From: David Carlier
To: horatiu.vultur@microchip.com, UNGLinuxDriver@microchip.com, andrew+netdev@lunn.ch, davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: stable@vger.kernel.org, David Carlier
Subject: [PATCH v2 3/3] net: lan966x: fix use-after-free and leak in lan966x_fdma_reload()
Date: Sat, 4 Apr 2026 00:07:14 +0100
Message-ID: <20260403230714.10667-3-devnexen@gmail.com>
X-Mailer: git-send-email 2.53.0
In-Reply-To: <20260403230714.10667-1-devnexen@gmail.com>
References: <20260403230714.10667-1-devnexen@gmail.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

When lan966x_fdma_reload() fails to allocate new RX buffers, the restore path restarts DMA using old descriptors whose pages were already freed via lan966x_fdma_rx_free_pages(). Since page_pool_put_full_page() can release pages back to the buddy allocator, the hardware may DMA into memory now owned by other kernel subsystems.

Additionally, on the restore path, the newly created page pool (if allocation partially succeeded) is overwritten without being destroyed, leaking it.

Fix both issues by deferring the release of old pages until after the new allocation succeeds. Save the old page array before the allocation so old pages can be freed on the success path. On the failure path, the old descriptors, pages and page pool are all still valid, making the restore safe.

Also ensure the restore path re-enables NAPI and wakes the netdev, matching the success path.

Fixes: 89ba464fcf54 ("net: lan966x: refactor buffer reload function")
Cc: stable@vger.kernel.org
Signed-off-by: David Carlier
---
 .../ethernet/microchip/lan966x/lan966x_fdma.c | 22 ++++++++++++++++---
 1 file changed, 19 insertions(+), 3 deletions(-)
diff --git a/drivers/net/ethernet/microchip/lan966x/lan966x_fdma.c b/drivers/net/ethernet/microchip/lan966x/lan966x_fdma.c index b985ce64bb50..fd6718a23676 100644 --- a/drivers/net/ethernet/microchip/lan966x/lan966x_fdma.c +++ b/drivers/net/ethernet/microchip/lan966x/lan966x_fdma.c @@ -814,9 +814,16 @@ static int lan966x_qsys_sw_status(struct lan966x *lan966x) static int lan966x_fdma_reload(struct lan966x *lan966x, int new_mtu) { + struct page *(*old_pages)[FDMA_RX_DCB_MAX_DBS]; struct page_pool *page_pool; struct fdma fdma_rx_old; - int err; + int err, i, j; + + old_pages = kmemdup(lan966x->rx.page, sizeof(lan966x->rx.page), + GFP_KERNEL); + + if (!old_pages) + return -ENOMEM; /* Store these for later to free them */ memcpy(&fdma_rx_old, &lan966x->rx.fdma, sizeof(struct fdma)); @@ -827,7 +834,6 @@ static int lan966x_fdma_reload(struct lan966x *lan966x, int new_mtu) lan966x_fdma_stop_netdev(lan966x); lan966x_fdma_rx_disable(&lan966x->rx); - lan966x_fdma_rx_free_pages(&lan966x->rx); lan966x->rx.page_order = round_up(new_mtu, PAGE_SIZE) / PAGE_SIZE - 1; lan966x->rx.max_mtu = new_mtu; err = lan966x_fdma_rx_alloc(&lan966x->rx); @@ -835,6 +841,11 @@ static int lan966x_fdma_reload(struct lan966x *lan966x, int new_mtu) goto restore; lan966x_fdma_rx_start(&lan966x->rx); + for (i = 0; i < fdma_rx_old.n_dcbs; ++i) + for (j = 0; j < fdma_rx_old.n_dbs; ++j) + page_pool_put_full_page(page_pool, + old_pages[i][j], false); + fdma_free_coherent(lan966x->dev, &fdma_rx_old); page_pool_destroy(page_pool); @@ -842,12 +853,17 @@ static int lan966x_fdma_reload(struct lan966x *lan966x, int new_mtu) lan966x_fdma_wakeup_netdev(lan966x); napi_enable(&lan966x->napi); - return err; + kfree(old_pages); + return 0; restore: lan966x->rx.page_pool = page_pool; memcpy(&lan966x->rx.fdma, &fdma_rx_old, sizeof(struct fdma)); lan966x_fdma_rx_start(&lan966x->rx); + lan966x_fdma_wakeup_netdev(lan966x); + napi_enable(&lan966x->napi); + + kfree(old_pages); return err; } -- 2.53.0
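Review bot: in the first hunk, kernel style keeps the NULL check directly under the allocation it guards, so drop the blank line between `old_pages = kmemdup(...)` and `if (!old_pages)`. Also, `sizeof(lan966x->rx.page)` is only a full copy of the page table because `rx.page` is the fixed two-dimensional array the `struct page *(*old_pages)[FDMA_RX_DCB_MAX_DBS]` type implies; if that member ever becomes a pointer this silently copies a pointer-sized value instead, so a one-line comment stating that the snapshot relies on `rx.page` being an array would help the next reader.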
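Review bot: in the second hunk, `rx.page_order` and `rx.max_mtu` are still overwritten with the new MTU values before lan966x_fdma_rx_alloc() runs, and the `restore:` label below reinstates the old fdma and page pool but not these two fields. That was already the case before this change, but now that the old pages are deliberately kept alive and restarted on failure, the ring that resumes was allocated at the old page_order while the fields say otherwise; consider saving both next to `fdma_rx_old` and restoring them on the failure path.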
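Review bot: in the third hunk, the new nested loop re-implements what lan966x_fdma_rx_free_pages() did for `rx->page`, only over the saved copy; rather than open-coding it, consider a helper that takes the pool and the page array (or extending the existing one) so the two sites cannot drift apart. Passing `false` for allow_direct is right since this path runs outside the NAPI poll (napi_enable() is called further down), and the ordering, return the pages to the old pool, free the old ring, then page_pool_destroy(), is correct; a short comment on the `false` would save a lookup.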
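Review bot: in the last hunk, the page-pool leak named in the commit message does not appear to be closed: `restore:` still does `lan966x->rx.page_pool = page_pool;`, overwriting whatever pool lan966x_fdma_rx_alloc() created before it failed, without a page_pool_destroy() of that new pool. Similarly, `old_pages` is saved but never copied back, so if the failed allocation wrote new entries into `lan966x->rx.page` the array now disagrees with the restored descriptors. Suggest, before the reassignment, destroying the new pool when it differs from `page_pool` and restoring the array with `memcpy(lan966x->rx.page, old_pages, sizeof(lan966x->rx.page));`. The added wakeup/napi_enable pair mirrors the success path, and `return 0` there is equivalent since `err` is zero on that path.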