From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from pandora.armlinux.org.uk (pandora.armlinux.org.uk [78.32.30.218]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 47B393DC4A0; Wed, 15 Apr 2026 16:28:43 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=78.32.30.218 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1776270525; cv=none; b=G35JM+QmxvTGXK3eGkztQDgTi9FQRtUd/U1TjmAX6ZcO2yR7MDDZjQOFGfnUZ34EOfjAX7s7V/J8ejiQTXZGE5mdw1A6L6yr+OuFUmcYw6+Hp/DCzdZYzzrGz9PEHHFdO3xtznIXS49z/W5oaAtQlEbaFqAi9GBsiNeai/6Uma8= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1776270525; c=relaxed/simple; bh=aof32GZdYa8Oryjhe9ylzBwFzjJaPRLNrDRXmz9WUpI=; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version: Content-Type:Content-Disposition:In-Reply-To; b=htRdWMJoiaQfABLHpHP6X8Qy3htbmtPBlgB722rza13uuVdWDidzZbgYorPyulXaqjVgh1aCMHkPhQcc8wRGAoB8wXAeMoskt1Unmju1UrmZTtIfvSJG/25xMaXeHV+dQRzxojPuyPz3pEADbFjjH6HT+OYD4IgduweLal4bCM4= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=armlinux.org.uk; spf=none smtp.mailfrom=armlinux.org.uk; dkim=pass (2048-bit key) header.d=armlinux.org.uk header.i=@armlinux.org.uk header.b=nMR9rhZH; arc=none smtp.client-ip=78.32.30.218 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=armlinux.org.uk Authentication-Results: smtp.subspace.kernel.org; spf=none smtp.mailfrom=armlinux.org.uk Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=armlinux.org.uk header.i=@armlinux.org.uk header.b="nMR9rhZH" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=armlinux.org.uk; s=pandora-2019; h=Sender:In-Reply-To:Content-Type: MIME-Version:References:Message-ID:Subject:Cc:To:From:Date:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=xpnoSDDGsBCL+2BDd4JTT1XxKpjuL1ghLwvkFgcvTjA=; b=nMR9rhZHp02XU3aSVh1bIewT7H Xgo9Jdkgy1fEEb7SgxTiqMZO5/IOYh6iOuPqlHM7P0qcFq/Cz5ZxKt7zQ+rlZMaI2TBw2UgXBMHU5 HriC4AedygCY5+7VjHUYQUGcYOgcZXIRjZNYjCWAejcjmNe2GFDZZfIeUopiIIMIb9xmOjMtea/Cc IZyVMbecLSxdYh7dmwr7LDrDAJ6VDKEZ4GLZ2nIEA0nmHkUBCudEyk/VgNCDISD6yOKZAFxxa7Bjg ofArRRTshrucwsaKkGej5QQ6qcRl0a/6wOM8tgCs5b+wJSZ76Nvbz+8BuOD1D10HLy984fUXXb+0P RXVJsO5A==; Received: from shell.armlinux.org.uk ([fd8f:7570:feb6:1:5054:ff:fe00:4ec]:60524) by pandora.armlinux.org.uk with esmtpsa (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.98.2) (envelope-from ) id 1wD36N-000000002I9-1yPN; Wed, 15 Apr 2026 17:28:31 +0100 Received: from linux by shell.armlinux.org.uk with local (Exim 4.98.2) (envelope-from ) id 1wD36J-000000002LW-20lB; Wed, 15 Apr 2026 17:28:27 +0100 Date: Wed, 15 Apr 2026 17:28:27 +0100 From: "Russell King (Oracle)" To: Sam Edwards Cc: Andrew Lunn , "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , Maxime Coquelin , Alexandre Torgue , Maxime Chevallier , Ovidiu Panait , Vladimir Oltean , Baruch Siach , Serge Semin , Giuseppe Cavallaro , netdev@vger.kernel.org, linux-stm32@st-md-mailman.stormreply.com, linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org Subject: Re: [PATCH net v5] net: stmmac: Prevent NULL deref when RX memory exhausted Message-ID: References: <20260415023947.7627-1-CFSworks@gmail.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: Sender: Russell King (Oracle) On Wed, Apr 15, 2026 at 01:56:32PM +0100, Russell King (Oracle) wrote: > On Tue, Apr 14, 2026 at 07:39:47PM -0700, Sam Edwards wrote: > > The CPU receives frames from the MAC through conventional DMA: the CPU > > allocates buffers for the MAC, then the MAC fills them and returns > > ownership to the CPU. For each hardware RX queue, the CPU and MAC > > coordinate through a shared ring array of DMA descriptors: one > > descriptor per DMA buffer. Each descriptor includes the buffer's > > physical address and a status flag ("OWN") indicating which side owns > > the buffer: OWN=0 for CPU, OWN=1 for MAC. The CPU is only allowed to set > > the flag and the MAC is only allowed to clear it, and both must move > > through the ring in sequence: thus the ring is used for both > > "submissions" and "completions." > > > > In the stmmac driver, stmmac_rx() bookmarks its position in the ring > > with the `cur_rx` index. The main receive loop in that function checks > > for rx_descs[cur_rx].own=0, gives the corresponding buffer to the > > network stack (NULLing the pointer), and increments `cur_rx` modulo the > > ring size. After the loop exits, stmmac_rx_refill(), which bookmarks its > > position with `dirty_rx`, allocates fresh buffers and rearms the > > descriptors (setting OWN=1). If it fails any allocation, it simply stops > > early (leaving OWN=0) and will retry where it left off when next called. > > > > This means descriptors have a three-stage lifecycle (terms my own): > > - `empty` (OWN=1, buffer valid) > > - `full` (OWN=0, buffer valid and populated) > > - `dirty` (OWN=0, buffer NULL) > > > > But because stmmac_rx() only checks OWN, it confuses `full`/`dirty`. In > > the past (see 'Fixes:'), there was a bug where the loop could cycle > > `cur_rx` all the way back to the first descriptor it dirtied, resulting > > in a NULL dereference when mistaken for `full`. The aforementioned > > commit resolved that *specific* failure by capping the loop's iteration > > limit at `dma_rx_size - 1`, but this is only a partial fix: if the > > previous stmmac_rx_refill() didn't complete, then there are leftover > > `dirty` descriptors that the loop might encounter without needing to > > cycle fully around. The current code therefore panics (see 'Closes:') > > when stmmac_rx_refill() is memory-starved long enough for `cur_rx` to > > catch up to `dirty_rx`. > > > > Fix this by further tightening the clamp from `dma_rx_size - 1` to > > `dma_rx_size - stmmac_rx_dirty() - 1`, subtracting any remnant dirty > > entries and limiting the loop so that `cur_rx` cannot catch back up to > > `dirty_rx`. This carries no risk of arithmetic underflow: since the > > maximum possible return value of stmmac_rx_dirty() is `dma_rx_size - 1`, > > the worst the clamp can do is prevent the loop from running at all. > > > > Fixes: b6cb4541853c7 ("net: stmmac: avoid rx queue overrun") > > Closes: https://bugzilla.kernel.org/show_bug.cgi?id=221010 > > Cc: stable@vger.kernel.org > > Signed-off-by: Sam Edwards > > Locally, while debugging my issues, I used this to prevent cur_rx > catching up with dirty_rx: > > status = stmmac_rx_status(priv, &priv->xstats, p); > /* check if managed by the DMA otherwise go ahead */ > if (unlikely(status & dma_own)) > break; > > next_entry = STMMAC_NEXT_ENTRY(rx_q->cur_rx, > priv->dma_conf.dma_rx_size); > if (unlikely(next_entry == rx_q->dirty_rx)) > break; > > rx_q->cur_rx = next_entry; > > If we care about the cost of reloading rx_q->dirty_rx on every > iteration, then I'd suggest that the cost we already incur reading and > writing rx_q->cur_rx is something that should be addressed, and > eliminating that would counter the cost of reading rx_q->dirty_rx. I > suspect, however, that the cost is minimal, as cur_tx and dirty_rx are > likely in the same cache line. > > It looks like any fix to stmmac_rx() will also need a corresponding > fix for stmmac_rx_zc(). I have some further information, but a new curveball has just been chucked... and I've no idea what this will mean at this stage. Just take it that I won't be responding for a while. -- RMK's Patch system: https://www.armlinux.org.uk/developer/patches/ FTTP is here! 80Mbps down 10Mbps up. Decent connectivity at last!