures lacking hardware support for unaligned accesses. 

Would using get_unaligned_be32(skb->data) prevent this issue?

> +	/* MAC-PHY delivers each frame with its Ethernet FCS attached.
[ ... ]
> +	if (!(tc6->netdev->features & NETIF_F_RXFCS) &&
> +			tc6->rx_skb->len > ETH_FCS_LEN)
> +		skb_trim(tc6->rx_skb, tc6->rx_skb->len - ETH_FCS_LEN);
> +
>  	tc6->rx_skb->protocol = eth_type_trans(tc6->rx_skb, tc6->netdev);
>  	tc6->netdev->stats.rx_packets++;
[ ... ]

Looking at oa_tc6_update_rx_skb() in drivers/net/ethernet/oa_tc6/oa_tc6.c:

    memcpy(skb_put(tc6->rx_skb, length), payload, length);

[Severity: High]
This is a pre-existing issue, but does this skb_put() call need a bounds
check?

If a malfunctioning MAC-PHY sends an unexpectedly large frame or continuously
sends intermediate chunks (where start_valid and end_valid are false), the
accumulated length could exceed the allocated SKB buffer size. 

Will this trigger skb_over_panic() and crash the kernel?

Looking at the interaction between oa_tc6_allocate_rx_skb() and
oa_tc6_spi_thread_handler() in drivers/net/ethernet/oa_tc6/oa_tc6.c:

oa_tc6_allocate_rx_skb():
    if (!tc6->rx_skb) {
        tc6->netdev->stats.rx_dropped++;
        return -ENOMEM;
    }

oa_tc6_spi_thread_handler():
    ret = oa_tc6_try_spi_transfer(tc6);
    if (ret)
        return ret;

[Severity: High]
This is a pre-existing issue, but how does the driver recover if memory
allocation fails?

If oa_tc6_allocate_rx_skb() returns -ENOMEM, the error propagates through
oa_tc6_try_spi_transfer() to oa_tc6_spi_thread_handler(), which then exits
its loop and terminates the kthread. 

Since this thread handles all communication with the MAC-PHY, does a transient
out-of-memory condition cause a permanent denial of service for the interface
until the module is reloaded?

Looking at oa_tc6_prcs_ongoing_rx_frame() and oa_tc6_update_rx_skb() in
drivers/net/ethernet/oa_tc6/oa_tc6.c:

oa_tc6_prcs_ongoing_rx_frame():
    oa_tc6_update_rx_skb(tc6, payload, OA_TC6_CHUNK_PAYLOAD_SIZE);

oa_tc6_update_rx_skb():
    memcpy(skb_put(tc6->rx_skb, length), payload, length);

[Severity: High]
This is a pre-existing issue, but what happens if an intermediate or end-only
RX chunk arrives when no SKB is allocated?

If a chunk arrives with start_valid=false (for example, due to dropped
previous chunks or an SPI transport error) and tc6->rx_skb is NULL, the driver
unconditionally calls oa_tc6_update_rx_skb(). 

Could calling skb_put() on a NULL tc6->rx_skb result in an immediate kernel
panic?

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260605-s2500-mac-phy-support-v4-0-de0fbc13c6d8@onsemi.com?part=8

next prev parent reply	other threads:[~2026-06-07  5:42 UTC|newest]

Thread overview: 29+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-06-06  5:42 [PATCH net-next v4 00/16] Support for onsemi's S2500 10Base-T1S MAC-PHY Selvamani Rajagopal via B4 Relay
2026-06-06  5:42 ` [PATCH net-next v4 01/16] net: phy: Helper to read and write through C45 without lock Selvamani Rajagopal via B4 Relay
2026-06-06  5:42 ` [PATCH net-next v4 02/16] net: phy: Helper to modify PHY loopback mode only Selvamani Rajagopal via B4 Relay
2026-06-06  5:42 ` [PATCH net-next v4 03/16] net: ethernet: oa_tc6: Move oa_tc6.c to its own directory Selvamani Rajagopal via B4 Relay
2026-06-07  5:42   ` sashiko-bot
2026-06-06  5:42 ` [PATCH net-next v4 04/16] net: phy: microchip_t1s: Use generic APIs for C45 read and write Selvamani Rajagopal via B4 Relay
2026-06-06  5:42 ` [PATCH net-next v4 05/16] net: ethernet: oa_tc6: Move constant definitions to header file Selvamani Rajagopal via B4 Relay
2026-06-06  5:42 ` [PATCH net-next v4 06/16] net: ethernet: oa_tc6: Support for hardware timestamp Selvamani Rajagopal via B4 Relay
2026-06-07  5:42   ` sashiko-bot
2026-06-06  5:42 ` [PATCH net-next v4 07/16] net: ethernet: oa_tc6: Support for vendor specific MMS Selvamani Rajagopal via B4 Relay
2026-06-07  5:42   ` sashiko-bot
2026-06-06  5:42 ` [PATCH net-next v4 08/16] net: ethernet: oa_tc6: Remove FCS size in RX frame Selvamani Rajagopal via B4 Relay
2026-06-07  5:42   ` sashiko-bot [this message]
2026-06-06  5:42 ` [PATCH net-next v4 09/16] net: ethernet: oa_tc6: read, write interface with MMS option Selvamani Rajagopal via B4 Relay
2026-06-07  5:43   ` sashiko-bot
2026-06-06  5:42 ` [PATCH net-next v4 10/16] net: phy: ncn26000: Support for onsemi's S2500 internal phy Selvamani Rajagopal via B4 Relay
2026-06-06  5:42 ` [PATCH net-next v4 11/16] net: phy: ncn26000: Enable enhanced noise immunity Selvamani Rajagopal via B4 Relay
2026-06-06  5:42 ` [PATCH net-next v4 12/16] net: phy: ncn26000: Support for loopback support Selvamani Rajagopal via B4 Relay
2026-06-07  5:43   ` sashiko-bot
2026-06-06  5:42 ` [PATCH net-next v4 13/16] onsemi: s2500: Add driver support for TS2500 MAC-PHY Selvamani Rajagopal via B4 Relay
2026-06-07  5:43   ` sashiko-bot
2026-06-07  5:56   ` Randy Dunlap
2026-06-06  5:42 ` [PATCH net-next v4 14/16] onsemi: s2500: Added selftest support to onsemi's S2500 driver Selvamani Rajagopal via B4 Relay
2026-06-07  5:43   ` sashiko-bot
2026-06-06  5:42 ` [PATCH net-next v4 15/16] dt-bindings: net: add onsemi's S2500 Selvamani Rajagopal via B4 Relay
2026-06-07  5:43   ` sashiko-bot
2026-06-06  5:42 ` [PATCH net-next v4 16/16] Documentation: networking: Add timestamp related APIs to OA TC6 framework Selvamani Rajagopal via B4 Relay
2026-06-07  5:43   ` sashiko-bot
2026-06-07  5:49   ` Randy Dunlap

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260607054257.CFE481F00898@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=conor+dt@kernel.org \
    --cc=devicetree@vger.kernel.org \
    --cc=devnull+Selvamani.Rajagopal.onsemi.com@kernel.org \
    --cc=robh@kernel.org \
    --cc=sashiko-reviews@lists.linux.dev \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox