net: dl2k: fix potential null deref in receive_packet()

Message ID	20250321121352.29750-1-qasdev00@gmail.com (mailing list archive)
State	New
Delegated to:	Netdev Maintainers
Headers	show Received: from mail-wr1-f49.google.com (mail-wr1-f49.google.com [209.85.221.49]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 4EBB1227B9E; Fri, 21 Mar 2025 12:15:06 +0000 (UTC) From: Qasim Ijaz <qasdev00@gmail.com> To: andrew+netdev@lunn.ch, davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, yyyynoom@gmail.com, horms@kernel.org Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH] net: dl2k: fix potential null deref in receive_packet() Date: Fri, 21 Mar 2025 12:13:52 +0000 Message-Id: <20250321121352.29750-1-qasdev00@gmail.com> Precedence: bulk MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	net: dl2k: fix potential null deref in receive_packet() \| expand net: dl2k: fix potential null deref in receive_packet()

Message ID

20250321121352.29750-1-qasdev00@gmail.com (mailing list archive)

State

New

Delegated to:

Netdev Maintainers

Headers

From: Qasim Ijaz <qasdev00@gmail.com>
To: andrew+netdev@lunn.ch,
	davem@davemloft.net,
	edumazet@google.com,
	kuba@kernel.org,
	pabeni@redhat.com,
	yyyynoom@gmail.com,
	horms@kernel.org
Cc: netdev@vger.kernel.org,
	linux-kernel@vger.kernel.org
Subject: [PATCH] net: dl2k: fix potential null deref in receive_packet()
Date: Fri, 21 Mar 2025 12:13:52 +0000
Message-Id: <20250321121352.29750-1-qasdev00@gmail.com>
Precedence: bulk
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

net: dl2k: fix potential null deref in receive_packet() | expand

Context	Check	Description
netdev/series_format	warning	Single patches do not need cover letters; Target tree name not specified in the subject
netdev/tree_selection	success	Guessed tree name to be net-next
netdev/ynl	success	Generated files up to date; no warnings/errors; no diff in generated;
netdev/fixes_present	success	Fixes tag not required for -next series
netdev/header_inline	success	No static functions without inline keyword in header files
netdev/build_32bit	success	Errors and warnings before: 0 this patch: 0
netdev/build_tools	success	No tools touched, skip
netdev/cc_maintainers	success	CCed 8 of 8 maintainers
netdev/build_clang	success	Errors and warnings before: 0 this patch: 0
netdev/verify_signedoff	success	Signed-off-by tag matches author and committer
netdev/deprecated_api	success	None detected
netdev/check_selftest	success	No net selftest shell script
netdev/verify_fixes	success	Fixes tag looks correct
netdev/build_allmodconfig_warn	success	Errors and warnings before: 1 this patch: 1
netdev/checkpatch	success	total: 0 errors, 0 warnings, 0 checks, 11 lines checked
netdev/build_clang_rust	success	No Rust files in patch. Skipping build
netdev/kdoc	success	Errors and warnings before: 0 this patch: 0
netdev/source_inline	success	Was 0 now: 0
netdev/contest	warning	net-next-2025-03-21--18-00 (tests: 896)

Context

Check

Description

netdev/series_format

warning

Single patches do not need cover letters; Target tree name not specified in the subject

netdev/tree_selection

success

Guessed tree name to be net-next

netdev/ynl

success

Generated files up to date; no warnings/errors; no diff in generated;

netdev/fixes_present

success

Fixes tag not required for -next series

netdev/header_inline

success

No static functions without inline keyword in header files

netdev/build_32bit

success

Errors and warnings before: 0 this patch: 0

netdev/build_tools

success

No tools touched, skip

netdev/cc_maintainers

success

CCed 8 of 8 maintainers

netdev/build_clang

success

Errors and warnings before: 0 this patch: 0

netdev/verify_signedoff

success

Signed-off-by tag matches author and committer

netdev/deprecated_api

success

None detected

netdev/check_selftest

success

No net selftest shell script

netdev/verify_fixes

success

Fixes tag looks correct

netdev/build_allmodconfig_warn

success

Errors and warnings before: 1 this patch: 1

netdev/checkpatch

success

total: 0 errors, 0 warnings, 0 checks, 11 lines checked

netdev/build_clang_rust

success

No Rust files in patch. Skipping build

netdev/kdoc

success

Errors and warnings before: 0 this patch: 0

netdev/source_inline

success

Was 0 now: 0

netdev/contest

warning

net-next-2025-03-21--18-00 (tests: 896)

Commit Message

Qasim Ijaz March 21, 2025, 12:13 p.m. UTC

If the pkt_len is less than the copy_thresh the netdev_alloc_skb_ip_align()
is called to allocate an skbuff, on failure it can return NULL. Since
there is no NULL check a NULL deref can occur when setting
skb->protocol.

Fix this by introducing a NULL check to handle allocation failure.

Fixes: 89d71a66c40d ("net: Use netdev_alloc_skb_ip_align()")
Signed-off-by: Qasim Ijaz <qasdev00@gmail.com>
---
 drivers/net/ethernet/dlink/dl2k.c | 5 +++++
 1 file changed, 5 insertions(+)

Comments

Eric Dumazet March 21, 2025, 3:13 p.m. UTC | #1

On Fri, Mar 21, 2025 at 1:15 PM Qasim Ijaz <qasdev00@gmail.com> wrote:
>
> If the pkt_len is less than the copy_thresh the netdev_alloc_skb_ip_align()
> is called to allocate an skbuff, on failure it can return NULL. Since
> there is no NULL check a NULL deref can occur when setting
> skb->protocol.
>
> Fix this by introducing a NULL check to handle allocation failure.
>
> Fixes: 89d71a66c40d ("net: Use netdev_alloc_skb_ip_align()")

This commit has not changed the behavior in case of memory alloc error.

> Signed-off-by: Qasim Ijaz <qasdev00@gmail.com>
> ---
>  drivers/net/ethernet/dlink/dl2k.c | 5 +++++
>  1 file changed, 5 insertions(+)
>
> diff --git a/drivers/net/ethernet/dlink/dl2k.c b/drivers/net/ethernet/dlink/dl2k.c
> index d0ea92607870..22e9432adea0 100644
> --- a/drivers/net/ethernet/dlink/dl2k.c
> +++ b/drivers/net/ethernet/dlink/dl2k.c
> @@ -968,6 +968,11 @@ receive_packet (struct net_device *dev)
>                                                            np->rx_buf_sz,
>                                                            DMA_FROM_DEVICE);
>                         }
> +
> +                       if (unlikely(!skb)) {
> +                               np->rx_ring[entry].fraginfo = 0;

Not sure how this was tested...

I think this would leak memory.

> +                               break;
> +                       }
>                         skb->protocol = eth_type_trans (skb, dev);
>  #if 0
>                         /* Checksum done by hw, but csum value unavailable. */
> --
> 2.39.5

Qasim Ijaz March 21, 2025, 6:42 p.m. UTC | #2

On Fri, Mar 21, 2025 at 04:13:04PM +0100, Eric Dumazet wrote:
> On Fri, Mar 21, 2025 at 1:15 PM Qasim Ijaz <qasdev00@gmail.com> wrote:
> >
> > If the pkt_len is less than the copy_thresh the netdev_alloc_skb_ip_align()
> > is called to allocate an skbuff, on failure it can return NULL. Since
> > there is no NULL check a NULL deref can occur when setting
> > skb->protocol.
> >
> > Fix this by introducing a NULL check to handle allocation failure.
> >
> > Fixes: 89d71a66c40d ("net: Use netdev_alloc_skb_ip_align()")
> 
> This commit has not changed the behavior in case of memory alloc error.
> 

Hi Eric,

Thanks for pointing this out, I referenced this commit because it 
added the netdev_alloc_skb_ip_align() call without ensuring the 
result of it succeeds or not. Before this change the code used 
netdev_alloc_skb(), so I now see that there is no functional
difference since an allocation occurs in both versions.

> > Signed-off-by: Qasim Ijaz <qasdev00@gmail.com>
> > ---
> >  drivers/net/ethernet/dlink/dl2k.c | 5 +++++
> >  1 file changed, 5 insertions(+)
> >
> > diff --git a/drivers/net/ethernet/dlink/dl2k.c b/drivers/net/ethernet/dlink/dl2k.c
> > index d0ea92607870..22e9432adea0 100644
> > --- a/drivers/net/ethernet/dlink/dl2k.c
> > +++ b/drivers/net/ethernet/dlink/dl2k.c
> > @@ -968,6 +968,11 @@ receive_packet (struct net_device *dev)
> >                                                            np->rx_buf_sz,
> >                                                            DMA_FROM_DEVICE);
> >                         }
> > +
> > +                       if (unlikely(!skb)) {
> > +                               np->rx_ring[entry].fraginfo = 0;
> 
> Not sure how this was tested...
> 
> I think this would leak memory.

Could you please elaborate on where you think this may arise so I can
investigate further and try to amend it?

Thanks
Qasim
> 
> > +                               break;
> > +                       }
> >                         skb->protocol = eth_type_trans (skb, dev);
> >  #if 0
> >                         /* Checksum done by hw, but csum value unavailable. */
> > --
> > 2.39.5

diff --git a/drivers/net/ethernet/dlink/dl2k.c b/drivers/net/ethernet/dlink/dl2k.c
index d0ea92607870..22e9432adea0 100644
--- a/drivers/net/ethernet/dlink/dl2k.c
+++ b/drivers/net/ethernet/dlink/dl2k.c
@@ -968,6 +968,11 @@  receive_packet (struct net_device *dev)
 							   np->rx_buf_sz,
 							   DMA_FROM_DEVICE);
 			}
+
+			if (unlikely(!skb)) {
+				np->rx_ring[entry].fraginfo = 0;
+				break;
+			}
 			skb->protocol = eth_type_trans (skb, dev);
 #if 0
 			/* Checksum done by hw, but csum value unavailable. */