* [PATCH] liquidio: avoid NULL pointer dereference in lio_vf_rep_copy_packet()
@ 2022-11-28 10:26 Aleksandr Burakov
2022-11-30 5:23 ` Jakub Kicinski
0 siblings, 1 reply; 2+ messages in thread
From: Aleksandr Burakov @ 2022-11-28 10:26 UTC (permalink / raw)
To: Derek Chickles, Satanand Burla, Felix Manlunas
Cc: Aleksandr Burakov, David S. Miller, Eric Dumazet, netdev,
linux-kernel, lvc-project
lio_vf_rep_copy_packet() passes pg_info->page to skb_add_rx_frag()
that dereferences it without any check. So, it does not make sense
to call skb_add_rx_frag() when pg_info->page is NULL to avoid an segfault.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Signed-off-by: Aleksandr Burakov <a.burakov@rosalinux.ru>
Fixes: 1f233f327913 ("liquidio: switchdev support for LiquidIO NIC")
---
drivers/net/ethernet/cavium/liquidio/lio_vf_rep.c | 11 +++++------
1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/drivers/net/ethernet/cavium/liquidio/lio_vf_rep.c b/drivers/net/ethernet/cavium/liquidio/lio_vf_rep.c
index 600de587d7a9..e70b9ccca380 100644
--- a/drivers/net/ethernet/cavium/liquidio/lio_vf_rep.c
+++ b/drivers/net/ethernet/cavium/liquidio/lio_vf_rep.c
@@ -272,13 +272,12 @@ lio_vf_rep_copy_packet(struct octeon_device *oct,
pg_info->page_offset;
memcpy(skb->data, va, MIN_SKB_SIZE);
skb_put(skb, MIN_SKB_SIZE);
+ skb_add_rx_frag(skb, skb_shinfo(skb)->nr_frags,
+ pg_info->page,
+ pg_info->page_offset + MIN_SKB_SIZE,
+ len - MIN_SKB_SIZE,
+ LIO_RXBUFFER_SZ);
}
-
- skb_add_rx_frag(skb, skb_shinfo(skb)->nr_frags,
- pg_info->page,
- pg_info->page_offset + MIN_SKB_SIZE,
- len - MIN_SKB_SIZE,
- LIO_RXBUFFER_SZ);
} else {
struct octeon_skb_page_info *pg_info =
((struct octeon_skb_page_info *)(skb->cb));
--
2.25.1
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH] liquidio: avoid NULL pointer dereference in lio_vf_rep_copy_packet()
2022-11-28 10:26 [PATCH] liquidio: avoid NULL pointer dereference in lio_vf_rep_copy_packet() Aleksandr Burakov
@ 2022-11-30 5:23 ` Jakub Kicinski
0 siblings, 0 replies; 2+ messages in thread
From: Jakub Kicinski @ 2022-11-30 5:23 UTC (permalink / raw)
To: Aleksandr Burakov, Derek Chickles, Satanand Burla, Felix Manlunas
Cc: David S. Miller, Eric Dumazet, netdev, linux-kernel, lvc-project
On Mon, 28 Nov 2022 13:26:59 +0300 Aleksandr Burakov wrote:
> --- a/drivers/net/ethernet/cavium/liquidio/lio_vf_rep.c
> +++ b/drivers/net/ethernet/cavium/liquidio/lio_vf_rep.c
> @@ -272,13 +272,12 @@ lio_vf_rep_copy_packet(struct octeon_device *oct,
> pg_info->page_offset;
> memcpy(skb->data, va, MIN_SKB_SIZE);
> skb_put(skb, MIN_SKB_SIZE);
> + skb_add_rx_frag(skb, skb_shinfo(skb)->nr_frags,
> + pg_info->page,
> + pg_info->page_offset + MIN_SKB_SIZE,
> + len - MIN_SKB_SIZE,
> + LIO_RXBUFFER_SZ);
> }
> -
> - skb_add_rx_frag(skb, skb_shinfo(skb)->nr_frags,
> - pg_info->page,
> - pg_info->page_offset + MIN_SKB_SIZE,
> - len - MIN_SKB_SIZE,
> - LIO_RXBUFFER_SZ);
> } else {
> struct octeon_skb_page_info *pg_info =
> ((struct octeon_skb_page_info *)(skb->cb));
The else branch also looks at pg_info and derefs page like there's
no tomorrow. You need to put a bit more effort into the analysis.
Marvell people please chime in and tell us what the intention is here.
Whether page can be NULL here or this is defensive programming and can
be dropped.
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2022-11-30 5:23 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2022-11-28 10:26 [PATCH] liquidio: avoid NULL pointer dereference in lio_vf_rep_copy_packet() Aleksandr Burakov
2022-11-30 5:23 ` Jakub Kicinski
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).