From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from pandora.armlinux.org.uk (pandora.armlinux.org.uk [78.32.30.218]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id C76962DB798; Wed, 15 Apr 2026 12:56:48 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=78.32.30.218 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1776257810; cv=none; b=ndt+v5/IKaj95/XoJC9h4qhSv7uXuEK0PLfsXpAWEG/AHrF+1GsmikcZcpHJITrtTnfL7DDGImnIkgXT29CQEpNCIi+typ1tsrtSpLOii0odIlWC5ITFXSViv4DkinkqtSFPAZ+5Q7fmzF0uvDa+vi7XW6gRCgCGvgv2zi4j4gY= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1776257810; c=relaxed/simple; bh=eu56QO+aU75GkJi+3Jj4dxoptXqLCr4h1YHqsaoC9sg=; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version: Content-Type:Content-Disposition:In-Reply-To; b=JvXNqFVV3kbBuqF5ME4ySO+wZxI6Zej3nnRT0uecrIMcWxVZnAM9DHttDV+d6z3si7pPwSLN19j4aNJE12ho+23AY70re3NrVaHnj73NULJj2dF3MA3raT2WvMWPtxGXstPE+hIxyTqC+kfcPXjWqoJwDKFdpNn5XwTgR4+vewo= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=armlinux.org.uk; spf=none smtp.mailfrom=armlinux.org.uk; dkim=pass (2048-bit key) header.d=armlinux.org.uk header.i=@armlinux.org.uk header.b=dWBpN9W9; arc=none smtp.client-ip=78.32.30.218 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=armlinux.org.uk Authentication-Results: smtp.subspace.kernel.org; spf=none smtp.mailfrom=armlinux.org.uk Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=armlinux.org.uk header.i=@armlinux.org.uk header.b="dWBpN9W9" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=armlinux.org.uk; s=pandora-2019; h=Sender:In-Reply-To:Content-Type: MIME-Version:References:Message-ID:Subject:Cc:To:From:Date:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=H6Fvhuo4DkldsPVDo20mT9bIWk6orSSbm77N0GIMwrE=; b=dWBpN9W92CDVnlfI9sNMjT5Nup JZZr7ViAfsir0I9K6wpLBymyIbaZrNqLVEncxmeoyrEmefVQx7IhCxsxsA5RA+PPZr1Vp7/tPot+/ CNq1cS1u1XN7i74+5/oWt2v3wIU+JnvA96qNZqXevQeFrcHyl4X+VDDYaJ6cxAeVdrkAaMG+we0FV ZXvq2uOOkLEjwBqqYmrl312E3o6thrmT8yV4ABjwsdjOte3koAReDrFLyf/P3jaVST3w0zHAYJura UxsOuj4rT/nTFDH/FrtIOzQmiXFoDo/SIH3tF+ckt/9k2qQ2dP1q+zdfdHxatZQjI9zf6Lt/ekFr+ ZkJ1enaw==; Received: from shell.armlinux.org.uk ([fd8f:7570:feb6:1:5054:ff:fe00:4ec]:36538) by pandora.armlinux.org.uk with esmtpsa (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.98.2) (envelope-from ) id 1wCznH-00000000267-27zv; Wed, 15 Apr 2026 13:56:35 +0100 Received: from linux by shell.armlinux.org.uk with local (Exim 4.98.2) (envelope-from ) id 1wCznE-000000002ED-2SR5; Wed, 15 Apr 2026 13:56:32 +0100 Date: Wed, 15 Apr 2026 13:56:32 +0100 From: "Russell King (Oracle)" To: Sam Edwards Cc: Andrew Lunn , "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , Maxime Coquelin , Alexandre Torgue , Maxime Chevallier , Ovidiu Panait , Vladimir Oltean , Baruch Siach , Serge Semin , Giuseppe Cavallaro , netdev@vger.kernel.org, linux-stm32@st-md-mailman.stormreply.com, linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org Subject: Re: [PATCH net v5] net: stmmac: Prevent NULL deref when RX memory exhausted Message-ID: References: <20260415023947.7627-1-CFSworks@gmail.com> Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20260415023947.7627-1-CFSworks@gmail.com> Sender: Russell King (Oracle) On Tue, Apr 14, 2026 at 07:39:47PM -0700, Sam Edwards wrote: > The CPU receives frames from the MAC through conventional DMA: the CPU > allocates buffers for the MAC, then the MAC fills them and returns > ownership to the CPU. For each hardware RX queue, the CPU and MAC > coordinate through a shared ring array of DMA descriptors: one > descriptor per DMA buffer. Each descriptor includes the buffer's > physical address and a status flag ("OWN") indicating which side owns > the buffer: OWN=0 for CPU, OWN=1 for MAC. The CPU is only allowed to set > the flag and the MAC is only allowed to clear it, and both must move > through the ring in sequence: thus the ring is used for both > "submissions" and "completions." > > In the stmmac driver, stmmac_rx() bookmarks its position in the ring > with the `cur_rx` index. The main receive loop in that function checks > for rx_descs[cur_rx].own=0, gives the corresponding buffer to the > network stack (NULLing the pointer), and increments `cur_rx` modulo the > ring size. After the loop exits, stmmac_rx_refill(), which bookmarks its > position with `dirty_rx`, allocates fresh buffers and rearms the > descriptors (setting OWN=1). If it fails any allocation, it simply stops > early (leaving OWN=0) and will retry where it left off when next called. > > This means descriptors have a three-stage lifecycle (terms my own): > - `empty` (OWN=1, buffer valid) > - `full` (OWN=0, buffer valid and populated) > - `dirty` (OWN=0, buffer NULL) > > But because stmmac_rx() only checks OWN, it confuses `full`/`dirty`. In > the past (see 'Fixes:'), there was a bug where the loop could cycle > `cur_rx` all the way back to the first descriptor it dirtied, resulting > in a NULL dereference when mistaken for `full`. The aforementioned > commit resolved that *specific* failure by capping the loop's iteration > limit at `dma_rx_size - 1`, but this is only a partial fix: if the > previous stmmac_rx_refill() didn't complete, then there are leftover > `dirty` descriptors that the loop might encounter without needing to > cycle fully around. The current code therefore panics (see 'Closes:') > when stmmac_rx_refill() is memory-starved long enough for `cur_rx` to > catch up to `dirty_rx`. > > Fix this by further tightening the clamp from `dma_rx_size - 1` to > `dma_rx_size - stmmac_rx_dirty() - 1`, subtracting any remnant dirty > entries and limiting the loop so that `cur_rx` cannot catch back up to > `dirty_rx`. This carries no risk of arithmetic underflow: since the > maximum possible return value of stmmac_rx_dirty() is `dma_rx_size - 1`, > the worst the clamp can do is prevent the loop from running at all. > > Fixes: b6cb4541853c7 ("net: stmmac: avoid rx queue overrun") > Closes: https://bugzilla.kernel.org/show_bug.cgi?id=221010 > Cc: stable@vger.kernel.org > Signed-off-by: Sam Edwards Locally, while debugging my issues, I used this to prevent cur_rx catching up with dirty_rx: status = stmmac_rx_status(priv, &priv->xstats, p); /* check if managed by the DMA otherwise go ahead */ if (unlikely(status & dma_own)) break; next_entry = STMMAC_NEXT_ENTRY(rx_q->cur_rx, priv->dma_conf.dma_rx_size); if (unlikely(next_entry == rx_q->dirty_rx)) break; rx_q->cur_rx = next_entry; If we care about the cost of reloading rx_q->dirty_rx on every iteration, then I'd suggest that the cost we already incur reading and writing rx_q->cur_rx is something that should be addressed, and eliminating that would counter the cost of reading rx_q->dirty_rx. I suspect, however, that the cost is minimal, as cur_tx and dirty_rx are likely in the same cache line. It looks like any fix to stmmac_rx() will also need a corresponding fix for stmmac_rx_zc(). -- RMK's Patch system: https://www.armlinux.org.uk/developer/patches/ FTTP is here! 80Mbps down 10Mbps up. Decent connectivity at last!