* [bug report] net: mediatek: mtk_eth_sock: allocate dummy net_device dynamically
@ 2024-07-19 23:52 Dan Carpenter
2024-07-22 9:28 ` Breno Leitao
0 siblings, 1 reply; 3+ messages in thread
From: Dan Carpenter @ 2024-07-19 23:52 UTC (permalink / raw)
To: Breno Leitao; +Cc: linux-mediatek
Hello Breno Leitao,
Commit b209bd6d0bff ("net: mediatek: mtk_eth_sock: allocate dummy
net_device dynamically") from Apr 22, 2024 (linux-next), leads to the
following Smatch static checker warning:
drivers/net/ethernet/mediatek/mtk_eth_soc.c:5061 mtk_probe()
error: we previously assumed 'eth->dummy_dev' could be null (see line 5041)
drivers/net/ethernet/mediatek/mtk_eth_soc.c
5037 /* we run 2 devices on the same DMA ring so we need a dummy device
5038 * for NAPI to work
5039 */
5040 eth->dummy_dev = alloc_netdev_dummy(0);
5041 if (!eth->dummy_dev) {
^^^^^^^^^^^^^^
->dummy_dev is the last allocation
5042 err = -ENOMEM;
5043 dev_err(eth->dev, "failed to allocated dummy device\n");
5044 goto err_unreg_netdev;
5045 }
5046 netif_napi_add(eth->dummy_dev, ð->tx_napi, mtk_napi_tx);
5047 netif_napi_add(eth->dummy_dev, ð->rx_napi, mtk_napi_rx);
5048
5049 platform_set_drvdata(pdev, eth);
5050 schedule_delayed_work(ð->reset.monitor_work,
5051 MTK_DMA_MONITOR_TIMEOUT);
5052
5053 return 0;
5054
5055 err_unreg_netdev:
5056 mtk_unreg_dev(eth);
5057 err_deinit_ppe:
5058 mtk_ppe_deinit(eth);
5059 mtk_mdio_cleanup(eth);
5060 err_free_dev:
--> 5061 mtk_free_dev(eth);
^^^
But it's free here. (NULL dereference). I really would suggest moving the
free_netdev() to the release function. The probe and release function are
easier to read if they're in mirrored order where every allocation has a
matching free.
5062 err_deinit_hw:
5063 mtk_hw_deinit(eth);
5064 err_wed_exit:
5065 mtk_wed_exit();
5066 err_destroy_sgmii:
5067 mtk_sgmii_destroy(eth);
5068
5069 return err;
5070 }
regards,
dan carpenter
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [bug report] net: mediatek: mtk_eth_sock: allocate dummy net_device dynamically
2024-07-19 23:52 [bug report] net: mediatek: mtk_eth_sock: allocate dummy net_device dynamically Dan Carpenter
@ 2024-07-22 9:28 ` Breno Leitao
2024-07-23 15:59 ` Dan Carpenter
0 siblings, 1 reply; 3+ messages in thread
From: Breno Leitao @ 2024-07-22 9:28 UTC (permalink / raw)
To: Dan Carpenter; +Cc: linux-mediatek
Hello Dan,
On Fri, Jul 19, 2024 at 06:52:50PM -0500, Dan Carpenter wrote:
> But it's free here. (NULL dereference). I really would suggest moving the
> free_netdev() to the release function. The probe and release function are
> easier to read if they're in mirrored order where every allocation has a
> matching free.
Thanks for reporting it. It seems a real problem at the error path,
indeed.
I've hacked a patch with your suggestion. how does it look like?
Author: Breno Leitao <leitao@debian.org>
Date: Mon Jul 22 02:14:19 2024 -0700
net: mediatek: Fix potential NULL pointer dereference in dummy net_device handling
Move the freeing of the dummy net_device from mtk_free_dev() to mtk_remove().
Previously, if alloc_netdev_dummy() failed in mtk_probe(), eth->dummy_dev
would be NULL. The error path would then call mtk_free_dev(), which in turn
called free_netdev() assuming dummy_dev was allocated (but it was not),
potentially causing a NULL pointer dereference.
By moving free_netdev() to mtk_remove(), we ensure it's only called when
mtk_probe() has succeeded and dummy_dev is fully allocated. This addresses
a potential NULL pointer dereference detected by Smatch[1].
Link: https://lore.kernel.org/all/4160f4e0-cbef-4a22-8b5d-42c4d399e1f7@stanley.mountain/ [1]
Fixes: b209bd6d0bff ("net: mediatek: mtk_eth_sock: allocate dummy net_device dynamically")
Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
Suggested-by: Dan Carpenter <dan.carpenter@linaro.org>
Signed-off-by: Breno Leitao <leitao@debian.org>
diff --git a/drivers/net/ethernet/mediatek/mtk_eth_soc.c b/drivers/net/ethernet/mediatek/mtk_eth_soc.c
index 0cc2dd85652f..16ca427cf4c3 100644
--- a/drivers/net/ethernet/mediatek/mtk_eth_soc.c
+++ b/drivers/net/ethernet/mediatek/mtk_eth_soc.c
@@ -4223,8 +4223,6 @@ static int mtk_free_dev(struct mtk_eth *eth)
metadata_dst_free(eth->dsa_meta[i]);
}
- free_netdev(eth->dummy_dev);
-
return 0;
}
@@ -5090,6 +5088,7 @@ static void mtk_remove(struct platform_device *pdev)
netif_napi_del(ð->tx_napi);
netif_napi_del(ð->rx_napi);
mtk_cleanup(eth);
+ free_netdev(eth->dummy_dev);
mtk_mdio_cleanup(eth);
}
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [bug report] net: mediatek: mtk_eth_sock: allocate dummy net_device dynamically
2024-07-22 9:28 ` Breno Leitao
@ 2024-07-23 15:59 ` Dan Carpenter
0 siblings, 0 replies; 3+ messages in thread
From: Dan Carpenter @ 2024-07-23 15:59 UTC (permalink / raw)
To: Breno Leitao; +Cc: linux-mediatek
On Mon, Jul 22, 2024 at 02:28:08AM -0700, Breno Leitao wrote:
> Hello Dan,
>
> On Fri, Jul 19, 2024 at 06:52:50PM -0500, Dan Carpenter wrote:
> > But it's free here. (NULL dereference). I really would suggest moving the
> > free_netdev() to the release function. The probe and release function are
> > easier to read if they're in mirrored order where every allocation has a
> > matching free.
>
> Thanks for reporting it. It seems a real problem at the error path,
> indeed.
>
> I've hacked a patch with your suggestion. how does it look like?
>
Looks great, thanks!
Reviewed-by: Dan Carpenter <dan.carpenter@linaro.org>
regards,
dan carpenter
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2024-07-23 16:00 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-07-19 23:52 [bug report] net: mediatek: mtk_eth_sock: allocate dummy net_device dynamically Dan Carpenter
2024-07-22 9:28 ` Breno Leitao
2024-07-23 15:59 ` Dan Carpenter
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).