From nobody Sun Jun 14 18:55:54 2026 Received: from mail-wm1-f42.google.com (mail-wm1-f42.google.com [209.85.128.42]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id D4846369967 for ; Sun, 5 Apr 2026 05:52:47 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.42 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1775368369; cv=none; b=BxbKLSwd3AMTbQHxKdkXvpShlIzBLGko7eI4lVKO3F7mY8zdu0p/VCyLNPPNlstn5kUxtxT6rur+pO9WRzqWV/Itz8Gj0tP2TqBGn6/9V7o77KXWl8E48YBXmc1HiNDs4YmyCThpL+4sOFF4Li3aYdN8ytnH0FFTQftleaVDxcY= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1775368369; c=relaxed/simple; bh=0tTTbC/ebQuK84WVTeLENCfRkHSaH8uFUAbuP1W5FdY=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=fqflyov/W791DYmOKdVp2pP0OkJHWcVMSJLD7TVW9Z/11VS2+LRfuYbTCxRyGPM4pFLR+Cgv5mZh6IQGqvGi2/oazMzj5Zv8F6A2N0HNTF4Tp5aAS7ndd+OwG9JBUEAgtT7WKfzzdrmbUGP1CpusgF0qyKgjBHGf6Jo5l0GGask= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=GZ/KsOGd; arc=none smtp.client-ip=209.85.128.42 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="GZ/KsOGd" Received: by mail-wm1-f42.google.com with SMTP id 5b1f17b1804b1-486fc4725f0so30316995e9.1 for ; Sat, 04 Apr 2026 22:52:47 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1775368366; x=1775973166; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=e7nMVD+VOcNWUuhtqvwltUnQm85Jrmb6cAMzCcy5HCI=; b=GZ/KsOGd41hD4c3HUTOhAwJATP8z7SYWev84NsPtekiKicIwETvw4yv3KjqijLEH5t MTH6+iViXXozluCaWxBqF/H0Iimx0EDH7S9wSYFvvDNJ9zWBduxkKOq4+KaE42IZsNTN wiU7aMAQDQB+KUIaAFljXeX1fnX4PHnsyZcQ/9IUE2br5gtidcNJkQiQxuahDTEavybS cGU5jW+CHi8mfcVpfT5WxaGZyVO787I6T8QOqCRWkcrMIUIGQ3qFD3vUo1bcklNNRhNY wWdv6ukY+0XJxgyglEpY/6X4oiBnFGpOq6nQCtzoVNzJT+nJjYaY3wiv9Smc593xVcQk qGMA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1775368366; x=1775973166; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=e7nMVD+VOcNWUuhtqvwltUnQm85Jrmb6cAMzCcy5HCI=; b=fUZ3pomJ8gRlJ9qvlvcnxL9PJldln0a520/e0Z6mCS2p/0PyJ6jqk2i3xf0Vg4TxYD xHgtZH4Qn/vlsDP0c8kkTa9xcr/fwqrGcTGVLMAx0Kr9pwRHpoAEoDw85oiCk8R2f1mo Fo7HU3SvDU5EACtbjF6YpUu58fSXsHwDnHv3oxEiBPsdplQesUw4vCOfg3oHjDjMleLg 3Par+WqsZq0oR0oqJYz33TTn7ez1ONJMqBriunE2QcKuZk7XlvKqOlZyijTA+/pXjv6f 57H26H+LwGGxvsi38Kn3PCTWBdbiegc8PWJVG8zO1AG4fKUOcqUr8V7U3S5trymuEE1l 2+NQ== X-Forwarded-Encrypted: i=1; AJvYcCUndWP15/Po/VcP0d0KPtx6utsb7UUy7z+IYCZbKNhkLqC+mDI2Dt7shQYlUYMjTgOP/ydY9P3cSm5Ea4o=@vger.kernel.org X-Gm-Message-State: AOJu0YxWFBSYcadp7xTPW3DBiN/qcK9v6OzbU1ror5o89sPpCQwg8jr9 OcVHuatRBGfwb8Uk+5sf2F82/ezEGpM/Xb1KVFPHS3DdZzanWpQn8Qif X-Gm-Gg: AeBDievLc+A/8q+Z+upH43gP5sGIsjM5PvCBKTWAZ92Hq584KRGyvdB5ub7ngKg54pX 6qF0+jFOqko2mPCNur1lkelO+NYbgtEp1OwHlrz92qGrAl655aSoBT/HZYiNECVZDpH2JaB3Flm /GIcizmNzgJHCKod9xpfapHoru3Y4ebvjfjYZ5IzPjYggVJVxLQ3Y66hhTAFGtHMeEo+HcLbFff fG5G5RBC4UmbqtXs2PIoGgIn6n9TDXL7TwX230PxvSRatImdWjMc1FBqR5A0EdHXxdxHO7GL07W v+dd54kTFMlpxAp9P3iWad1iI4Fbg14am3EltYAY4xoGTI6pg24mQpggvn2HmcjoWWHrNxPCX16 sHUQ94RxYD1f7JEjyo4jvlBTsqq2ES0304vNt4rRMIPWin2QQqCjrRQ8Gynryv0oCGh70FR11X0 lPo6sFOLgjn+CvAGUQ4lIWKe1F0ugqNd8SbLFdvvs1IAv0Q4Mb8rxbIzgD7xhQ3uX208WzE9BGq nWtdFXJPc3X X-Received: by 2002:a05:600c:4f87:b0:486:faa8:9e4 with SMTP id 5b1f17b1804b1-488994a77b1mr117703095e9.12.1775368366063; Sat, 04 Apr 2026 22:52:46 -0700 (PDT) Received: from dohko.chello.ie (188-141-5-72.dynamic.upc.ie. [188.141.5.72]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-48899e960a7sm55847465e9.27.2026.04.04.22.52.44 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 04 Apr 2026 22:52:45 -0700 (PDT) From: David Carlier To: horatiu.vultur@microchip.com, UNGLinuxDriver@microchip.com, andrew+netdev@lunn.ch, davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, netdev@vger.kernel.org, linux-kernel@vger.kernel.org Cc: stable@vger.kernel.org, David Carlier Subject: [PATCH net v3 v3 1/3] net: lan966x: fix page_pool error handling in lan966x_fdma_rx_alloc_page_pool() Date: Sun, 5 Apr 2026 06:52:39 +0100 Message-ID: <20260405055241.35767-2-devnexen@gmail.com> X-Mailer: git-send-email 2.53.0 In-Reply-To: <20260405055241.35767-1-devnexen@gmail.com> References: <20260405055241.35767-1-devnexen@gmail.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" page_pool_create() can return an ERR_PTR on failure. The return value is used unconditionally in the loop that follows, passing the error pointer through xdp_rxq_info_reg_mem_model() into page_pool_use_xdp_mem(), which dereferences it, causing a kernel oops. Add an IS_ERR check after page_pool_create() to return early on failure. Fixes: 11871aba1974 ("net: lan96x: Use page_pool API") Cc: stable@vger.kernel.org Signed-off-by: David Carlier --- drivers/net/ethernet/microchip/lan966x/lan966x_fdma.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/net/ethernet/microchip/lan966x/lan966x_fdma.c b/driver= s/net/ethernet/microchip/lan966x/lan966x_fdma.c index 7b6369e43451..74851c63e46a 100644 --- a/drivers/net/ethernet/microchip/lan966x/lan966x_fdma.c +++ b/drivers/net/ethernet/microchip/lan966x/lan966x_fdma.c @@ -91,6 +91,8 @@ static int lan966x_fdma_rx_alloc_page_pool(struct lan966x= _rx *rx) pp_params.dma_dir =3D DMA_BIDIRECTIONAL; =20 rx->page_pool =3D page_pool_create(&pp_params); + if (unlikely(IS_ERR(rx->page_pool))) + return PTR_ERR(rx->page_pool); =20 for (int i =3D 0; i < lan966x->num_phys_ports; ++i) { struct lan966x_port *port; --=20 2.53.0 From nobody Sun Jun 14 18:55:54 2026 Received: from mail-wm1-f41.google.com (mail-wm1-f41.google.com [209.85.128.41]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 7822A36B044 for ; Sun, 5 Apr 2026 05:52:50 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.41 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1775368373; cv=none; b=Asntb6UOcRJtQVFIsHR4AAyBu2DJsz2xOvxlC1QfBfcE2q1WTskCar3WK/GebI/oawYe02adEEIzb6eqxJn7ruePGfzbEiVyM2OjUQOWMHhuHpO6NgdnQbIQa0tLpVhVpMN++ud1Jku/L0SOg0ofKQPUxAcJESE1uw4tzun+9MI= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1775368373; c=relaxed/simple; bh=AcbCMRscvnlSYNTKITNZryCi2V7a4cYUyJMEAvQd/Ec=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=fh1aKthj3a+mIXldjIBph1bWzZg9OopGDmGnsXHl/Ui7+KtxXuE13pjo8MC7JsHTUVP/CSvfXIuFEsS/pvEnwIlPGYR45t8m+V31xh/frfInwZOsNNFLsC+W2GzZLYOz6lfp1yQ4+sZjB12/BPLHoL4mlor/tgzkF6gogBq2m5k= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=aF/dX01n; arc=none smtp.client-ip=209.85.128.41 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="aF/dX01n" Received: by mail-wm1-f41.google.com with SMTP id 5b1f17b1804b1-4853e1ce427so41077115e9.3 for ; Sat, 04 Apr 2026 22:52:50 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1775368369; x=1775973169; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=Io37eMQXjFrNe5EGOk1T1EQBTG5MupuGxN8OBbeP41k=; b=aF/dX01nRH2bxQnsibtNB/5jDNxU2j4y0QCSWw3N6qFUxvVTuLnJPrG6FjgoQ8jpE0 02iB6NyJn7asVR+O0QlKp1Vb+UYXS4oHfc38k56M69vp1X1oKkeqlQovRKiMZTdUlXv2 sQg7IWpZDeQs+xA2n6iJP0FK7iezt+s8Fl9Q4Y1U2KIqSOUWNPBR4LO6uAJ2TWcU7N/5 hLWs3nViOpXbyqu+Dmm741PSbmZQr45qo/qkHSFbYHc2xG9jfj8gu35Fd8w0iogWVaD7 uFMxGntx1WfG5S6P/or+/cJDgtVFH3wsgKR2zby8K0i9AMHtrElepzxb0XuZs9lHtBPL OxiQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1775368369; x=1775973169; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=Io37eMQXjFrNe5EGOk1T1EQBTG5MupuGxN8OBbeP41k=; b=gRuXREIrEUeMKLUT1kw1EdYpVYgssH9aWBZnDnco76OjIY2OobOfs8knOxQLP9c07b KRXvmaIDNAyd57keShkzC2dxL5pBsUt+NZQfAyzlaL82huxMK/m2P2DkQR0y7BOJOsB2 GkmvUrmNNT2Vq9RRU2ryLqbXmWMWUOVYo1IBSIgvdE988XtkSgw4f+gN1vkD1mmnhl1K uSb6ZW1Ut4H6xWcWEjmmw2W8t+iDwurxMwYen/FyI0tiVRiVOr5EKu+6fBpGoWQnYV6Y UXo3QqxlpGpLt47nYFxqpGkHf9mqIJ3G0n48wOXZpsb3zFMQksadQgzl9JG3bMR/OLDH iGVQ== X-Forwarded-Encrypted: i=1; AJvYcCU6GC/XC4F5emExAHzmOPTuwyYSkOG9uBl0paNT9ZPVie4SvV5xwaiUjJqC7y5gP/FCVc/AOkHkC2sIaEM=@vger.kernel.org X-Gm-Message-State: AOJu0YxtTtUzqR208OhCnuxWreMbdqZGL8SYTQDku484d3PGtqElCwKY w8pQJz5qsWnB+qjzH3kQgDOFiQ8YzgOjstT+ecSpUFh7MvDifJRlwWSK X-Gm-Gg: AeBDiesyE4HkHLBu/LkEhKuYBotP279oCIJK/mWaT3TNUL/WhKscJaNg1EC9aUIF3eB AOqklRdTdHmtAshzIR27Ez+/2GUfhdUXwKKiji6b2/td+4aIPp4DFGYfbpuHexwJacKHEIOHUaV /KHfIy130u8EYYmueulMx/ppua0FB5omcP08aUmD9dAjD139GR4eXQ0IoyzrdE7+6hRGW8x1lhi zPWfLumJeBSaIVbmUdSe+pKBNbBqAuXCx3USte0SAeJRa56Detaxw2xOXDe7NlBfj4fxJ0g85k0 GtsnCzg224aYsSh5FXzQMFlAQmGHW0JNhOr7l9GVZOWmn8U7UoK+djwPUFyFLuH8rkgJ8M+auJN K+7PjqbehQwcHudeZTMEK90CRw7JgakjaljCCnDIj5ZVId0W+A8UKmnSZQTUFDMm6Oryu2izAYp /UZKZ7LZdrKzA1LoBRWOuMuagVXl2aHnqeHBzgoROQrSPil4KP6LATQthDVxsQRcuFJYWm99g4X vQ5mceoP/UO X-Received: by 2002:a05:600c:46d5:b0:486:fdba:f5db with SMTP id 5b1f17b1804b1-488995d5fa9mr125286085e9.0.1775368368776; Sat, 04 Apr 2026 22:52:48 -0700 (PDT) Received: from dohko.chello.ie (188-141-5-72.dynamic.upc.ie. [188.141.5.72]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-48899e960a7sm55847465e9.27.2026.04.04.22.52.46 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 04 Apr 2026 22:52:47 -0700 (PDT) From: David Carlier To: horatiu.vultur@microchip.com, UNGLinuxDriver@microchip.com, andrew+netdev@lunn.ch, davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, netdev@vger.kernel.org, linux-kernel@vger.kernel.org Cc: stable@vger.kernel.org, David Carlier Subject: [PATCH net v3 v3 2/3] net: lan966x: fix page pool leak in error paths Date: Sun, 5 Apr 2026 06:52:40 +0100 Message-ID: <20260405055241.35767-3-devnexen@gmail.com> X-Mailer: git-send-email 2.53.0 In-Reply-To: <20260405055241.35767-1-devnexen@gmail.com> References: <20260405055241.35767-1-devnexen@gmail.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" lan966x_fdma_rx_alloc() creates a page pool but does not destroy it if the subsequent fdma_alloc_coherent() call fails, leaking the pool. Similarly, lan966x_fdma_init() frees the coherent DMA memory when lan966x_fdma_tx_alloc() fails but does not destroy the page pool that was successfully created by lan966x_fdma_rx_alloc(), leaking it. Add the missing page_pool_destroy() calls in both error paths. Fixes: 11871aba1974 ("net: lan96x: Use page_pool API") Cc: stable@vger.kernel.org Signed-off-by: David Carlier --- drivers/net/ethernet/microchip/lan966x/lan966x_fdma.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/drivers/net/ethernet/microchip/lan966x/lan966x_fdma.c b/driver= s/net/ethernet/microchip/lan966x/lan966x_fdma.c index 74851c63e46a..10773fe93d4d 100644 --- a/drivers/net/ethernet/microchip/lan966x/lan966x_fdma.c +++ b/drivers/net/ethernet/microchip/lan966x/lan966x_fdma.c @@ -119,8 +119,10 @@ static int lan966x_fdma_rx_alloc(struct lan966x_rx *rx) return PTR_ERR(rx->page_pool); =20 err =3D fdma_alloc_coherent(lan966x->dev, fdma); - if (err) + if (err) { + page_pool_destroy(rx->page_pool); return err; + } =20 fdma_dcbs_init(fdma, FDMA_DCB_INFO_DATAL(fdma->db_size), FDMA_DCB_STATUS_INTR); @@ -957,6 +959,7 @@ int lan966x_fdma_init(struct lan966x *lan966x) err =3D lan966x_fdma_tx_alloc(&lan966x->tx); if (err) { fdma_free_coherent(lan966x->dev, &lan966x->rx.fdma); + page_pool_destroy(lan966x->rx.page_pool); return err; } =20 --=20 2.53.0 From nobody Sun Jun 14 18:55:54 2026 Received: from mail-wm1-f42.google.com (mail-wm1-f42.google.com [209.85.128.42]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 4C746369991 for ; Sun, 5 Apr 2026 05:52:52 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.42 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1775368378; cv=none; b=pufcT4qZdUlFWo4ac7cjHn+T8I7peclVATWSBppLckI2S8uWvi347fbl8qF03gyueNF5qAskbHaf/joW3J28jvsYmfyRAzBMTmuNBfZgXPNf6PNmvgO+KyrrSNaaw4TUvErLV4KEvK2OM2lY8kwc0BieQUFCyl18Y5KQKaio8L0= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1775368378; c=relaxed/simple; bh=rjyhxTLjD4oM7GV53cCusNScFU3+tGRuTXJymOhoLO8=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=sea59SKTdZy58IkuKot9rfM/Lcr/t69kJvhmLqx7rYCkSB0AhjHWKISbVrnb3N7+7jV8hLidesPg+JFT8/3f13vUkoJRzUqkBELvnR9k7I4GFjI/4nNNbT4sDaGMegvCh9ra3UxtWflFSVhBCuyXtv45B3iRrMLs6kTHI7dzg9Y= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=mIJ6u8AF; arc=none smtp.client-ip=209.85.128.42 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="mIJ6u8AF" Received: by mail-wm1-f42.google.com with SMTP id 5b1f17b1804b1-4838c15e3cbso23252855e9.3 for ; Sat, 04 Apr 2026 22:52:52 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1775368371; x=1775973171; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=eiLiRH4idOnGI7FfnG4m23MwzysNfORwXalUz3M3yBI=; b=mIJ6u8AFGN1tBEGIiMWaOKLOlUOiK35cXSqT4YoLzfugh9j7iCJs+MD8So4l3T2nTh xniZ1Fi2ufpVZPNzOiiBgoDGlk/S5RL4SjVKbfUXGu1ZmHMhTfm3zdoJdSRcqeL+QYjf iATzwgKiDIBbzBVe5/1BErZsyu78zAcoD9lQybUK6963hOKM0IHidQSDmi/Dd0esXNIX YYppJYJdAZb+knhKXa+BL0kWzDGfhViMrn3zqs1Vna0fp9N4eGZfZ0D9KS1ffpMobkFI A9EXAlBbvii2lsDUoo/6hf++nwpdax3VPwFUQVxnaqx+yXWY1shB9KXI+PRxw7tfyOJo NZxA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1775368371; x=1775973171; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=eiLiRH4idOnGI7FfnG4m23MwzysNfORwXalUz3M3yBI=; b=QS5liPFbbaH/XdoqBRPQg1GiSCCmNLjU5VeBgGKQv1OpRhIcHqJL2L2qaod3RaRBUd M8MjdehX4yNhHYZNHlQkMFUOhjkDxLmj7hLWoSMUNQIrS/4OKK4VDS86XhujPtQKZb/S FSVawEdcocuyzShwjKmTbrboVUE3h8BGFQPsZnoOj81a8rvCsBKM06m+r+FJ+k8BADj4 dJCEH0gX4yckcB4GJFofImPe8dDhQW02+K4/bmj0pH/Qgp9Y9HE8D4K5Hnk6CTRkKtOt mYXBYL50hzJwogwCgA8WQnqN98xyaHJmqgeTFjcUwj+9ZMqRJGvHeNUnm5iHzNHQYjje 8FJQ== X-Forwarded-Encrypted: i=1; AJvYcCXFWumzvhhwhLuB3uvo+hoRxhnn4VsnYnH6LynaCp7QtfNZ9geyr5ZxLFRE7as9SMzqb4ZIXRQXcA9fG80=@vger.kernel.org X-Gm-Message-State: AOJu0YyaWCK7cFV/8EgsoaT1GvkdvCrERcZ4eq/DrpuoZscET22y9lkT wUqcYQobOI9tua88SWWXjgyU8Z7wOHCWGTYzngLFViV/diFj8Ys6xwaAptXDVD8fPHI1sg== X-Gm-Gg: AeBDievmjs0Vdd1t9t98O0T/1SwR2uPMoY3xI+/880d/On4Vnr1bACua1kaOrE7lYj9 C8PEs3KuOkVbpmaz3t+yEzops+0OQ5f9zBwOGAsmPmJlnMQt+6IUVwJxdWLGpmIlDYxgROcb9Ym OvxGB/ESksSlit1rZ14CghwC3iSjXLeXUp1vVgso2mHoawX/dDzKigbJ9Nmba+8os0BiuKA0fGy wqJiF2bnBB4yqG7JSbPFWewELKNMs+y3W0OE2ivfI/ZRVgq4TIAL96RmXwLjVbse0CQInOBv5vk r1h8S9PuAM3j1IHYZMYzxVfwb39vdCJcprIZlhFdNeo4wSbqTcznNx+xSHDOmLv3+wb7sLzxKcZ X+PWsezEH2h02eIoU5skHBxk7saTjw3ESWav95NnNZhi8eJUOVDYWccMtJ1B/nBLkPgvlYsUTjS 0fmY/cx4sCXufdlDDtjDgRwra6pKUxpO63LxDaFsE1yKI1feE7Ps4ww3pzRamlKMP5zsUBlHRvz IlfG6Zu+G/k X-Received: by 2002:a05:600c:4e86:b0:480:4a8f:2d5c with SMTP id 5b1f17b1804b1-488997c9b69mr114746685e9.29.1775368370586; Sat, 04 Apr 2026 22:52:50 -0700 (PDT) Received: from dohko.chello.ie (188-141-5-72.dynamic.upc.ie. [188.141.5.72]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-48899e960a7sm55847465e9.27.2026.04.04.22.52.48 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 04 Apr 2026 22:52:50 -0700 (PDT) From: David Carlier To: horatiu.vultur@microchip.com, UNGLinuxDriver@microchip.com, andrew+netdev@lunn.ch, davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, netdev@vger.kernel.org, linux-kernel@vger.kernel.org Cc: stable@vger.kernel.org, David Carlier Subject: [PATCH net v3 v3 3/3] net: lan966x: fix use-after-free and leak in lan966x_fdma_reload() Date: Sun, 5 Apr 2026 06:52:41 +0100 Message-ID: <20260405055241.35767-4-devnexen@gmail.com> X-Mailer: git-send-email 2.53.0 In-Reply-To: <20260405055241.35767-1-devnexen@gmail.com> References: <20260405055241.35767-1-devnexen@gmail.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" When lan966x_fdma_reload() fails to allocate new RX buffers, the restore path restarts DMA using old descriptors whose pages were already freed via lan966x_fdma_rx_free_pages(). Since page_pool_put_full_page() can release pages back to the buddy allocator, the hardware may DMA into memory now owned by other kernel subsystems. Additionally, on the restore path, the newly created page pool (if allocation partially succeeded) is overwritten without being destroyed, leaking it. Fix both issues by deferring the release of old pages until after the new allocation succeeds. Save the old page array before the allocation so old pages can be freed on the success path. On the failure path, the old descriptors, pages and page pool are all still valid, making the restore safe. Also ensure the restore path re-enables NAPI and wakes the netdev, matching the success path. Fixes: 89ba464fcf54 ("net: lan966x: refactor buffer reload function") Cc: stable@vger.kernel.org Signed-off-by: David Carlier --- .../ethernet/microchip/lan966x/lan966x_fdma.c | 21 ++++++++++++++++--- 1 file changed, 18 insertions(+), 3 deletions(-) diff --git a/drivers/net/ethernet/microchip/lan966x/lan966x_fdma.c b/driver= s/net/ethernet/microchip/lan966x/lan966x_fdma.c index 10773fe93d4d..f8ce735a7fc0 100644 --- a/drivers/net/ethernet/microchip/lan966x/lan966x_fdma.c +++ b/drivers/net/ethernet/microchip/lan966x/lan966x_fdma.c @@ -812,9 +812,15 @@ static int lan966x_qsys_sw_status(struct lan966x *lan9= 66x) =20 static int lan966x_fdma_reload(struct lan966x *lan966x, int new_mtu) { + struct page *(*old_pages)[FDMA_RX_DCB_MAX_DBS]; struct page_pool *page_pool; struct fdma fdma_rx_old; - int err; + int err, i, j; + + old_pages =3D kmemdup(lan966x->rx.page, sizeof(lan966x->rx.page), + GFP_KERNEL); + if (!old_pages) + return -ENOMEM; =20 /* Store these for later to free them */ memcpy(&fdma_rx_old, &lan966x->rx.fdma, sizeof(struct fdma)); @@ -825,7 +831,6 @@ static int lan966x_fdma_reload(struct lan966x *lan966x,= int new_mtu) lan966x_fdma_stop_netdev(lan966x); =20 lan966x_fdma_rx_disable(&lan966x->rx); - lan966x_fdma_rx_free_pages(&lan966x->rx); lan966x->rx.page_order =3D round_up(new_mtu, PAGE_SIZE) / PAGE_SIZE - 1; lan966x->rx.max_mtu =3D new_mtu; err =3D lan966x_fdma_rx_alloc(&lan966x->rx); @@ -833,6 +838,11 @@ static int lan966x_fdma_reload(struct lan966x *lan966x= , int new_mtu) goto restore; lan966x_fdma_rx_start(&lan966x->rx); =20 + for (i =3D 0; i < fdma_rx_old.n_dcbs; ++i) + for (j =3D 0; j < fdma_rx_old.n_dbs; ++j) + page_pool_put_full_page(page_pool, + old_pages[i][j], false); + fdma_free_coherent(lan966x->dev, &fdma_rx_old); =20 page_pool_destroy(page_pool); @@ -840,12 +850,17 @@ static int lan966x_fdma_reload(struct lan966x *lan966= x, int new_mtu) lan966x_fdma_wakeup_netdev(lan966x); napi_enable(&lan966x->napi); =20 - return err; + kfree(old_pages); + return 0; restore: lan966x->rx.page_pool =3D page_pool; memcpy(&lan966x->rx.fdma, &fdma_rx_old, sizeof(struct fdma)); lan966x_fdma_rx_start(&lan966x->rx); =20 + lan966x_fdma_wakeup_netdev(lan966x); + napi_enable(&lan966x->napi); + + kfree(old_pages); return err; } =20 --=20 2.53.0