From patchwork Fri Oct 23 23:09:47 2015 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Sergei Shtylyov X-Patchwork-Id: 7478811 X-Patchwork-Delegate: geert@linux-m68k.org Return-Path: X-Original-To: patchwork-linux-sh@patchwork.kernel.org Delivered-To: patchwork-parsemail@patchwork1.web.kernel.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.136]) by patchwork1.web.kernel.org (Postfix) with ESMTP id 7CF339F302 for ; Fri, 23 Oct 2015 23:09:55 +0000 (UTC) Received: from mail.kernel.org (localhost [127.0.0.1]) by mail.kernel.org (Postfix) with ESMTP id 96D2D20A29 for ; Fri, 23 Oct 2015 23:09:54 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 6E0F4209BC for ; Fri, 23 Oct 2015 23:09:53 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751543AbbJWXJw (ORCPT ); Fri, 23 Oct 2015 19:09:52 -0400 Received: from mail-lf0-f50.google.com ([209.85.215.50]:34743 "EHLO mail-lf0-f50.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751301AbbJWXJv (ORCPT ); Fri, 23 Oct 2015 19:09:51 -0400 Received: by lfaz124 with SMTP id z124so99020923lfa.1 for ; Fri, 23 Oct 2015 16:09:50 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cogentembedded_com.20150623.gappssmtp.com; s=20150623; h=from:to:cc:subject:date:message-id:organization:user-agent :mime-version:content-transfer-encoding:content-type; bh=mqJT6TodYaMOaQsSP+iDInTRfSY15++HKZtop3qMM/g=; b=UF2BMkVqHY8lUPzqVNteGoFcYgT3YFS1/oUSUn1YPEMb7pUK9Y660FWyFvpA40GC5v ZC7Act4lMrrvFnrXq4kgvEhW+nPv1K7YjSg6xXjKi+5eS/6xrGJYWSmjgUED3aqMgfP1 B95AGjpZt1sGwEMSTZ829b5Bv8hPEtJN+v7qsjmHW7akdtZqT2fYdIOagFf1is+hGZ24 sSGi8jN9D2w1gV5eXu/Ttqb3RcN0QYKRfDBzM2a3wYPeTMUGh4rpak9jrMLFxybEskh+ i8bAisKaPEdizPjm0bLc7q9NNGZfW1OVtqhNVMAEjDrA25dTMVb01j5wH4kngtMlG0Gl U1sw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:from:to:cc:subject:date:message-id:organization :user-agent:mime-version:content-transfer-encoding:content-type; bh=mqJT6TodYaMOaQsSP+iDInTRfSY15++HKZtop3qMM/g=; b=ZwkFA0n+NT+WngUO/rp2mT9MdMWuOrAmSm/3BO7Swn2qZ6ib+dEtcm+FAd9vqUfgPZ 60mqMLAaBPoPboBl6UILY+WHAwwS099tGG5xJnT3HS/o23DNG7Et75ZZIyGrwh8CXmj9 WEfvy4Y9uagt2uY8obCCo0ATyFc2BlkND0ZcnumfKLfxCJhBeZ07zee1SwyOb/ksSOKS STBfVLbaUPhkP/rQY3NN2bEfi1nTCtY/qqq/gV5rOniI8yW3Q9P7pK6lkceb0Ks4yywm 2D7p/5TbnRt67logL2XuX75Id/PrKHe5b5xKg5RFH9ToL/edVuj4SG8VhxuU1I6EqdeD rDkA== X-Gm-Message-State: ALoCoQkQ5lHHHJ0AbFhMq4famr8WLF8YELF8RbfapDl928KrKeC/k0iSVejHsnKSsodnwPkNn4YM X-Received: by 10.112.130.39 with SMTP id ob7mr12350407lbb.66.1445641790240; Fri, 23 Oct 2015 16:09:50 -0700 (PDT) Received: from wasted.cogentembedded.com ([83.149.8.130]) by smtp.gmail.com with ESMTPSA id r77sm3716747lfr.30.2015.10.23.16.09.48 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 23 Oct 2015 16:09:49 -0700 (PDT) From: Sergei Shtylyov To: netdev@vger.kernel.org, yashi@atmark-techno.com Cc: linux-sh@vger.kernel.org Subject: [PATCH RTF] sh_eth: fix kernel oops in skb_put() Date: Sat, 24 Oct 2015 02:09:47 +0300 Message-ID: <4859772.ltR2e4ZqZH@wasted.cogentembedded.com> Organization: Cogent Embedded Inc. User-Agent: KMail/4.14.9 (Linux/4.1.8-100.fc21.x86_64; KDE/4.14.9; x86_64; ; ) MIME-Version: 1.0 Sender: linux-sh-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-sh@vger.kernel.org X-Spam-Status: No, score=-6.0 required=5.0 tests=BAYES_00,DKIM_SIGNED, RCVD_IN_DNSWL_HI,RCVD_IN_SORBS_WEB,RP_MATCHES_RCVD,T_DKIM_INVALID, UNPARSEABLE_RELAY autolearn=ham version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP In a low memory situation the following kernel oops occurs: Unable to handle kernel NULL pointer dereference at virtual address 00000050 pgd = 8490c000 [00000050] *pgd=4651e831, *pte=00000000, *ppte=00000000 Internal error: Oops: 17 [#1] PREEMPT ARM Modules linked in: CPU: 0 Not tainted (3.4-at16 #9) PC is at skb_put+0x10/0x98 LR is at sh_eth_poll+0x2c8/0xa10 pc : [<8035f780>] lr : [<8028bf50>] psr: 60000113 sp : 84eb1a90 ip : 84eb1ac8 fp : 84eb1ac4 r10: 0000003f r9 : 000005ea r8 : 00000000 r7 : 00000000 r6 : 940453b0 r5 : 00030000 r4 : 9381b180 r3 : 00000000 r2 : 00000000 r1 : 000005ea r0 : 00000000 Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user Control: 10c53c7d Table: 4248c059 DAC: 00000015 Process klogd (pid: 2046, stack limit = 0x84eb02e8) [...] This is because netdev_alloc_skb() fails and 'mdp->rx_skbuff[entry]' is left NULL but sh_eth_rx() later uses it without checking. Add such check... Reported-by: Yasushi SHOJI Signed-off-by: Sergei Shtylyov --- This patch is against DaveM's 'net.git' repo. drivers/net/ethernet/renesas/sh_eth.c | 3 +++ 1 file changed, 3 insertions(+) -- To unsubscribe from this list: send the line "unsubscribe linux-sh" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Index: net/drivers/net/ethernet/renesas/sh_eth.c =================================================================== --- net.orig/drivers/net/ethernet/renesas/sh_eth.c +++ net/drivers/net/ethernet/renesas/sh_eth.c @@ -1502,6 +1502,8 @@ static int sh_eth_rx(struct net_device * phys_to_virt(ALIGN(rxdesc->addr, 4)), pkt_len + 2); skb = mdp->rx_skbuff[entry]; + if (!skb) + goto skip; mdp->rx_skbuff[entry] = NULL; if (mdp->cd->rpadir) skb_reserve(skb, NET_IP_ALIGN); @@ -1516,6 +1518,7 @@ static int sh_eth_rx(struct net_device * if (desc_status & RD_RFS8) ndev->stats.multicast++; } +skip: entry = (++mdp->cur_rx) % mdp->num_rx_ring; rxdesc = &mdp->rx_ring[entry]; }