Re: [PATCH net-next v4 05/13] net: ethernet: oa_tc6: Export standard defined registers

[sashiko-bot@kernel.org]

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:

Pre-existing issues:
- [High] Missing bounds check before extending the receive SKB allows a malformed or corrupted hardware response to crash the kernel via `skb_over_panic()` or NULL pointer dereference.
--

commit 0ab8a76f7ac8aad2293bc78260fe46bae8c49cec
Author: Ciprian Regus <ciprian.regus@analog.com>

net: ethernet: oa_tc6: Export standard defined registers
    
This commit moves standard Open Alliance TC6 register addresses and subfields
into the public oa_tc6 header so other ethernet drivers can use them directly.

> diff --git a/drivers/net/ethernet/oa_tc6.c b/drivers/net/ethernet/oa_tc6.c
> index b37e398e30e37..97df38207827d 100644
> --- a/drivers/net/ethernet/oa_tc6.c
> +++ b/drivers/net/ethernet/oa_tc6.c

[Severity: High]
This is a pre-existing issue, but while reviewing the changes in this file,
I noticed a potential issue with SKB bounds checking in the receive path.

In oa_tc6_update_rx_skb(), the code unconditionally extends the SKB tail:

static void oa_tc6_update_rx_skb(struct oa_tc6 *tc6, u8 *payload, u8 length)
{
        memcpy(skb_put(tc6->rx_skb, length), payload, length);
}

This is called repeatedly for continuous chunks lacking an end_valid
marker via oa_tc6_prcs_ongoing_rx_frame().

If the MAC-PHY misbehaves or the SPI data is corrupted such that the
end_valid bit is missing for consecutive chunks exceeding the MTU size,
will this continuously append data to the SKB and eventually exhaust the
tailroom, triggering skb_over_panic()?

Additionally, if an ongoing chunk is received before a start chunk
(e.g., start_valid=0), could tc6->rx_skb be NULL here, leading to an
immediate NULL pointer dereference in skb_put()?

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260609-adin1140-driver-v4-0-0753e28ee004@analog.com?part=5