From patchwork Thu Dec 3 22:45:40 2015 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Sergei Shtylyov X-Patchwork-Id: 7763981 X-Patchwork-Delegate: horms@verge.net.au Return-Path: X-Original-To: patchwork-linux-sh@patchwork.kernel.org Delivered-To: patchwork-parsemail@patchwork2.web.kernel.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.136]) by patchwork2.web.kernel.org (Postfix) with ESMTP id 7F806BEEE1 for ; Thu, 3 Dec 2015 22:46:33 +0000 (UTC) Received: from mail.kernel.org (localhost [127.0.0.1]) by mail.kernel.org (Postfix) with ESMTP id 91BC5204E0 for ; Thu, 3 Dec 2015 22:46:32 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 5723D20511 for ; Thu, 3 Dec 2015 22:46:31 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753383AbbLCWq3 (ORCPT ); Thu, 3 Dec 2015 17:46:29 -0500 Received: from mail-lf0-f41.google.com ([209.85.215.41]:36525 "EHLO mail-lf0-f41.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753149AbbLCWq2 (ORCPT ); Thu, 3 Dec 2015 17:46:28 -0500 Received: by lfs39 with SMTP id 39so97211824lfs.3 for ; Thu, 03 Dec 2015 14:46:27 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cogentembedded-com.20150623.gappssmtp.com; s=20150623; h=from:to:cc:subject:date:message-id:organization:user-agent :mime-version:content-transfer-encoding:content-type; bh=uWqOHPwgiCj/+qQ82jKUqWz2a2TrjrGS1h5QFw0Cc44=; b=KJwnZyewYJ8qix/3LgRhm2mYaoCuPxTKwEikCoVYjCrSf7wIAvF0Sd6rbnxlwafhYa ny1qhLPf8uXHGwar942SwhPAHKZdVDb4RHQrFbVI1bgSsk5BPxguy+d9hU10WdC8Tg16 INdyWSnMNWoVJ2JcvObehRXCnpB+iC2F0KtrXr1EDxNQHGzNabRmgfokdOskrp/N0JnG Vw+9rjU2pbSkqOlKTBS/uvlxoOH7QykidIYtvIRuEM4MFt1y9V0wPyNkCTnzu1Xxs5Ug QH0M3Knk+Jr45z5t2c+VMme9ZoOyista1psI3ED6If/eOgWvGaWPD76X9obYuEuc+Aqc l1og== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:from:to:cc:subject:date:message-id:organization :user-agent:mime-version:content-transfer-encoding:content-type; bh=uWqOHPwgiCj/+qQ82jKUqWz2a2TrjrGS1h5QFw0Cc44=; b=TE2a5t/c5RqxumXGUtZDi/7vnojf5t4rXYjqQLpB8U4CRzgc3f4uNuIyvZo1KRJGZI 6j4Cja3kW2648/5eF1vD+Egmy+TADW1V/DwYsU/IPfP+2iOg+6TrfwzWNgKpnx3rmpCl uj9gkFIOCDqqxKHUEs2P+0GWluVcgTpTJHwehS3AcmT8fcN7cZz34fiLYV1N6yZ7m9yA LLUbw8+4pMInjj6DD284JJKkXIT+yMafCqDOojsJgvcltFMp3bWYCH6YujF9pigzJmOG sY4bddCWvLGyLQHlezv6Nqw+uLipf8InKUxoWpHoAwR2JZfr6McilY0Xd4sTWBde428s cKMw== X-Gm-Message-State: ALoCoQk4Wbtxv5c/9AYRLsXRzS0/QbrRx6A/FxP8DNV3nEXCVeJwBpt4dIOgVSOdecWnrqJXS7RB X-Received: by 10.25.17.196 with SMTP id 65mr5791545lfr.137.1449182786908; Thu, 03 Dec 2015 14:46:26 -0800 (PST) Received: from wasted.cogentembedded.com ([83.149.8.114]) by smtp.gmail.com with ESMTPSA id p69sm1788638lfe.42.2015.12.03.14.46.17 (version=TLSv1/SSLv3 cipher=OTHER); Thu, 03 Dec 2015 14:46:25 -0800 (PST) From: Sergei Shtylyov To: netdev@vger.kernel.org, yashi@atmark-techno.com Cc: linux-sh@vger.kernel.org Subject: [PATCH v3] sh_eth: fix kernel oops in skb_put() Date: Fri, 04 Dec 2015 01:45:40 +0300 Message-ID: <1498048.4g9dLWgJuk@wasted.cogentembedded.com> Organization: Cogent Embedded Inc. User-Agent: KMail/4.14.10 (Linux/4.2.6-201.fc22.x86_64; KDE/4.14.14; x86_64; ; ) MIME-Version: 1.0 Sender: linux-sh-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-sh@vger.kernel.org X-Spam-Status: No, score=-6.0 required=5.0 tests=BAYES_00,DKIM_SIGNED, RCVD_IN_DNSWL_HI, RCVD_IN_SORBS_WEB, T_DKIM_INVALID, T_RP_MATCHES_RCVD, UNPARSEABLE_RELAY autolearn=ham version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP In a low memory situation the following kernel oops occurs: Unable to handle kernel NULL pointer dereference at virtual address 00000050 pgd = 8490c000 [00000050] *pgd=4651e831, *pte=00000000, *ppte=00000000 Internal error: Oops: 17 [#1] PREEMPT ARM Modules linked in: CPU: 0 Not tainted (3.4-at16 #9) PC is at skb_put+0x10/0x98 LR is at sh_eth_poll+0x2c8/0xa10 pc : [<8035f780>] lr : [<8028bf50>] psr: 60000113 sp : 84eb1a90 ip : 84eb1ac8 fp : 84eb1ac4 r10: 0000003f r9 : 000005ea r8 : 00000000 r7 : 00000000 r6 : 940453b0 r5 : 00030000 r4 : 9381b180 r3 : 00000000 r2 : 00000000 r1 : 000005ea r0 : 00000000 Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user Control: 10c53c7d Table: 4248c059 DAC: 00000015 Process klogd (pid: 2046, stack limit = 0x84eb02e8) [...] This is because netdev_alloc_skb() fails and 'mdp->rx_skbuff[entry]' is left NULL but sh_eth_rx() later uses it without checking. Add such check... Reported-by: Yasushi SHOJI Signed-off-by: Sergei Shtylyov --- The patch is against Dave Miller's 'net.git' repo. Changes in version 3: - refreshed the patch; - reformatted the changelog; - removed [RFT] from the subject. Changes in version 2: - moved reading 'mdp->rx_skbuff[entry]' earlier to avoid *goto*. drivers/net/ethernet/renesas/sh_eth.c | 4 ++-- drivers/net/ethernet/renesas/sh_eth.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) -- To unsubscribe from this list: send the line "unsubscribe linux-sh" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Index: net/drivers/net/ethernet/renesas/sh_eth.c =================================================================== --- net.orig/drivers/net/ethernet/renesas/sh_eth.c +++ net/drivers/net/ethernet/renesas/sh_eth.c @@ -1462,6 +1462,7 @@ static int sh_eth_rx(struct net_device * if (mdp->cd->shift_rd0) desc_status >>= 16; + skb = mdp->rx_skbuff[entry]; if (desc_status & (RD_RFS1 | RD_RFS2 | RD_RFS3 | RD_RFS4 | RD_RFS5 | RD_RFS6 | RD_RFS10)) { ndev->stats.rx_errors++; @@ -1477,12 +1478,11 @@ static int sh_eth_rx(struct net_device * ndev->stats.rx_missed_errors++; if (desc_status & RD_RFS10) ndev->stats.rx_over_errors++; - } else { + } else if (skb) { if (!mdp->cd->hw_swap) sh_eth_soft_swap( phys_to_virt(ALIGN(rxdesc->addr, 4)), pkt_len + 2); - skb = mdp->rx_skbuff[entry]; mdp->rx_skbuff[entry] = NULL; if (mdp->cd->rpadir) skb_reserve(skb, NET_IP_ALIGN);