From: David Carlier
To: horatiu.vultur@microchip.com, UNGLinuxDriver@microchip.com, andrew+netdev@lunn.ch, davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: stable@vger.kernel.org, David Carlier
Subject: [PATCH net v3 v3 3/3] net: lan966x: fix use-after-free and leak in lan966x_fdma_reload()
Date: Sun, 5 Apr 2026 06:52:41 +0100
Message-ID: <20260405055241.35767-4-devnexen@gmail.com>
X-Mailer: git-send-email 2.53.0
In-Reply-To: <20260405055241.35767-1-devnexen@gmail.com>
References: <20260405055241.35767-1-devnexen@gmail.com>

When lan966x_fdma_reload() fails to allocate new RX buffers, the restore path restarts DMA using old descriptors whose pages were already freed via lan966x_fdma_rx_free_pages(). Since page_pool_put_full_page() can release pages back to the buddy allocator, the hardware may DMA into memory now owned by other kernel subsystems.

Additionally, on the restore path, the newly created page pool (if allocation partially succeeded) is overwritten without being destroyed, leaking it.

Fix both issues by deferring the release of old pages until after the new allocation succeeds. Save the old page array before the allocation so old pages can be freed on the success path. On the failure path, the old descriptors, pages and page pool are all still valid, making the restore safe.

Also ensure the restore path re-enables NAPI and wakes the netdev, matching the success path.

Fixes: 89ba464fcf54 ("net: lan966x: refactor buffer reload function")
Cc: stable@vger.kernel.org
Signed-off-by: David Carlier
---
 .../ethernet/microchip/lan966x/lan966x_fdma.c | 21 ++++++++++++++++---
 1 file changed, 18 insertions(+), 3 deletions(-)
diff --git a/drivers/net/ethernet/microchip/lan966x/lan966x_fdma.c b/drivers/net/ethernet/microchip/lan966x/lan966x_fdma.c index 10773fe93d4d..f8ce735a7fc0 100644 --- a/drivers/net/ethernet/microchip/lan966x/lan966x_fdma.c +++ b/drivers/net/ethernet/microchip/lan966x/lan966x_fdma.c @@ -812,9 +812,15 @@ static int lan966x_qsys_sw_status(struct lan966x *lan966x) static int lan966x_fdma_reload(struct lan966x *lan966x, int new_mtu) { + struct page *(*old_pages)[FDMA_RX_DCB_MAX_DBS]; struct page_pool *page_pool; struct fdma fdma_rx_old; - int err; + int err, i, j; + + old_pages = kmemdup(lan966x->rx.page, sizeof(lan966x->rx.page), + GFP_KERNEL); + if (!old_pages) + return -ENOMEM; /* Store these for later to free them */ memcpy(&fdma_rx_old, &lan966x->rx.fdma, sizeof(struct fdma)); @@ -825,7 +831,6 @@ static int lan966x_fdma_reload(struct lan966x *lan966x, int new_mtu) lan966x_fdma_stop_netdev(lan966x); lan966x_fdma_rx_disable(&lan966x->rx); - lan966x_fdma_rx_free_pages(&lan966x->rx); lan966x->rx.page_order = round_up(new_mtu, PAGE_SIZE) / PAGE_SIZE - 1; lan966x->rx.max_mtu = new_mtu; err = lan966x_fdma_rx_alloc(&lan966x->rx); @@ -833,6 +838,11 @@ static int lan966x_fdma_reload(struct lan966x *lan966x, int new_mtu) goto restore; lan966x_fdma_rx_start(&lan966x->rx); + for (i = 0; i < fdma_rx_old.n_dcbs; ++i) + for (j = 0; j < fdma_rx_old.n_dbs; ++j) + page_pool_put_full_page(page_pool, + old_pages[i][j], false); + fdma_free_coherent(lan966x->dev, &fdma_rx_old); page_pool_destroy(page_pool); @@ -840,12 +850,17 @@ static int lan966x_fdma_reload(struct lan966x *lan966x, int new_mtu) lan966x_fdma_wakeup_netdev(lan966x); napi_enable(&lan966x->napi); - return err; + kfree(old_pages); + return 0; restore: lan966x->rx.page_pool = page_pool; memcpy(&lan966x->rx.fdma, &fdma_rx_old, sizeof(struct fdma)); lan966x_fdma_rx_start(&lan966x->rx); + lan966x_fdma_wakeup_netdev(lan966x); + napi_enable(&lan966x->napi); + + kfree(old_pages); return err; } -- 2.53.0
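Review bot: In the first hunk, the correctness of `sizeof(lan966x->rx.page)` in the kmemdup() call depends on rx.page being an inline two-dimensional array of `struct page *` whose inner dimension is FDMA_RX_DCB_MAX_DBS; if it were a pointer the copy would be pointer-sized and the loops that later index `old_pages[i][j]` would read past it. A one-line comment above the kmemdup() saying that the whole RX page table is snapshotted so the old pages can be released once the new ring is live would make the intent clear (the existing `/* Store these for later to free them */` only covers fdma_rx_old), and a `BUILD_BUG_ON(sizeof(*old_pages) != sizeof(lan966x->rx.page[0]))` would pin the snapshot type to the array it copies.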
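Review bot: With the lan966x_fdma_rx_free_pages() call removed in the second hunk, `rx.page_order` and `rx.max_mtu` are set to the new-MTU values while the old ring, pool and pages are deliberately kept alive, yet the restore path later restarts that old ring without reverting these two fields, so anything that derives the receive buffer size from rx.page_order would disagree with the descriptors actually in use. Since the commit message now describes the restore as fully safe, save the previous page_order and max_mtu alongside fdma_rx_old and reset them under the `restore:` label.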
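Review bot: The nested loop in the third hunk passes `old_pages[i][j]` straight to page_pool_put_full_page(); if any slot of the snapshot can be NULL, that call dereferences it, so either confirm the array is always fully populated whenever the reload runs or guard the call. The loop also appears to re-implement what lan966x_fdma_rx_free_pages() did for the live array; giving that helper the page array and pool as parameters and calling it here with `old_pages` and the saved `page_pool` would keep a single release path and make the `allow_direct == false` choice reviewable in one place.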
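Review bot: In the last hunk the restore path puts back `page_pool` and `fdma_rx_old` but not the page table: lan966x_fdma_rx_alloc() ran against the live `lan966x->rx` (which is why the array had to be snapshotted), so any entries it filled before failing now name pages from the new pool while the restarted descriptors still carry the old DMA addresses, and the old pages for those slots are only reachable through `old_pages`, which is then kfree()d. Copy the snapshot back before freeing it, e.g. `memcpy(lan966x->rx.page, old_pages, sizeof(lan966x->rx.page));`. The same hunk still assigns `lan966x->rx.page_pool = page_pool` unconditionally, so a pool created by the failed allocation (the leak the commit message says this patch fixes) is still overwritten without page_pool_destroy(); either tear it down here together with whatever pages were allocated into it, or state in the commit message that lan966x_fdma_rx_alloc() cleans up after itself on failure.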