The driver did not handle failure of `netdev_alloc_skb_ip_align()`.
If the allocation failed, dereferencing `skb->protocol` could lead to a
NULL pointer dereference.
This patch adds proper error handling by falling back to the `else` clause
when the allocation fails.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Tested-on: D-Link DGE-550T Rev-A3
Signed-off-by: Yeounsu Moon <yyyynoom@gmail.com>
---
drivers/net/ethernet/dlink/dl2k.c | 21 +++++++++++++--------
1 file changed, 13 insertions(+), 8 deletions(-)
diff --git a/drivers/net/ethernet/dlink/dl2k.c b/drivers/net/ethernet/dlink/dl2k.c
index faf8a9fc7ed1..a82e1fd01b92 100644
--- a/drivers/net/ethernet/dlink/dl2k.c
+++ b/drivers/net/ethernet/dlink/dl2k.c
@@ -965,14 +965,11 @@ receive_packet (struct net_device *dev)
struct sk_buff *skb;
/* Small skbuffs for short packets */
- if (pkt_len > copy_thresh) {
- dma_unmap_single(&np->pdev->dev,
- desc_to_dma(desc),
- np->rx_buf_sz,
- DMA_FROM_DEVICE);
- skb_put(skb = np->rx_skbuff[entry], pkt_len);
- np->rx_skbuff[entry] = NULL;
- } else if ((skb = netdev_alloc_skb_ip_align(dev, pkt_len))) {
+ if (pkt_len <= copy_thresh) {
+ skb = netdev_alloc_skb_ip_align(dev, pkt_len);
+ if (!skb)
+ goto reuse_skbuff;
+
dma_sync_single_for_cpu(&np->pdev->dev,
desc_to_dma(desc),
np->rx_buf_sz,
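Review bot: The added `goto reuse_skbuff;` jumps out of the `if (pkt_len <= copy_thresh)` body and into the body of the `else` branch that the next hunk adds. This is legal C, but it makes the receive path harder to audit and easy to break when either branch is edited later. The same fallback can be written without a label: initialise `skb` to NULL, attempt the allocation only for short packets, then choose the copy path or the unmap path on `if (skb)`. The body of receive_packet() begins and ends outside this hunk, and the copy between the two DMA syncs is not shown, so the sketch below leaves those stretches out.

```c
struct sk_buff *skb = NULL;

/* Small skbuffs for short packets */
if (pkt_len <= copy_thresh)
	skb = netdev_alloc_skb_ip_align(dev, pkt_len);

if (skb) {
	/* … unchanged: sync for CPU, copy into skb, sync for device … */
} else {
	/* … unchanged: dma_unmap_single, skb_put on np->rx_skbuff[entry], clear the slot … */
}
```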
@@ -985,6 +982,14 @@ receive_packet (struct net_device *dev)
desc_to_dma(desc),
np->rx_buf_sz,
DMA_FROM_DEVICE);
+ } else {
+reuse_skbuff:
+ dma_unmap_single(&np->pdev->dev,
+ desc_to_dma(desc),
+ np->rx_buf_sz,
+ DMA_FROM_DEVICE);
+ skb_put(skb = np->rx_skbuff[entry], pkt_len);
+ np->rx_skbuff[entry] = NULL;
}
skb->protocol = eth_type_trans (skb, dev);
#if 0
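Review bot: On the fallback path the slot `np->rx_skbuff[entry]` is cleared right after an allocation has failed, so the ring later needs a replacement buffer of `np->rx_buf_sz` bytes, a larger request than the `pkt_len` one that was just refused. The refill code is outside this hunk, so how it behaves when that allocation also fails cannot be confirmed from here. Dropping the frame and leaving the buffer in the ring may degrade more predictably under sustained memory pressure. If that route is taken, count the drop, e.g. `dev->stats.rx_dropped++;`, so the condition is visible in interface statistics instead of passing silently.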
--
2.51.0
> This patch adds proper error handling by falling back to the `else` clause
> when the allocation fails.
> + if (pkt_len <= copy_thresh) {
> + skb = netdev_alloc_skb_ip_align(dev, pkt_len);
> + if (!skb)
> + goto reuse_skbuff;
> +
> dma_sync_single_for_cpu(&np->pdev->dev,
> desc_to_dma(desc),
> np->rx_buf_sz,
> @@ -985,6 +982,14 @@ receive_packet (struct net_device *dev)
> desc_to_dma(desc),
> np->rx_buf_sz,
> DMA_FROM_DEVICE);
> + } else {
> +reuse_skbuff:
To me, the name is confusing. What Ethernet drivers usually mean with reuse of an skbuf, is that they will give it straight back to the hardware for use. If you can successfully do copy break, this makes sense, the frame is no longer in the skbuf, it is in a new skbuf, so the old skbuf can be recycled. But that is not what is going on here. Copy break fails, and you fall back to the normal path. The data is still in the skbuf, so you cannot reuse it. Andrew --- pw-bot: cr