* [PATCH net v2 0/2] octeon_ep_vf: fix napi_build_skb() NULL dereference
@ 2026-04-09 18:40 David Carlier
2026-04-09 18:40 ` [PATCH net v2 1/2] octeon_ep_vf: introduce octep_vf_oq_next_idx() helper David Carlier
2026-04-09 18:40 ` [PATCH net v2 2/2] octeon_ep_vf: add NULL check for napi_build_skb() David Carlier
0 siblings, 2 replies; 3+ messages in thread
From: David Carlier @ 2026-04-09 18:40 UTC (permalink / raw)
To: netdev
Cc: vburru, sedara, srasheed, sburla, andrew+netdev, davem, edumazet,
kuba, pabeni, horms, linux-kernel, stable, David Carlier
napi_build_skb() can return NULL on allocation failure. In
__octep_vf_oq_process_rx(), the result is used directly without a
NULL check in both the single-buffer and multi-fragment paths,
leading to a NULL pointer dereference.
Patch 1 introduces a helper to deduplicate the ring index advance
pattern, patch 2 adds the actual NULL checks.
---
v1 -> v2: split into refactor + fix per Simon Horman review.
v1: https://lore.kernel.org/netdev/Z-6w5kfCJoGhb30g@framework/
David Carlier (2):
octeon_ep_vf: introduce octep_vf_oq_next_idx() helper
octeon_ep_vf: add NULL check for napi_build_skb()
.../marvell/octeon_ep_vf/octep_vf_rx.c | 47 ++++++++++++++-----
1 file changed, 36 insertions(+), 11 deletions(-)
--
2.53.0
^ permalink raw reply [flat|nested] 3+ messages in thread
* [PATCH net v2 1/2] octeon_ep_vf: introduce octep_vf_oq_next_idx() helper
2026-04-09 18:40 [PATCH net v2 0/2] octeon_ep_vf: fix napi_build_skb() NULL dereference David Carlier
@ 2026-04-09 18:40 ` David Carlier
2026-04-09 18:40 ` [PATCH net v2 2/2] octeon_ep_vf: add NULL check for napi_build_skb() David Carlier
1 sibling, 0 replies; 3+ messages in thread
From: David Carlier @ 2026-04-09 18:40 UTC (permalink / raw)
To: netdev
Cc: vburru, sedara, srasheed, sburla, andrew+netdev, davem, edumazet,
kuba, pabeni, horms, linux-kernel, stable, David Carlier
Introduce octep_vf_oq_next_idx() to consolidate the repeated
ring index advance and wraparound pattern in __octep_vf_oq_process_rx().
No functional change intended.
Signed-off-by: David Carlier <devnexen@gmail.com>
---
.../ethernet/marvell/octeon_ep_vf/octep_vf_rx.c | 17 ++++++++---------
1 file changed, 8 insertions(+), 9 deletions(-)
diff --git a/drivers/net/ethernet/marvell/octeon_ep_vf/octep_vf_rx.c b/drivers/net/ethernet/marvell/octeon_ep_vf/octep_vf_rx.c
index b579d5b545c4..7bd1b9b8d7f5 100644
--- a/drivers/net/ethernet/marvell/octeon_ep_vf/octep_vf_rx.c
+++ b/drivers/net/ethernet/marvell/octeon_ep_vf/octep_vf_rx.c
@@ -352,6 +352,11 @@ static int octep_vf_oq_check_hw_for_pkts(struct octep_vf_device *oct,
return new_pkts;
}
+static inline u32 octep_vf_oq_next_idx(struct octep_vf_oq *oq, u32 idx)
+{
+ return (idx + 1 == oq->max_count) ? 0 : idx + 1;
+}
+
/**
* __octep_vf_oq_process_rx() - Process hardware Rx queue and push to stack.
*
@@ -415,10 +420,8 @@ static int __octep_vf_oq_process_rx(struct octep_vf_device *oct,
skb = napi_build_skb((void *)resp_hw, PAGE_SIZE);
skb_reserve(skb, data_offset);
skb_put(skb, buff_info->len);
- read_idx++;
desc_used++;
- if (read_idx == oq->max_count)
- read_idx = 0;
+ read_idx = octep_vf_oq_next_idx(oq, read_idx);
} else {
struct skb_shared_info *shinfo;
u16 data_len;
@@ -429,10 +432,8 @@ static int __octep_vf_oq_process_rx(struct octep_vf_device *oct,
* subsequent fragments contains only data.
*/
skb_put(skb, oq->max_single_buffer_size);
- read_idx++;
desc_used++;
- if (read_idx == oq->max_count)
- read_idx = 0;
+ read_idx = octep_vf_oq_next_idx(oq, read_idx);
shinfo = skb_shinfo(skb);
data_len = buff_info->len - oq->max_single_buffer_size;
@@ -454,10 +455,8 @@ static int __octep_vf_oq_process_rx(struct octep_vf_device *oct,
buff_info->len,
buff_info->len);
buff_info->page = NULL;
- read_idx++;
desc_used++;
- if (read_idx == oq->max_count)
- read_idx = 0;
+ read_idx = octep_vf_oq_next_idx(oq, read_idx);
}
}
--
2.53.0
^ permalink raw reply related [flat|nested] 3+ messages in thread
* [PATCH net v2 2/2] octeon_ep_vf: add NULL check for napi_build_skb()
2026-04-09 18:40 [PATCH net v2 0/2] octeon_ep_vf: fix napi_build_skb() NULL dereference David Carlier
2026-04-09 18:40 ` [PATCH net v2 1/2] octeon_ep_vf: introduce octep_vf_oq_next_idx() helper David Carlier
@ 2026-04-09 18:40 ` David Carlier
1 sibling, 0 replies; 3+ messages in thread
From: David Carlier @ 2026-04-09 18:40 UTC (permalink / raw)
To: netdev
Cc: vburru, sedara, srasheed, sburla, andrew+netdev, davem, edumazet,
kuba, pabeni, horms, linux-kernel, stable, David Carlier
napi_build_skb() can return NULL on allocation failure. In
__octep_vf_oq_process_rx(), the result is used directly without a NULL
check in both the single-buffer and multi-fragment paths, leading to a
NULL pointer dereference.
Add NULL checks after both napi_build_skb() calls, properly advancing
descriptors and consuming remaining fragments on failure.
Fixes: 1cd3b407977c ("octeon_ep_vf: add Tx/Rx processing and interrupt support")
Cc: stable@vger.kernel.org
Signed-off-by: David Carlier <devnexen@gmail.com>
---
.../marvell/octeon_ep_vf/octep_vf_rx.c | 30 +++++++++++++++++--
1 file changed, 28 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/marvell/octeon_ep_vf/octep_vf_rx.c b/drivers/net/ethernet/marvell/octeon_ep_vf/octep_vf_rx.c
index 7bd1b9b8d7f5..d98247408242 100644
--- a/drivers/net/ethernet/marvell/octeon_ep_vf/octep_vf_rx.c
+++ b/drivers/net/ethernet/marvell/octeon_ep_vf/octep_vf_rx.c
@@ -414,10 +414,15 @@ static int __octep_vf_oq_process_rx(struct octep_vf_device *oct,
data_offset = OCTEP_VF_OQ_RESP_HW_SIZE;
rx_ol_flags = 0;
}
- rx_bytes += buff_info->len;
-
if (buff_info->len <= oq->max_single_buffer_size) {
skb = napi_build_skb((void *)resp_hw, PAGE_SIZE);
+ if (!skb) {
+ oq->stats->alloc_failures++;
+ desc_used++;
+ read_idx = octep_vf_oq_next_idx(oq, read_idx);
+ continue;
+ }
+ rx_bytes += buff_info->len;
skb_reserve(skb, data_offset);
skb_put(skb, buff_info->len);
desc_used++;
@@ -427,6 +432,27 @@ static int __octep_vf_oq_process_rx(struct octep_vf_device *oct,
u16 data_len;
skb = napi_build_skb((void *)resp_hw, PAGE_SIZE);
+ if (!skb) {
+ oq->stats->alloc_failures++;
+ desc_used++;
+ read_idx = octep_vf_oq_next_idx(oq, read_idx);
+ data_len = buff_info->len - oq->max_single_buffer_size;
+ while (data_len) {
+ dma_unmap_page(oq->dev, oq->desc_ring[read_idx].buffer_ptr,
+ PAGE_SIZE, DMA_FROM_DEVICE);
+ buff_info = (struct octep_vf_rx_buffer *)
+ &oq->buff_info[read_idx];
+ buff_info->page = NULL;
+ if (data_len < oq->buffer_size)
+ data_len = 0;
+ else
+ data_len -= oq->buffer_size;
+ desc_used++;
+ read_idx = octep_vf_oq_next_idx(oq, read_idx);
+ }
+ continue;
+ }
+ rx_bytes += buff_info->len;
skb_reserve(skb, data_offset);
/* Head fragment includes response header(s);
* subsequent fragments contains only data.
--
2.53.0
^ permalink raw reply related [flat|nested] 3+ messages in thread
end of thread, other threads:[~2026-04-09 18:40 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-04-09 18:40 [PATCH net v2 0/2] octeon_ep_vf: fix napi_build_skb() NULL dereference David Carlier
2026-04-09 18:40 ` [PATCH net v2 1/2] octeon_ep_vf: introduce octep_vf_oq_next_idx() helper David Carlier
2026-04-09 18:40 ` [PATCH net v2 2/2] octeon_ep_vf: add NULL check for napi_build_skb() David Carlier
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox