From: Sam Edwards
To: Andrew Lunn, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni
Cc: Maxime Coquelin, Alexandre Torgue, "Russell King (Oracle)", Maxime Chevallier, Ovidiu Panait, Vladimir Oltean, Baruch Siach, Serge Semin, Giuseppe Cavallaro, netdev@vger.kernel.org, linux-stm32@st-md-mailman.stormreply.com, linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org, Sam Edwards, stable@vger.kernel.org
Subject: [RESEND PATCH net v3 1/2] net: stmmac: Prevent NULL deref when RX memory exhausted
Date: Sat, 28 Mar 2026 12:25:02 -0700
Message-ID: <20260328192503.520689-2-CFSworks@gmail.com>
In-Reply-To: <20260328192503.520689-1-CFSworks@gmail.com>
References: <20260328192503.520689-1-CFSworks@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org

The CPU receives frames from the MAC through conventional DMA: the CPU allocates buffers for the MAC, then the MAC fills them and returns ownership to the CPU. For each hardware RX queue, the CPU and MAC coordinate through a shared ring array of DMA descriptors: one descriptor per DMA buffer. Each descriptor includes the buffer's physical address and a status flag ("OWN") indicating which side owns the buffer: OWN=0 for CPU, OWN=1 for MAC. The CPU is only allowed to set the flag and the MAC is only allowed to clear it, and both must move through the ring in sequence: thus the ring is used for both "submissions" and "completions."

In the stmmac driver, stmmac_rx() bookmarks its position in the ring with the `cur_rx` index. The main receive loop in that function checks for rx_descs[cur_rx].own=0, gives the corresponding buffer to the network stack (NULLing the pointer), and increments `cur_rx` modulo the ring size. After the loop exits, stmmac_rx_refill(), which bookmarks its position with `dirty_rx`, allocates fresh buffers and rearms the descriptors (setting OWN=1). If it fails any allocation, it simply stops early (leaving OWN=0) and will retry where it left off when next called.

This means descriptors have a three-stage lifecycle (terms my own):
- `empty` (OWN=1, buffer valid)
- `full` (OWN=0, buffer valid and populated)
- `dirty` (OWN=0, buffer NULL)

But because stmmac_rx() only checks OWN, it confuses `full`/`dirty`. In the past (see 'Fixes:'), there was a bug where the loop could cycle `cur_rx` all the way back to the first descriptor it dirtied, resulting in a NULL dereference when mistaken for `full`. The aforementioned commit resolved that *specific* failure by capping the loop's iteration limit at `dma_rx_size - 1`, but this is only a partial fix: if the previous stmmac_rx_refill() didn't complete, then there are leftover `dirty` descriptors that the loop might encounter without needing to cycle fully around. The current code therefore panics (see 'Closes:') when stmmac_rx_refill() is memory-starved long enough for `cur_rx` to catch up to `dirty_rx`.

Fix this by further tightening the clamp from `dma_rx_size - 1` to `dma_rx_size - stmmac_rx_dirty() - 1`, subtracting any remnant dirty entries and limiting the loop so that `cur_rx` cannot catch back up to `dirty_rx`. This carries no risk of arithmetic underflow: since the maximum possible return value of stmmac_rx_dirty() is `dma_rx_size - 1`, the worst the clamp can do is prevent the loop from running at all.

Fixes: b6cb4541853c7 ("net: stmmac: avoid rx queue overrun")
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=221010
Cc: stable@vger.kernel.org
Signed-off-by: Sam Edwards
---
 drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/ne= t/ethernet/stmicro/stmmac/stmmac_main.c index 6827c99bde8c..f98b070073c0 100644 --- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c 
@@ -5609,7 +5609,8 @@ static int stmmac_rx(struct stmmac_priv *priv, int li= mit, u32 queue) =20 dma_dir =3D page_pool_get_dma_dir(rx_q->page_pool); bufsz =3D DIV_ROUND_UP(priv->dma_conf.dma_buf_sz, PAGE_SIZE) * PAGE_SIZE; - limit =3D min(priv->dma_conf.dma_rx_size - 1, (unsigned int)limit); + limit =3D min(priv->dma_conf.dma_rx_size - stmmac_rx_dirty(priv, queue) -= 1, + (unsigned int)limit); =20 if (netif_msg_rx_status(priv)) { void *rx_head; --=20 2.52.0
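Review bot: The tightened clamp `dma_rx_size - stmmac_rx_dirty(priv, queue) - 1` in patch 1/2 is only safe while stmmac_rx_dirty() never exceeds `dma_rx_size - 1`, and that invariant is recorded in the commit message but not in the code. The other min() argument is cast to `unsigned int`, which suggests an unsigned comparison; if the invariant were ever broken, the subtraction would wrap to a large value and min() would quietly fall back to the caller's limit, bringing the overrun back. Suggest a short comment above the clamp stating the invariant and why the `- 1` is kept, so the reasoning does not live only in the changelog.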
From: Sam Edwards
To: Andrew Lunn, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni
Cc: Maxime Coquelin, Alexandre Torgue, "Russell King (Oracle)", Maxime Chevallier, Ovidiu Panait, Vladimir Oltean, Baruch Siach, Serge Semin, Giuseppe Cavallaro, netdev@vger.kernel.org, linux-stm32@st-md-mailman.stormreply.com, linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org, Sam Edwards, stable@vger.kernel.org
Subject: [RESEND PATCH net v3 2/2] net: stmmac: Prevent indefinite RX stall on buffer exhaustion
Date: Sat, 28 Mar 2026 12:25:03 -0700
Message-ID: <20260328192503.520689-3-CFSworks@gmail.com>
In-Reply-To: <20260328192503.520689-1-CFSworks@gmail.com>
References: <20260328192503.520689-1-CFSworks@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org

The stmmac driver handles interrupts in the usual NAPI way: an interrupt arrives, the NAPI instance is scheduled and interrupts are masked, and the actual work occurs in the NAPI polling function. Once no further work remains, interrupts are unmasked and the NAPI instance is put to sleep to await a future interrupt. In the receive case, the MAC only sends the interrupt when a DMA operation completes; thus the driver must make sure a usable RX DMA descriptor exists before expecting a future interrupt.

The main receive loop in stmmac_rx() exits under one of 3 conditions:

1) It encounters a DMA descriptor with OWN=1, indicating that no further pending data exists. The MAC will use this descriptor for the next RX DMA operation, so the driver can expect a future interrupt.
2) It exhausts the NAPI budget. In this case, the driver doesn't know whether the MAC has any usable DMA descriptors. But when the driver consumes its full budget, that signals NAPI to keep polling, so the question is moot.
3) It runs out of (non-dirty) descriptors in the RX ring. In this case, the MAC will only have a usable descriptor if stmmac_rx_refill() succeeds (at least partially).

Currently, stmmac_rx() lacks any check against scenario #3 and stmmac_rx_refill() failing: it will stop NAPI polling and unmask interrupts to await an interrupt that will never arrive, stalling the receive pipeline indefinitely.

Fix this by checking stmmac_rx_dirty(): it will return 0 if stmmac_rx_refill() fully succeeded and we can safely await an interrupt. Any nonzero value means some allocations failed, in which case we risk dropping frames if a large traffic burst exhausts the surviving non-dirties. Therefore, simply return the full budget (to keep polling) until all allocations succeed.

Fixes: 47dd7a540b8a ("net: add support for STMicroelectronics Ethernet controllers.")
Cc: stable@vger.kernel.org
Signed-off-by: Sam Edwards
---
 drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/ne= t/ethernet/stmicro/stmmac/stmmac_main.c index f98b070073c0..81f764352f3d 100644 --- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c @@ -5604,6 +5604,7 @@ static int stmmac_rx(struct stmmac_priv *priv, int li= mit, u32 queue) unsigned int desc_size; struct sk_buff *skb =3D NULL; struct stmmac_xdp_buff ctx; + int budget =3D limit; int xdp_status =3D 0; int bufsz; =20 @@ -5870,6 +5871,10 @@ static int stmmac_rx(struct stmmac_priv *priv, int l= imit, u32 queue) priv->xstats.rx_dropped +=3D rx_dropped; priv->xstats.rx_errors +=3D rx_errors; =20 + /* If stmmac_rx_refill() failed, keep trying until it doesn't. */ + if (unlikely(stmmac_rx_dirty(priv, queue) > 0)) + return budget; + return count; } =20 --=20 2.52.0
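Review bot: In the first hunk of patch 2/2, `int budget = limit;` is correct only because it is initialized at the declaration, before `limit` is overwritten by the min() clamp that patch 1/2 tightens, and nothing in the code says so. If a later cleanup moved the assignment below the clamp, the new `return budget;` would hand back the clamped value and NAPI could stop polling again. A brief comment on the declaration, noting that it holds the caller's unclamped NAPI budget, would protect against that.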
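Review bot: In the second hunk of patch 2/2, `return budget;` is taken whenever any descriptor is still dirty, so for as long as allocations keep failing every poll reports a full budget regardless of `count`, and the queue is repolled back to back with no backoff. Please state in the code comment or the commit message whether that continuous repolling under sustained memory pressure is the intended behaviour, and whether reporting `budget` instead of `count` matters to anything that accounts on the return value of stmmac_rx().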
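The ring bookkeeping described in the two commit messages above, as an added userspace C model (not code from the patches or from the stmmac driver). `RING`, `pool`, `rx_poll()`, `rx_refill()`, `starved_poll()` and the `allocs` and `patched` parameters are assumptions of this sketch; `patched` applies both changes together, and the scenario polls a ring whose refill allocations all fail.

```c
#include <stdbool.h>
#include <stdio.h>
#define RING 8 /* constructed ring size, stands in for dma_rx_size */
struct desc { bool own; void *buf; };   /* own=true: MAC owns the buffer */
struct ring { struct desc d[RING]; unsigned cur_rx, dirty_rx; };
static char pool[RING];                 /* constructed buffer storage */

/* Model of stmmac_rx_dirty(): descriptors consumed but not yet rearmed. */
static unsigned rx_dirty(const struct ring *r) { return (r->cur_rx + RING - r->dirty_rx) % RING; }

/* Rearm dirty descriptors; `allocs` is how many allocations succeed. */
static void rx_refill(struct ring *r, unsigned allocs)
{
    for (; allocs && rx_dirty(r); allocs--) {
        r->d[r->dirty_rx] = (struct desc){ true, &pool[r->dirty_rx] };
        r->dirty_rx = (r->dirty_rx + 1) % RING;
    }
}

/* One poll: NAPI's return value, or -1 where the driver would use a NULL buffer. */
static int rx_poll(struct ring *r, int budget, unsigned allocs, bool patched)
{
    int limit = RING - 1 - (patched ? (int)rx_dirty(r) : 0), count = 0;
    for (; count < limit && count < budget && !r->d[r->cur_rx].own; count++) {
        if (!r->d[r->cur_rx].buf)
            return -1;                  /* dirty mistaken for full */
        r->d[r->cur_rx].buf = NULL;     /* buffer handed to the stack */
        r->cur_rx = (r->cur_rx + 1) % RING;
    }
    rx_refill(r, allocs);
    return (patched && rx_dirty(r)) ? budget : count;
}

/* Every descriptor starts full; then poll while every allocation fails. */
static int starved_poll(bool patched, int polls)
{
    struct ring r = { .cur_rx = 0, .dirty_rx = 0 };
    int ret = 0;
    for (unsigned i = 0; i < RING; i++)
        r.d[i] = (struct desc){ false, &pool[i] };
    while (polls-- > 0 && ret >= 0)
        ret = rx_poll(&r, 4, 0, patched);
    return ret;
}

int main(void)
{
    printf("unpatched: %d, patched: %d\n", starved_poll(false, 3), starved_poll(true, 3));
    return 0;
}
```

With the old clamp the third starved poll wraps `cur_rx` onto `dirty_rx` and reaches a NULL buffer; with the tightened clamp the loop shrinks to zero iterations and the poll keeps reporting the full budget.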