From nobody Tue Dec  2 02:20:12 2025
Received: from mail.crpt.ru (mail.crpt.ru [91.236.205.1])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id BD2A234CFCB;
	Wed, 19 Nov 2025 10:53:41 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=91.236.205.1
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1763549626; cv=none;
 b=NuPv4UHnY7ygSpXZkd3Se+Sh+Gfj7W7uxuX9cJjUr+8QJRQ59T0Qs3TleydrtZnh9lvLUDo6GPG5oBtYLEIxVhevLxt1U69O5yHh0u4UkSKyTDNNReQbnq6uzKzpHZU77M8/VSFOIK2ThLkoXSsk8Jqw+5kCI46ZcJHoenIOiT0=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1763549626; c=relaxed/simple;
	bh=r8NQXmkDGFK45wMHuCWwoJWze6DIL4Jbz9p+2HOcp/o=;
	h=From:To:CC:Subject:Date:Message-ID:Content-Type:MIME-Version;
 b=Vn4y196lZmYUtAfXXowQfDF66gjFaThSESjAwPxrjFb6ApKfBmgucVt+bb8Vrc7EWigOxH+qfRc5c5kvtioTAG107E5K+ppSNKJsDfIHPowmGFScylK88TY5Cjh7L7LnPGA57GuNk8dazvYdMElepavL47mig/Qr+BhkFmYUy+s=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=quarantine dis=none) header.from=crpt.ru;
 spf=pass smtp.mailfrom=crpt.ru;
 dkim=pass (2048-bit key) header.d=crpt.ru header.i=@crpt.ru
 header.b=ejtmpWyK; arc=none smtp.client-ip=91.236.205.1
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=quarantine dis=none) header.from=crpt.ru
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=crpt.ru
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=crpt.ru header.i=@crpt.ru
 header.b="ejtmpWyK"
Received: from mail.crpt.ru ([192.168.60.3])
	by mail.crpt.ru  with ESMTPS id 5AJApD1P015814-5AJApD1R015814
	(version=TLSv1.2 cipher=AES256-SHA256 bits=256 verify=OK);
	Wed, 19 Nov 2025 13:51:13 +0300
Received: from EX2.crpt.local (192.168.60.4) by ex1.crpt.local (192.168.60.3)
 with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.44; Wed, 19 Nov
 2025 13:51:12 +0300
Received: from EX2.crpt.local ([192.168.60.4]) by EX2.crpt.local
 ([192.168.60.4]) with mapi id 15.01.2507.044; Wed, 19 Nov 2025 13:51:12 +0300
From: =?utf-8?B?0JLQsNGC0L7RgNC+0L/QuNC9INCQ0L3QtNGA0LXQuQ==?=
	<a.vatoropin@crpt.ru>
To: Ajit Khaparde <ajit.khaparde@broadcom.com>
CC: =?utf-8?B?0JLQsNGC0L7RgNC+0L/QuNC9INCQ0L3QtNGA0LXQuQ==?=
	<a.vatoropin@crpt.ru>, Sriharsha Basavapatna
	<sriharsha.basavapatna@broadcom.com>, Somnath Kotur
	<somnath.kotur@broadcom.com>, Andrew Lunn <andrew+netdev@lunn.ch>, "David S.
 Miller" <davem@davemloft.net>, Eric Dumazet <edumazet@google.com>, "Jakub
 Kicinski" <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>, Venkata Duvvuru
	<VenkatKumar.Duvvuru@Emulex.Com>, "netdev@vger.kernel.org"
	<netdev@vger.kernel.org>, "linux-kernel@vger.kernel.org"
	<linux-kernel@vger.kernel.org>, "lvc-project@linuxtesting.org"
	<lvc-project@linuxtesting.org>, "stable@vger.kernel.org"
	<stable@vger.kernel.org>
Subject: [PATCH net] be2net: pass wrb_params in case of OS2BMC
Thread-Topic: [PATCH net] be2net: pass wrb_params in case of OS2BMC
Thread-Index: AQHcWUJr/pH3Et6rekuGUHy0xRHHsg==
Date: Wed, 19 Nov 2025 10:51:12 +0000
Message-ID: <20251119105015.194501-1-a.vatoropin@crpt.ru>
Accept-Language: ru-RU, en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-kse-serverinfo: EX1.crpt.local, 9
x-kse-antivirus-interceptor-info: scan successful
x-kse-antivirus-info: Clean, bases: 11/18/2025 10:39:00 PM
x-kse-attachment-filter-triggered-rules: Clean
x-kse-attachment-filter-triggered-filters: Clean
x-kse-bulkmessagesfiltering-scan-result: protection disabled
Content-Type: text/plain; charset="utf-8"
Content-ID: <9AAC07FCABA36D47B99B9BEAA47F1486@crpt.ru>
Content-Transfer-Encoding: quoted-printable
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
X-FEAS-BEC-Info: 
 WlpIGw0aAQkEARIJHAEHBlJSCRoLAAEeDUhZUEhYSFhIWUhZXkguLVxYWC48UVlRWFhYWVxaSFlRSAlGHgkcBxoHGAEGKAsaGBxGGh1IWUhaXkgJAgEcRgMACRgJGgwNKAoaBwkMCwcFRgsHBUhYSFpIWVpIWVFaRlleUEZeWEZbSFBIWEhYSFFIWEhYSFhIWl5ICQIBHEYDAAkYCRoMDSgKGgcJDAsHBUYLBwVIWEhaWUgJBgwaDR9DBg0cDA0eKAQdBgZGCwBIWEhZUUgMCR4NBSgMCR4NBQQHDhxGBg0cSFhIWVFIDQwdBQkSDRwoDwcHDwQNRgsHBUhYSFldSAMdCgkoAw0aBg0ERgcaD0hYSFpQSAQBBh0QRQMNGgYNBCgeDw0aRgMNGgYNBEYHGg9IWEhaUEgEHgtFGBoHAg0LHCgEAQYdEBwNGxwBBg9GBxoPSFhIWV9IGAkKDQYBKBoNDAAJHEYLBwVIWEhbWEg+DQYDCRwjHQUJGkYsHR4eHRodKA0FHQQNEEYLBwVIWA==
X-FEAS-Client-IP: 192.168.60.3
X-FE-Policy-ID: 2:4:0:SYSTEM
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; d=crpt.ru; s=crpt.ru;
 c=relaxed/relaxed;
 h=from:to:cc:subject:date:message-id:content-type:mime-version;
 bh=r8NQXmkDGFK45wMHuCWwoJWze6DIL4Jbz9p+2HOcp/o=;
 b=ejtmpWyK3YYi/4wHcCWgLa/WMvB3Aa4S/mFVSwPGpDEs8p4I5jh3NuFzmSw+tRkd6N70ojzON4zE
	3vVfUx/un5npcgUV7lCWVFekeKkPrQjb9dGRNxGynrmgJM+7S3uKY70a4Hh2PZIPHA2xr3ToQ4Qs
	v/vfspGiXIo3PBgWrwhU9HsZdcbtvAOjRzzw2KiOlxzCVvBkTsj1OxjIzON8mq45Xa8rlWWifoIC
	zmnMF7gJowE45V8kB32cFuZEIuCBTmeVYfZXLubyfBwScAd7dZfTUxMVSqqXxdcefzY4kEyK/+Zb
	FFwZ4NY0AyGU3uyX+aVyKDm1lzawBaL3Y7wjlQ==

From: Andrey Vatoropin <a.vatoropin@crpt.ru>

be_insert_vlan_in_pkt() is called with the wrb_params argument being NULL
at be_send_pkt_to_bmc() call site.=C2=A0 This may lead to dereferencing a N=
ULL
pointer when processing a workaround for specific packet, as commit
bc0c3405abbb ("be2net: fix a Tx stall bug caused by a specific ipv6
packet") states.

The correct way would be to pass the wrb_params from be_xmit().

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: 760c295e0e8d ("be2net: Support for OS2BMC.")
Cc: stable@vger.kernel.org
Signed-off-by: Andrey Vatoropin <a.vatoropin@crpt.ru>
---
v2: - pass wrb_params from inside be_xmit()=C2=A0 (Jakub Kicinski)
v1: https://lore.kernel.org/netdev/20251112092051.851163-1-a.vatoropin@crpt=
.ru/
 drivers/net/ethernet/emulex/benet/be_main.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/drivers/net/ethernet/emulex/benet/be_main.c b/drivers/net/ethe=
rnet/emulex/benet/be_main.c
index cb004fd16252..5bb31c8fab39 100644
--- a/drivers/net/ethernet/emulex/benet/be_main.c
+++ b/drivers/net/ethernet/emulex/benet/be_main.c
@@ -1296,7 +1296,8 @@ static void be_xmit_flush(struct be_adapter *adapter,=
 struct be_tx_obj *txo)
 		(adapter->bmc_filt_mask & BMC_FILT_MULTICAST)
=20
 static bool be_send_pkt_to_bmc(struct be_adapter *adapter,
-			       struct sk_buff **skb)
+			       struct sk_buff **skb,
+			       struct be_wrb_params *wrb_params)
 {
 	struct ethhdr *eh =3D (struct ethhdr *)(*skb)->data;
 	bool os2bmc =3D false;
@@ -1360,7 +1361,7 @@ static bool be_send_pkt_to_bmc(struct be_adapter *ada=
pter,
 	 * to BMC, asic expects the vlan to be inline in the packet.
 	 */
 	if (os2bmc)
-		*skb =3D be_insert_vlan_in_pkt(adapter, *skb, NULL);
+		*skb =3D be_insert_vlan_in_pkt(adapter, *skb, wrb_params);
=20
 	return os2bmc;
 }
@@ -1387,7 +1388,7 @@ static netdev_tx_t be_xmit(struct sk_buff *skb, struc=
t net_device *netdev)
 	/* if os2bmc is enabled and if the pkt is destined to bmc,
 	 * enqueue the pkt a 2nd time with mgmt bit set.
 	 */
-	if (be_send_pkt_to_bmc(adapter, &skb)) {
+	if (be_send_pkt_to_bmc(adapter, &skb, &wrb_params)) {
 		BE_WRB_F_SET(wrb_params.features, OS2BMC, 1);
 		wrb_cnt =3D be_xmit_enqueue(adapter, txo, skb, &wrb_params);
 		if (unlikely(!wrb_cnt))
--=20
2.43.0