From nobody Fri Sep 20 11:47:58 2024 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id D12F0C27C7A for ; Thu, 17 Aug 2023 12:03:04 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1350597AbjHQMCe (ORCPT ); Thu, 17 Aug 2023 08:02:34 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:49156 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1350469AbjHQMCD (ORCPT ); Thu, 17 Aug 2023 08:02:03 -0400 Received: from pidgin.makrotopia.org (pidgin.makrotopia.org [185.142.180.65]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id C0F862136; Thu, 17 Aug 2023 05:01:48 -0700 (PDT) Received: from local by pidgin.makrotopia.org with esmtpsa (TLS1.3:TLS_AES_256_GCM_SHA384:256) (Exim 4.96) (envelope-from ) id 1qWbh3-0001ko-02; Thu, 17 Aug 2023 12:01:38 +0000 Date: Thu, 17 Aug 2023 13:01:11 +0100 From: Daniel Golle To: Felix Fietkau , John Crispin , Sean Wang , Mark Lee , Lorenzo Bianconi , "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , Matthias Brugger , AngeloGioacchino Del Regno , Sujuan Chen , netdev@vger.kernel.org, linux-kernel@vger.kernel.org, linux-arm-kernel@lists.infradead.org, linux-mediatek@lists.infradead.org Subject: [PATCH net] net: ethernet: mtk_eth_soc: fix NULL pointer on hw reset Message-ID: <6863f378a2a077701c60cea6ae654212e919d624.1692273610.git.daniel@makrotopia.org> MIME-Version: 1.0 Content-Disposition: inline Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" When a hardware reset is triggered on devices not initializing WED the calls to mtk_wed_fe_reset and mtk_wed_fe_reset_complete dereference a pointer on uninitialized stack memory. Initialize the hw_list will 0s and break out of both functions in case a hw_list entry is 0. Fixes: 08a764a7c51b ("net: ethernet: mtk_wed: add reset/reset_complete call= backs") Signed-off-by: Daniel Golle Reviewed-by: Simon Horman --- drivers/net/ethernet/mediatek/mtk_wed.c | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/drivers/net/ethernet/mediatek/mtk_wed.c b/drivers/net/ethernet= /mediatek/mtk_wed.c index 00aeee0d5e45f..d14f5137379b9 100644 --- a/drivers/net/ethernet/mediatek/mtk_wed.c +++ b/drivers/net/ethernet/mediatek/mtk_wed.c @@ -41,7 +41,7 @@ #define MTK_WED_RRO_QUE_CNT 8192 #define MTK_WED_MIOD_ENTRY_CNT 128 =20 -static struct mtk_wed_hw *hw_list[2]; +static struct mtk_wed_hw *hw_list[2] =3D {}; static DEFINE_MUTEX(hw_lock); =20 struct mtk_wed_flow_block_priv { @@ -222,9 +222,13 @@ void mtk_wed_fe_reset(void) =20 for (i =3D 0; i < ARRAY_SIZE(hw_list); i++) { struct mtk_wed_hw *hw =3D hw_list[i]; - struct mtk_wed_device *dev =3D hw->wed_dev; + struct mtk_wed_device *dev; int err; =20 + if (!hw) + break; + + dev =3D hw->wed_dev; if (!dev || !dev->wlan.reset) continue; =20 @@ -245,8 +249,12 @@ void mtk_wed_fe_reset_complete(void) =20 for (i =3D 0; i < ARRAY_SIZE(hw_list); i++) { struct mtk_wed_hw *hw =3D hw_list[i]; - struct mtk_wed_device *dev =3D hw->wed_dev; + struct mtk_wed_device *dev; + + if (!hw) + break; =20 + dev =3D hw->wed_dev; if (!dev || !dev->wlan.reset_complete) continue; =20 --=20 2.41.0