* [PATCH net v2 0/2] net: spacemit: A few error handling fixes
@ 2026-03-05 6:39 Vivian Wang
2026-03-05 6:39 ` [PATCH net v2 1/2] net: spacemit: Fix error handling in emac_alloc_rx_desc_buffers() Vivian Wang
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: Vivian Wang @ 2026-03-05 6:39 UTC (permalink / raw)
To: Andrew Lunn, David S. Miller, Eric Dumazet, Jakub Kicinski,
Paolo Abeni, Yixun Lan, Maxime Chevallier, Vadim Fedorenko,
Troy Mitchell, Vivian Wang
Cc: netdev, linux-riscv, spacemit, linux-kernel
Recently a user reported a supposed UAF/double-free in this driver. It
turned out to be a false positive (ugh) from a bug with riscv's
kfence_protect_page() [1], but it did also prompt me to review the
driver code yet again. These are some fixes for error handling problems
that I've found.
[1]: https://lore.kernel.org/r/20260303-handle-kfence-protect-spurious-fault-v2-0-f80d8354d79d@iscas.ac.cn/
---
Changes in v2:
- Retarget to net (Andrew, Jakub)
- Drop what was patch 1 and patch 4 for now, since they are code cleanup
only and can't affect users (Andrew, Jakub)
- Reworded cover letter
- Link to v1: https://lore.kernel.org/r/20260303-k1-ethernet-more-fixes-v1-0-0ab0122fdd14@iscas.ac.cn
---
Vivian Wang (2):
net: spacemit: Fix error handling in emac_alloc_rx_desc_buffers()
net: spacemit: Fix error handling in emac_tx_mem_map()
drivers/net/ethernet/spacemit/k1_emac.c | 19 +++++++++++++------
1 file changed, 13 insertions(+), 6 deletions(-)
---
base-commit: 6de23f81a5e08be8fbf5e8d7e9febc72a5b5f27f
change-id: 20260303-k1-ethernet-more-fixes-1829c3717cfe
Best regards,
--
Vivian "dramforever" Wang
^ permalink raw reply [flat|nested] 4+ messages in thread
* [PATCH net v2 1/2] net: spacemit: Fix error handling in emac_alloc_rx_desc_buffers()
2026-03-05 6:39 [PATCH net v2 0/2] net: spacemit: A few error handling fixes Vivian Wang
@ 2026-03-05 6:39 ` Vivian Wang
2026-03-05 6:39 ` [PATCH net v2 2/2] net: spacemit: Fix error handling in emac_tx_mem_map() Vivian Wang
2026-03-07 3:10 ` [PATCH net v2 0/2] net: spacemit: A few error handling fixes patchwork-bot+netdevbpf
2 siblings, 0 replies; 4+ messages in thread
From: Vivian Wang @ 2026-03-05 6:39 UTC (permalink / raw)
To: Andrew Lunn, David S. Miller, Eric Dumazet, Jakub Kicinski,
Paolo Abeni, Yixun Lan, Maxime Chevallier, Vadim Fedorenko,
Troy Mitchell, Vivian Wang
Cc: netdev, linux-riscv, spacemit, linux-kernel
Even if we get a dma_mapping_error() while mapping an RX buffer, we
should still update rx_ring->head to ensure that the buffers we were
able to allocate and map are used. Fix this by breaking out to the
existing code after the loop, analogous to the existing handling for skb
allocation failure.
Fixes: bfec6d7f2001 ("net: spacemit: Add K1 Ethernet MAC")
Signed-off-by: Vivian Wang <wangruikang@iscas.ac.cn>
---
drivers/net/ethernet/spacemit/k1_emac.c | 8 +++-----
1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/drivers/net/ethernet/spacemit/k1_emac.c b/drivers/net/ethernet/spacemit/k1_emac.c
index 338a2637b1da..5a5cb61be08c 100644
--- a/drivers/net/ethernet/spacemit/k1_emac.c
+++ b/drivers/net/ethernet/spacemit/k1_emac.c
@@ -565,7 +565,9 @@ static void emac_alloc_rx_desc_buffers(struct emac_priv *priv)
DMA_FROM_DEVICE);
if (dma_mapping_error(&priv->pdev->dev, rx_buf->dma_addr)) {
dev_err_ratelimited(&ndev->dev, "Mapping skb failed\n");
- goto err_free_skb;
+ dev_kfree_skb_any(skb);
+ rx_buf->skb = NULL;
+ break;
}
rx_desc_addr = &((struct emac_desc *)rx_ring->desc_addr)[i];
@@ -590,10 +592,6 @@ static void emac_alloc_rx_desc_buffers(struct emac_priv *priv)
rx_ring->head = i;
return;
-
-err_free_skb:
- dev_kfree_skb_any(skb);
- rx_buf->skb = NULL;
}
/* Returns number of packets received */
--
2.53.0
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [PATCH net v2 2/2] net: spacemit: Fix error handling in emac_tx_mem_map()
2026-03-05 6:39 [PATCH net v2 0/2] net: spacemit: A few error handling fixes Vivian Wang
2026-03-05 6:39 ` [PATCH net v2 1/2] net: spacemit: Fix error handling in emac_alloc_rx_desc_buffers() Vivian Wang
@ 2026-03-05 6:39 ` Vivian Wang
2026-03-07 3:10 ` [PATCH net v2 0/2] net: spacemit: A few error handling fixes patchwork-bot+netdevbpf
2 siblings, 0 replies; 4+ messages in thread
From: Vivian Wang @ 2026-03-05 6:39 UTC (permalink / raw)
To: Andrew Lunn, David S. Miller, Eric Dumazet, Jakub Kicinski,
Paolo Abeni, Yixun Lan, Maxime Chevallier, Vadim Fedorenko,
Troy Mitchell, Vivian Wang
Cc: netdev, linux-riscv, spacemit, linux-kernel
The DMA mappings were leaked on mapping error. Free them with the
existing emac_free_tx_buf() function.
Fixes: bfec6d7f2001 ("net: spacemit: Add K1 Ethernet MAC")
Signed-off-by: Vivian Wang <wangruikang@iscas.ac.cn>
---
drivers/net/ethernet/spacemit/k1_emac.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/spacemit/k1_emac.c b/drivers/net/ethernet/spacemit/k1_emac.c
index 5a5cb61be08c..15d43e4a748b 100644
--- a/drivers/net/ethernet/spacemit/k1_emac.c
+++ b/drivers/net/ethernet/spacemit/k1_emac.c
@@ -733,7 +733,7 @@ static void emac_tx_mem_map(struct emac_priv *priv, struct sk_buff *skb)
struct emac_desc tx_desc, *tx_desc_addr;
struct device *dev = &priv->pdev->dev;
struct emac_tx_desc_buffer *tx_buf;
- u32 head, old_head, frag_num, f;
+ u32 head, old_head, frag_num, f, i;
bool buf_idx;
frag_num = skb_shinfo(skb)->nr_frags;
@@ -801,6 +801,15 @@ static void emac_tx_mem_map(struct emac_priv *priv, struct sk_buff *skb)
err_free_skb:
dev_dstats_tx_dropped(priv->ndev);
+
+ i = old_head;
+ while (i != head) {
+ emac_free_tx_buf(priv, i);
+
+ if (++i == tx_ring->total_cnt)
+ i = 0;
+ }
+
dev_kfree_skb_any(skb);
}
--
2.53.0
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH net v2 0/2] net: spacemit: A few error handling fixes
2026-03-05 6:39 [PATCH net v2 0/2] net: spacemit: A few error handling fixes Vivian Wang
2026-03-05 6:39 ` [PATCH net v2 1/2] net: spacemit: Fix error handling in emac_alloc_rx_desc_buffers() Vivian Wang
2026-03-05 6:39 ` [PATCH net v2 2/2] net: spacemit: Fix error handling in emac_tx_mem_map() Vivian Wang
@ 2026-03-07 3:10 ` patchwork-bot+netdevbpf
2 siblings, 0 replies; 4+ messages in thread
From: patchwork-bot+netdevbpf @ 2026-03-07 3:10 UTC (permalink / raw)
To: Vivian Wang
Cc: andrew+netdev, davem, edumazet, kuba, pabeni, dlan,
maxime.chevallier, vadim.fedorenko, troy.mitchell, netdev,
linux-riscv, spacemit, linux-kernel
Hello:
This series was applied to netdev/net.git (main)
by Jakub Kicinski <kuba@kernel.org>:
On Thu, 05 Mar 2026 14:39:37 +0800 you wrote:
> Recently a user reported a supposed UAF/double-free in this driver. It
> turned out to be a false positive (ugh) from a bug with riscv's
> kfence_protect_page() [1], but it did also prompt me to review the
> driver code yet again. These are some fixes for error handling problems
> that I've found.
>
> [1]: https://lore.kernel.org/r/20260303-handle-kfence-protect-spurious-fault-v2-0-f80d8354d79d@iscas.ac.cn/
>
> [...]
Here is the summary with links:
- [net,v2,1/2] net: spacemit: Fix error handling in emac_alloc_rx_desc_buffers()
https://git.kernel.org/netdev/net/c/3aa1417803c1
- [net,v2,2/2] net: spacemit: Fix error handling in emac_tx_mem_map()
https://git.kernel.org/netdev/net/c/86292155bea5
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2026-03-07 3:10 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-03-05 6:39 [PATCH net v2 0/2] net: spacemit: A few error handling fixes Vivian Wang
2026-03-05 6:39 ` [PATCH net v2 1/2] net: spacemit: Fix error handling in emac_alloc_rx_desc_buffers() Vivian Wang
2026-03-05 6:39 ` [PATCH net v2 2/2] net: spacemit: Fix error handling in emac_tx_mem_map() Vivian Wang
2026-03-07 3:10 ` [PATCH net v2 0/2] net: spacemit: A few error handling fixes patchwork-bot+netdevbpf
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox