From: Daniil Maximov
To: Egor Pomozov
Cc: Daniil Maximov, Igor Russkikh, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Richard Cochran, Alexei Starovoitov, Daniel Borkmann, Jesper Dangaard Brouer, John Fastabend, Taehee Yoo, Alexey Khoroshilov, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, bpf@vger.kernel.org, lvc-project@linuxtesting.org
Subject: [PATCH] net: atlantic: Fix NULL dereference of skb pointer in
Date: Mon, 4 Dec 2023 11:58:10 +0300
Message-Id: <20231204085810.1681386-1-daniil31415it@gmail.com>
X-Mailer: git-send-email 2.25.1
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Type: text/plain; charset="utf-8"

If is_ptp_ring == true in the loop of __aq_ring_xdp_clean function, then
a timestamp is stored from a packet in a field of skb object, which is not
allocated at the moment of the call (skb == NULL).

Generalize aq_ptp_extract_ts and other affected functions so they don't
work with struct sk_buff*, but with struct skb_shared_hwtstamps*.

Found by Linux Verification Center (linuxtesting.org) with SVACE

Fixes: 26efaef759a1 ("net: atlantic: Implement xdp data plane")
Signed-off-by: Daniil Maximov
Reviewed-by: Igor Russkikh
--- .../net/ethernet/aquantia/atlantic/aq_ptp.c | 10 +++++----- .../net/ethernet/aquantia/atlantic/aq_ptp.h | 4 ++-- .../net/ethernet/aquantia/atlantic/aq_ring.c | 18 ++++++++++++------ 3 files changed, 19 insertions(+), 13 deletions(-) diff --git a/drivers/net/ethernet/aquantia/atlantic/aq_ptp.c b/drivers/net/= ethernet/aquantia/atlantic/aq_ptp.c index 80b44043e6c5..28c9b6f1a54f 100644 --- a/drivers/net/ethernet/aquantia/atlantic/aq_ptp.c +++ b/drivers/net/ethernet/aquantia/atlantic/aq_ptp.c 
@@ -553,17 +553,17 @@ void aq_ptp_tx_hwtstamp(struct aq_nic_s *aq_nic, u64 = timestamp) =20 /* aq_ptp_rx_hwtstamp - utility function which checks for RX time stamp * @adapter: pointer to adapter struct - * @skb: particular skb to send timestamp with + * @shhwtstamps: particular skb_shared_hwtstamps to save timestamp * * if the timestamp is valid, we convert it into the timecounter ns * value, then store that result into the hwtstamps structure which * is passed up the network stack */ -static void aq_ptp_rx_hwtstamp(struct aq_ptp_s *aq_ptp, struct sk_buff *sk= b, +static void aq_ptp_rx_hwtstamp(struct aq_ptp_s *aq_ptp, struct skb_shared_= hwtstamps *shhwtstamps, u64 timestamp) { timestamp -=3D atomic_read(&aq_ptp->offset_ingress); - aq_ptp_convert_to_hwtstamp(aq_ptp, skb_hwtstamps(skb), timestamp); + aq_ptp_convert_to_hwtstamp(aq_ptp, shhwtstamps, timestamp); } =20 void aq_ptp_hwtstamp_config_get(struct aq_ptp_s *aq_ptp, @@ -639,7 +639,7 @@ bool aq_ptp_ring(struct aq_nic_s *aq_nic, struct aq_rin= g_s *ring) &aq_ptp->ptp_rx =3D=3D ring || &aq_ptp->hwts_rx =3D=3D ring; } =20 -u16 aq_ptp_extract_ts(struct aq_nic_s *aq_nic, struct sk_buff *skb, u8 *p, +u16 aq_ptp_extract_ts(struct aq_nic_s *aq_nic, struct skb_shared_hwtstamps= *shhwtstamps, u8 *p, unsigned int len) { struct aq_ptp_s *aq_ptp =3D aq_nic->aq_ptp; @@ -648,7 +648,7 @@ u16 aq_ptp_extract_ts(struct aq_nic_s *aq_nic, struct s= k_buff *skb, u8 *p, p, len, ×tamp); =20 if (ret > 0) - aq_ptp_rx_hwtstamp(aq_ptp, skb, timestamp); + aq_ptp_rx_hwtstamp(aq_ptp, shhwtstamps, timestamp); =20 return ret; } diff --git a/drivers/net/ethernet/aquantia/atlantic/aq_ptp.h b/drivers/net/= ethernet/aquantia/atlantic/aq_ptp.h index 28ccb7ca2df9..210b723f2207 100644 --- a/drivers/net/ethernet/aquantia/atlantic/aq_ptp.h +++ b/drivers/net/ethernet/aquantia/atlantic/aq_ptp.h 
@@ -67,7 +67,7 @@ int aq_ptp_hwtstamp_config_set(struct aq_ptp_s *aq_ptp, /* Return either ring is belong to PTP or not*/ bool aq_ptp_ring(struct aq_nic_s *aq_nic, struct aq_ring_s *ring); =20 -u16 aq_ptp_extract_ts(struct aq_nic_s *aq_nic, struct sk_buff *skb, u8 *p, +u16 aq_ptp_extract_ts(struct aq_nic_s *aq_nic, struct skb_shared_hwtstamps= *shhwtstamps, u8 *p, unsigned int len); =20 struct ptp_clock *aq_ptp_get_ptp_clock(struct aq_ptp_s *aq_ptp); @@ -143,7 +143,7 @@ static inline bool aq_ptp_ring(struct aq_nic_s *aq_nic,= struct aq_ring_s *ring) } =20 static inline u16 aq_ptp_extract_ts(struct aq_nic_s *aq_nic, - struct sk_buff *skb, u8 *p, + struct skb_shared_hwtstamps *shhwtstamps, u8 *p, unsigned int len) { return 0; diff --git a/drivers/net/ethernet/aquantia/atlantic/aq_ring.c b/drivers/net= /ethernet/aquantia/atlantic/aq_ring.c index 4de22eed099a..694daeaf3e61 100644 --- a/drivers/net/ethernet/aquantia/atlantic/aq_ring.c +++ b/drivers/net/ethernet/aquantia/atlantic/aq_ring.c @@ -647,7 +647,7 @@ static int __aq_ring_rx_clean(struct aq_ring_s *self, s= truct napi_struct *napi, } if (is_ptp_ring) buff->len -=3D - aq_ptp_extract_ts(self->aq_nic, skb, + aq_ptp_extract_ts(self->aq_nic, skb_hwtstamps(skb), aq_buf_vaddr(&buff->rxdata), buff->len); =20 @@ -742,6 +742,8 @@ static int __aq_ring_xdp_clean(struct aq_ring_s *rx_rin= g, struct aq_ring_buff_s *buff =3D &rx_ring->buff_ring[rx_ring->sw_head]; bool is_ptp_ring =3D aq_ptp_ring(rx_ring->aq_nic, rx_ring); struct aq_ring_buff_s *buff_ =3D NULL; + u16 ptp_hwtstamp_len =3D 0; + struct skb_shared_hwtstamps shhwtstamps; struct sk_buff *skb =3D NULL; unsigned int next_ =3D 0U; struct xdp_buff xdp; 
@@ -810,11 +812,12 @@ static int __aq_ring_xdp_clean(struct aq_ring_s *rx_r= ing, hard_start =3D page_address(buff->rxdata.page) + buff->rxdata.pg_off - rx_ring->page_offset; =20 - if (is_ptp_ring) - buff->len -=3D - aq_ptp_extract_ts(rx_ring->aq_nic, skb, - aq_buf_vaddr(&buff->rxdata), - buff->len); + if (is_ptp_ring) { + ptp_hwtstamp_len =3D aq_ptp_extract_ts(rx_ring->aq_nic, &shhwtstamps, + aq_buf_vaddr(&buff->rxdata), + buff->len); + buff->len -=3D ptp_hwtstamp_len; + } =20 xdp_init_buff(&xdp, frame_sz, &rx_ring->xdp_rxq); xdp_prepare_buff(&xdp, hard_start, rx_ring->page_offset, @@ -834,6 +837,9 @@ static int __aq_ring_xdp_clean(struct aq_ring_s *rx_rin= g, if (IS_ERR(skb) || !skb) continue; =20 + if (ptp_hwtstamp_len > 0) + *skb_hwtstamps(skb) =3D shhwtstamps; + if (buff->is_vlan) __vlan_hwaccel_put_tag(skb, htons(ETH_P_8021Q), buff->vlan_rx_tag); --=20 2.25.1
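
Review bot: In the kernel-doc for aq_ptp_rx_hwtstamp (aq_ptp.c, first hunk), the comment still lists @adapter although the first parameter is named aq_ptp, and @timestamp is not documented at all. Since the patch already rewrites the @skb line, update the block so its tags match the three parameters (aq_ptp, shhwtstamps, timestamp). The new @shhwtstamps text could also say that the structure is supplied by the caller and need not belong to an skb, which is the reason for the change.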
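
Review bot: The new prototype of aq_ptp_extract_ts in aq_ptp.c (hunk at -639) puts struct skb_shared_hwtstamps *shhwtstamps on the same line as the first parameter, which takes the line well past 80 columns; the same happens in aq_ptp_rx_hwtstamp above it and in the aq_ptp.h declaration. Move the new parameter to its own continuation line so these prototypes match the wrapping used by the surrounding code.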
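
Review bot: In __aq_ring_xdp_clean (aq_ring.c, hunk at -742), shhwtstamps is declared on the stack without an initializer and is later copied whole into the skb, so correctness rests on aq_ptp_convert_to_hwtstamp filling every field whenever aq_ptp_extract_ts returns a positive length, which cannot be confirmed from the lines shown here. Either zero-initialize it at the declaration or state that guarantee in a comment, so that a later change to the helper cannot copy uninitialized stack bytes into skb_hwtstamps(skb). The two new declarations also break the longest-line-first ordering that netdev asks for in local variable blocks: u16 ptp_hwtstamp_len = 0; sits above the longer struct skb_shared_hwtstamps shhwtstamps; line.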
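
Review bot: The deferred copy in the last aq_ring.c hunk (at -834) has no comment, and nothing near it says why the timestamp is staged in a local instead of being written where it is extracted. A one-line comment above if (ptp_hwtstamp_len > 0) noting that the skb is not yet allocated at the point where aq_ptp_extract_ts is called would keep a later cleanup from folding the store back into the extraction call and reintroducing the NULL dereference.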