From: Michael Bommarito
To: richard@nod.at, anton.ivanov@cambridgegreys.com, johannes@sipsolutions.net
Cc: linux-um@lists.infradead.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org, Michael Bommarito
Subject: [PATCH] um: vector: fix NULL pointer derefs in queue-less transports
Date: Fri, 10 Apr 2026 16:30:28 -0400
Message-ID: <20260410203028.3717914-1-michael.bommarito@gmail.com>

TAP transport sets neither VECTOR_RX nor VECTOR_TX, so vector_net_open() never allocates rx_queue or tx_queue. HYBRID sets VECTOR_RX but not VECTOR_TX, so tx_queue is NULL there too.

vector_reset_stats(), vector_poll(), vector_get_ethtool_stats(), and vector_get_ringparam() unconditionally deref these queue pointers, causing a NULL pointer crash on SMP or with any lock debugging option.

Guard all queue pointer accesses with NULL checks.

Fixes: 49da7e64f33e ("High Performance UML Vector Network Driver")
Cc: stable@vger.kernel.org
Cc: Anton Ivanov
Assisted-by: Claude:claude-opus-4-6
Assisted-by: Codex:gpt-5-4
Signed-off-by: Michael Bommarito
Acked-by: Anton Ivanov
---
Found while enabling KCOV and lockdep on UML for a network-stack test lab. Tested boot with SMP=y + PROVE_LOCKING + DEBUG_SPINLOCK + DEBUG_LOCK_ALLOC + LOCKDEP + KCOV, all with vec0:transport=tap. Without the fix, the same config panics at addr 0x18 (SMP, no debug), 0x1c (DEBUG_SPINLOCK), or 0x30 (lockdep) -- all offsets into a NULL vector_queue pointer.

arch/um/drivers/vector_kern.c | 48 +++++++++++++++++------------------ 1 file changed, 24 insertions(+), 24 deletions(-) diff --git a/arch/um/drivers/vector_kern.c b/arch/um/drivers/vector_kern.c index 2cc90055499a5..6134c376e57be 100644 --- a/arch/um/drivers/vector_kern.c +++ b/arch/um/drivers/vector_kern.c @@ -105,25 +105,18 @@ static const struct { =20 static void vector_reset_stats(struct vector_private *vp) { - /* We reuse the existing queue locks for stats */ - - /* RX stats are modified with RX head_lock held - * in vector_poll. - */ - - spin_lock(&vp->rx_queue->head_lock); + if (vp->rx_queue) + spin_lock(&vp->rx_queue->head_lock); vp->estats.rx_queue_max =3D 0; vp->estats.rx_queue_running_average =3D 0; vp->estats.rx_encaps_errors =3D 0; vp->estats.sg_ok =3D 0; vp->estats.sg_linearized =3D 0; - spin_unlock(&vp->rx_queue->head_lock); - - /* TX stats are modified with TX head_lock held - * in vector_send. - */ + if (vp->rx_queue) + spin_unlock(&vp->rx_queue->head_lock); =20 - spin_lock(&vp->tx_queue->head_lock); + if (vp->tx_queue) + spin_lock(&vp->tx_queue->head_lock); vp->estats.tx_timeout_count =3D 0; vp->estats.tx_restart_queue =3D 0; vp->estats.tx_kicks =3D 0; @@ -131,7 +124,8 @@ static void vector_reset_stats(struct vector_private *v= p) vp->estats.tx_flow_control_xoff =3D 0; vp->estats.tx_queue_max =3D 0; vp->estats.tx_queue_running_average =3D 0; - spin_unlock(&vp->tx_queue->head_lock); + if (vp->tx_queue) + spin_unlock(&vp->tx_queue->head_lock); } =20 static int get_mtu(struct arglist *def) 
@@ -1163,7 +1157,8 @@ static int vector_poll(struct napi_struct *napi, int = budget) =20 if ((vp->options & VECTOR_TX) !=3D 0) tx_enqueued =3D (vector_send(vp->tx_queue) > 0); - spin_lock(&vp->rx_queue->head_lock); + if (vp->rx_queue) + spin_lock(&vp->rx_queue->head_lock); if ((vp->options & VECTOR_RX) > 0) err =3D vector_mmsg_rx(vp, budget); else { @@ -1171,7 +1166,8 @@ static int vector_poll(struct napi_struct *napi, int = budget) if (err > 0) err =3D 1; } - spin_unlock(&vp->rx_queue->head_lock); + if (vp->rx_queue) + spin_unlock(&vp->rx_queue->head_lock); if (err > 0) work_done +=3D err; =20 @@ -1421,10 +1417,10 @@ static void vector_get_ringparam(struct net_device = *netdev, { struct vector_private *vp =3D netdev_priv(netdev); =20 - ring->rx_max_pending =3D vp->rx_queue->max_depth; - ring->tx_max_pending =3D vp->tx_queue->max_depth; - ring->rx_pending =3D vp->rx_queue->max_depth; - ring->tx_pending =3D vp->tx_queue->max_depth; + ring->rx_max_pending =3D vp->rx_queue ? vp->rx_queue->max_depth : 0; + ring->tx_max_pending =3D vp->tx_queue ? vp->tx_queue->max_depth : 0; + ring->rx_pending =3D ring->rx_max_pending; + ring->tx_pending =3D ring->tx_max_pending; } =20 static void vector_get_strings(struct net_device *dev, u32 stringset, u8 *= buf) @@ -1466,11 +1462,15 @@ static void vector_get_ethtool_stats(struct net_dev= ice *dev, * to date. */ =20 - spin_lock(&vp->tx_queue->head_lock); - spin_lock(&vp->rx_queue->head_lock); + if (vp->tx_queue) + spin_lock(&vp->tx_queue->head_lock); + if (vp->rx_queue) + spin_lock(&vp->rx_queue->head_lock); memcpy(tmp_stats, &vp->estats, sizeof(struct vector_estats)); - spin_unlock(&vp->rx_queue->head_lock); - spin_unlock(&vp->tx_queue->head_lock); + if (vp->rx_queue) + spin_unlock(&vp->rx_queue->head_lock); + if (vp->tx_queue) + spin_unlock(&vp->tx_queue->head_lock); } =20 static int vector_get_coalesce(struct net_device *netdev, --=20 2.53.0
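Review bot: in the vector_reset_stats() hunk, the two removed comments ("We reuse the existing queue locks for stats", and the notes that RX stats are written under the RX head_lock in vector_poll() and TX stats under the TX head_lock in vector_send()) carry the only explanation of why these locks are taken at all, and should survive the change. Suggest keeping them above the new `if (vp->rx_queue)` / `if (vp->tx_queue)` blocks and adding one line stating that a queue-less transport has no head_lock to take, so on TAP (and for TX on HYBRID) the reset of vp->estats is deliberately unserialized against the other writers. Testing the pointer twice (once before spin_lock, once before spin_unlock) is correct because, per the commit message, the queues are allocated in vector_net_open() and do not change while the device is open, but the pairing would be easier to audit with a single check around both the lock and the fields it protects.

Review bot: in the two vector_poll() hunks the RX lock is now guarded by `if (vp->rx_queue)`, while the TX call three lines above it is guarded by `(vp->options & VECTOR_TX) != 0`. The commit message says rx_queue is allocated exactly when VECTOR_RX is set, so the two conditions are equivalent today, but mixing a pointer test and an option test for the same property invites a future mismatch; suggest guarding the lock with `vp->options & VECTOR_RX` to match the TX side, or a comment saying the two are interchangeable. Also note the `else` branch is the non-VECTOR_RX receive path, i.e. precisely the case where rx_queue is NULL, so whatever it does to vp->estats now runs without the head_lock; that is consistent with the unlocked reset in vector_reset_stats(), but deserves a sentence in the commit message.

Review bot: in the vector_get_ringparam() hunk, rewriting rx_pending/tx_pending as copies of rx_max_pending/tx_max_pending preserves the old behaviour (all four were max_depth before) while letting a NULL queue report 0. A short comment that 0 means "this transport has no queue" would help anyone reading ethtool -g output on a tap transport, since 0 could otherwise be read as a broken ring size.

Review bot: in the vector_get_ethtool_stats() hunk the lock order is preserved (tx then rx on acquire, rx then tx on release), which is good. The partially visible comment above the locks, ending in "to date", describes the locks as what keeps the copied estats current; it should be amended to say that when a queue does not exist the memcpy is unsynchronised against that side's stats writers, in line with the same trade-off now made in vector_reset_stats().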