From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-ot1-f50.google.com (mail-ot1-f50.google.com [209.85.210.50]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 633A9325495 for ; Wed, 15 Apr 2026 02:39:53 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.210.50 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1776220794; cv=none; b=TL8mmvECIq8qOC0eOEQ7F0zyiXU84DOSo2OSLXkoxECnRt3MYrQSLJHXv7TkGQYPCVnwXztYMigBkrCQb2pyNv/HnjFwol8vjcY1USK+J2lpmeAaiV9SyiPIfonYbmlQx8WTx2/j5vuDsKtb3ltBDwIEgNv1tjP3QNHBM3v6nHg= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1776220794; c=relaxed/simple; bh=318sjCWYvNQGpSzDuO5m9LBM2Spar7kIKnblAHp1PYE=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=eZwWIMYtQEUgCidkvEhEMr9dpSUnpWLwSV3UW7xkNXB3siAHyd4OAiJe7g8A/Q2FRGNfdldgALI/cPuB05uJpXVWj25ffN3YwtmaeJAlPbPtDen6uWrV2w5qgtZPUPrW2fNpB4LFiNisFLcbWPC4bUiVeSjqRgwfgjjMEBok4dE= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=UUNtMEqU; arc=none smtp.client-ip=209.85.210.50 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="UUNtMEqU" Received: by mail-ot1-f50.google.com with SMTP id 46e09a7af769-7dbb6c072f1so5794239a34.2 for ; Tue, 14 Apr 2026 19:39:53 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1776220792; x=1776825592; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=/4pZEJvuS7ozDbMvLtLQ4Yf4fNz+jgNzCYp57Or0UAE=; b=UUNtMEqUMmD6Ab7d6mD9od9BdNeXUkUCo40wkdQmEYAQeqbBvZXpf/kq0Qlp6/VGrq yHEkvDm5dIQTfw7jGIMOfsMhJf48PMJgGTImG5DQzecuZFu2hv7aYIkZ0VgkY3UsjQSu w4v3bVe43uL0Q6lwq/zlcf6CcZsVCzkw03GKu2VuYg6n1v2FprM8wpPvcTIsA3FBweBm jNfhjAcgRh1NpSiss+riOlbIvdmaZ5yMY0+p6wEd9+qAmFRtZ/o8UNJv0G6py6OEX2kf sGrT4wnTrP9gAauNRn1sjP4I1ViFULYlXBz275m/yh3xQtr1TmeP2bh8YOcFf+ffjYUK gq0A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1776220792; x=1776825592; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=/4pZEJvuS7ozDbMvLtLQ4Yf4fNz+jgNzCYp57Or0UAE=; b=TlZK8uDbk1Vx1yNDZWUAmic0VRKVfr0Y/oXr+SzvG4smh5qmhSm7IrCHcUtySwQ5EP /Nk+r7oo5fuVtnVfNldGj3/eWcwevvsAGK8mGnw23APrRsNDwHqqYrbazo34dJcORqLD 5rnoKHJWT0DzX79WzLdHLINd3ReIe5tq17vrmcFghl6pJOLXOc6jc6Wa29q/NnxPmD+c k6WcS9sNJAo2xZKo10VvLN007aq5XAOXlDHVEap6BX+7s53qh28ie5DKXEMD9I37OL0E 2KZP56vE7izLA6+/Mk6C6MfuI9k2oFHY768Sn/m1tu8ifEQVRS7xVcUIoz5gnC2jVq5u ehPQ== X-Forwarded-Encrypted: i=1; AFNElJ+NUBzr7nbU8EehZWWDYWuIMF153SMTxDjEBstOF2yKdF2EkpRY4VRc3s2WeW+noJ09XKh63QTkBW1sPks=@vger.kernel.org X-Gm-Message-State: AOJu0YwocQbowjQBD7FBIFQSjWj1nNwnhXMTH9myz+jmjOxk+jelvIt/ OlMTQFM2Ob3oNYcqFdWNav3Eit1i3cPePkAl8pNRaCsUgB7W8NKoSe2O X-Gm-Gg: AeBDiesLASKofThyACNKIVQaReNnQi2X5bqhuWK0p+Bs0kQ74fsMvGFsPAJE9MBOZfi XyH34b0FWveluYuTkzOB9BubIdAE1gPLmSQwU0a/oP9yjsohe2Za+5Jjru1r1RlRgZDvhl+BX9H kiGPNiboWCQkEq5aidx96fR/ZsOepM9Fjjt6Sq4f7Z9dkjFB0phos8YycK2hKrReT14ZHW0F+/S IFUfZFNT0nARry3xCaNxmfngabjj0rTF5aK/7N7r/Vct5echJYfhD6buLCDF1b/aZe0iME2O9E7 m2vqWswcq5tgZo4Hx3vHusagQyxBZbhjgjhqN24PLABxhpCwADiIqVr54XrxHqnrcMJ2X/2MfgN MqPTCBVVYipvef8lFkNS18tPSSniS7xpt2AGbMrfNvOYRB9EK2bqVNh5hiAVRWOUw9Z/ToegdA+ duSdM6/n59jWvurXAHoyHoHVMfB/ipLhJxYLEqPZjDaG36QVFZR46N35HX8552RcHDOn/LVw== X-Received: by 2002:a05:6830:25c5:b0:7d9:f50f:96cf with SMTP id 46e09a7af769-7dc27c6632amr11719357a34.6.1776220792258; Tue, 14 Apr 2026 19:39:52 -0700 (PDT) Received: from localhost (static-23-234-115-121.cust.tzulo.com. [23.234.115.121]) by smtp.gmail.com with UTF8SMTPSA id 46e09a7af769-7dc76a333e8sm406838a34.8.2026.04.14.19.39.50 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Tue, 14 Apr 2026 19:39:51 -0700 (PDT) From: Sam Edwards X-Google-Original-From: Sam Edwards To: Andrew Lunn , "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni Cc: Maxime Coquelin , Alexandre Torgue , "Russell King (Oracle)" , Maxime Chevallier , Ovidiu Panait , Vladimir Oltean , Baruch Siach , Serge Semin , Giuseppe Cavallaro , netdev@vger.kernel.org, linux-stm32@st-md-mailman.stormreply.com, linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org, Sam Edwards , stable@vger.kernel.org Subject: [PATCH net v5] net: stmmac: Prevent NULL deref when RX memory exhausted Date: Tue, 14 Apr 2026 19:39:47 -0700 Message-ID: <20260415023947.7627-1-CFSworks@gmail.com> X-Mailer: git-send-email 2.52.0 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit The CPU receives frames from the MAC through conventional DMA: the CPU allocates buffers for the MAC, then the MAC fills them and returns ownership to the CPU. For each hardware RX queue, the CPU and MAC coordinate through a shared ring array of DMA descriptors: one descriptor per DMA buffer. Each descriptor includes the buffer's physical address and a status flag ("OWN") indicating which side owns the buffer: OWN=0 for CPU, OWN=1 for MAC. The CPU is only allowed to set the flag and the MAC is only allowed to clear it, and both must move through the ring in sequence: thus the ring is used for both "submissions" and "completions." In the stmmac driver, stmmac_rx() bookmarks its position in the ring with the `cur_rx` index. The main receive loop in that function checks for rx_descs[cur_rx].own=0, gives the corresponding buffer to the network stack (NULLing the pointer), and increments `cur_rx` modulo the ring size. After the loop exits, stmmac_rx_refill(), which bookmarks its position with `dirty_rx`, allocates fresh buffers and rearms the descriptors (setting OWN=1). If it fails any allocation, it simply stops early (leaving OWN=0) and will retry where it left off when next called. This means descriptors have a three-stage lifecycle (terms my own): - `empty` (OWN=1, buffer valid) - `full` (OWN=0, buffer valid and populated) - `dirty` (OWN=0, buffer NULL) But because stmmac_rx() only checks OWN, it confuses `full`/`dirty`. In the past (see 'Fixes:'), there was a bug where the loop could cycle `cur_rx` all the way back to the first descriptor it dirtied, resulting in a NULL dereference when mistaken for `full`. The aforementioned commit resolved that *specific* failure by capping the loop's iteration limit at `dma_rx_size - 1`, but this is only a partial fix: if the previous stmmac_rx_refill() didn't complete, then there are leftover `dirty` descriptors that the loop might encounter without needing to cycle fully around. The current code therefore panics (see 'Closes:') when stmmac_rx_refill() is memory-starved long enough for `cur_rx` to catch up to `dirty_rx`. Fix this by further tightening the clamp from `dma_rx_size - 1` to `dma_rx_size - stmmac_rx_dirty() - 1`, subtracting any remnant dirty entries and limiting the loop so that `cur_rx` cannot catch back up to `dirty_rx`. This carries no risk of arithmetic underflow: since the maximum possible return value of stmmac_rx_dirty() is `dma_rx_size - 1`, the worst the clamp can do is prevent the loop from running at all. Fixes: b6cb4541853c7 ("net: stmmac: avoid rx queue overrun") Closes: https://bugzilla.kernel.org/show_bug.cgi?id=221010 Cc: stable@vger.kernel.org Signed-off-by: Sam Edwards --- Hi list, This is a single patch broken out of [1]. The second patch in that series, which proactively refills the RX ring buffer when memory is low, still has some unresolved feedback: it should use a timer to avoid nuisance polling while the system is suffering OOM. Further discussion makes me wonder whether that second patch should even be threshold-triggered at all, or if it should be a handler for the RBU ("Receive Buffer Unavailable") interrupt instead. So, while that patch is back at the drawing board, I am submitting this one (which is higher-priority as it resolves a *panic*) separately. Regards, Sam [1] https://lore.kernel.org/all/20260401041929.12392-1-CFSworks@gmail.com/ --- drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c index 13d3cac056be..fc11f75f7dc0 100644 --- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c @@ -5609,7 +5609,8 @@ static int stmmac_rx(struct stmmac_priv *priv, int limit, u32 queue) dma_dir = page_pool_get_dma_dir(rx_q->page_pool); bufsz = DIV_ROUND_UP(priv->dma_conf.dma_buf_sz, PAGE_SIZE) * PAGE_SIZE; - limit = min(priv->dma_conf.dma_rx_size - 1, (unsigned int)limit); + limit = min(priv->dma_conf.dma_rx_size - stmmac_rx_dirty(priv, queue) - 1, + (unsigned int)limit); if (netif_msg_rx_status(priv)) { void *rx_head; -- 2.52.0