nfp: bpf: offload: Check prog before dereference

Message ID	20231018145244.591454-1-artem.chernyshev@red-soft.ru (mailing list archive)
State	Changes Requested
Delegated to:	Netdev Maintainers
Headers	show Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net [23.128.96.19]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 95E3911C80; Wed, 18 Oct 2023 14:53:01 +0000 (UTC) From: Artem Chernyshev <artem.chernyshev@red-soft.ru> To: Louis Peens <louis.peens@corigine.com> Cc: Artem Chernyshev <artem.chernyshev@red-soft.ru>, Jakub Kicinski <kuba@kernel.org>, "David S . Miller" <davem@davemloft.net>, Eric Dumazet <edumazet@google.com>, Paolo Abeni <pabeni@redhat.com>, bpf@vger.kernel.org, oss-drivers@corigine.com, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, lvc-project@linuxtesting.org Subject: [PATCH] nfp: bpf: offload: Check prog before dereference Date: Wed, 18 Oct 2023 17:52:44 +0300 Message-Id: <20231018145244.591454-1-artem.chernyshev@red-soft.ru> Precedence: bulk MIME-Version: 1.0 Content-Transfer-Encoding: 8bit FromAlignment: s bases: 2023/10/18 12:41:00 bases: 2023/10/18 12:07:00 #22221112
Series	nfp: bpf: offload: Check prog before dereference \| expand nfp: bpf: offload: Check prog before dereference

Message ID

20231018145244.591454-1-artem.chernyshev@red-soft.ru (mailing list archive)

State

Changes Requested

Delegated to:

Netdev Maintainers

Headers

From: Artem Chernyshev <artem.chernyshev@red-soft.ru>
To: Louis Peens <louis.peens@corigine.com>
Cc: Artem Chernyshev <artem.chernyshev@red-soft.ru>,
	Jakub Kicinski <kuba@kernel.org>,
	"David S . Miller" <davem@davemloft.net>,
	Eric Dumazet <edumazet@google.com>,
	Paolo Abeni <pabeni@redhat.com>,
	bpf@vger.kernel.org,
	oss-drivers@corigine.com,
	netdev@vger.kernel.org,
	linux-kernel@vger.kernel.org,
	lvc-project@linuxtesting.org
Subject: [PATCH] nfp: bpf: offload: Check prog before dereference
Date: Wed, 18 Oct 2023 17:52:44 +0300
Message-Id: <20231018145244.591454-1-artem.chernyshev@red-soft.ru>
Precedence: bulk
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

nfp: bpf: offload: Check prog before dereference | expand

Context	Check	Description
netdev/series_format	warning	Single patches do not need cover letters; Target tree name not specified in the subject
netdev/tree_selection	success	Guessed tree name to be net-next
netdev/fixes_present	success	Fixes tag not required for -next series
netdev/header_inline	success	No static functions without inline keyword in header files
netdev/build_32bit	success	Errors and warnings before: 1363 this patch: 1363
netdev/cc_maintainers	success	CCed 9 of 9 maintainers
netdev/build_clang	success	Errors and warnings before: 1388 this patch: 1388
netdev/verify_signedoff	success	Signed-off-by tag matches author and committer
netdev/deprecated_api	success	None detected
netdev/check_selftest	success	No net selftest shell script
netdev/verify_fixes	success	No Fixes tag
netdev/build_allmodconfig_warn	success	Errors and warnings before: 1388 this patch: 1388
netdev/checkpatch	fail	ERROR: do not use assignment in if condition
netdev/kdoc	success	Errors and warnings before: 0 this patch: 0
netdev/source_inline	success	Was 0 now: 0

Context

Check

Description

netdev/series_format

warning

Single patches do not need cover letters; Target tree name not specified in the subject

netdev/tree_selection

success

Guessed tree name to be net-next

netdev/fixes_present

success

Fixes tag not required for -next series

netdev/header_inline

success

No static functions without inline keyword in header files

netdev/build_32bit

success

Errors and warnings before: 1363 this patch: 1363

netdev/cc_maintainers

success

CCed 9 of 9 maintainers

netdev/build_clang

success

Errors and warnings before: 1388 this patch: 1388

netdev/verify_signedoff

success

Signed-off-by tag matches author and committer

netdev/deprecated_api

success

None detected

netdev/check_selftest

success

No net selftest shell script

netdev/verify_fixes

success

No Fixes tag

netdev/build_allmodconfig_warn

success

Errors and warnings before: 1388 this patch: 1388

netdev/checkpatch

fail

ERROR: do not use assignment in if condition

netdev/kdoc

success

Errors and warnings before: 0 this patch: 0

netdev/source_inline

success

Was 0 now: 0

Commit Message

Artem Chernyshev Oct. 18, 2023, 2:52 p.m. UTC

In nfp_net_bpf_offload() it is possible to dereference a
NULL pointer.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Signed-off-by: Artem Chernyshev <artem.chernyshev@red-soft.ru>
---
 drivers/net/ethernet/netronome/nfp/bpf/offload.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

Comments

Jakub Kicinski Oct. 18, 2023, 3:17 p.m. UTC | #1

On Wed, 18 Oct 2023 17:52:44 +0300 Artem Chernyshev wrote:
> In nfp_net_bpf_offload() it is possible to dereference a
> NULL pointer.

And who would call this function with prog = NULL if old_prog
is also NULL, exactly?

diff --git a/drivers/net/ethernet/netronome/nfp/bpf/offload.c b/drivers/net/ethernet/netronome/nfp/bpf/offload.c
index 9d97cd281f18..925862f7b7d6 100644
--- a/drivers/net/ethernet/netronome/nfp/bpf/offload.c
+++ b/drivers/net/ethernet/netronome/nfp/bpf/offload.c
@@ -598,8 +598,7 @@  int nfp_net_bpf_offload(struct nfp_net *nn, struct bpf_prog *prog,
 	if (old_prog && !prog)
 		return nfp_net_bpf_stop(nn);
 
-	err = nfp_net_bpf_load(nn, prog, extack);
-	if (err)
+	if (prog && (err = nfp_net_bpf_load(nn, prog, extack)))
 		return err;
 
 	if (!old_prog)

nfp: bpf: offload: Check prog before dereference

Checks

Commit Message

Comments

Patch