[net] net: mvneta: fix potential double-frees in mvneta_txq_sw_deinit()

Message ID: E1phUe5-00EieL-7q@rmk-PC.armlinux.org.uk (mailing list archive)
State: Accepted
Commit: 2960a2d33b02345c6d710251206053678f92246b
Delegated to: Netdev Maintainers
Series: [net] net: mvneta: fix potential double-frees in mvneta_txq_sw_deinit()

Checks

Context                         Check    Description
netdev/series_format            success  Single patches do not need cover letters
netdev/tree_selection           success  Clearly marked for net
netdev/fixes_present            fail     Series targets non-next tree, but doesn't contain any Fixes tags
netdev/header_inline            success  No static functions without inline keyword in header files
netdev/build_32bit              success  Errors and warnings before: 20 this patch: 20
netdev/cc_maintainers           success  CCed 6 of 6 maintainers
netdev/build_clang              success  Errors and warnings before: 18 this patch: 18
netdev/verify_signedoff         success  Signed-off-by tag matches author and committer
netdev/deprecated_api           success  None detected
netdev/check_selftest           success  No net selftest shell script
netdev/verify_fixes             success  No Fixes tag
netdev/build_allmodconfig_warn  success  Errors and warnings before: 20 this patch: 20
netdev/checkpatch               success  total: 0 errors, 0 warnings, 0 checks, 8 lines checked
netdev/kdoc                     success  Errors and warnings before: 0 this patch: 0
netdev/source_inline            success  Was 0 now: 0

Commit Message

Russell King (Oracle) March 29, 2023, 12:11 p.m. UTC
Reported on the Turris forum, mvneta provokes kernel warnings in the
architecture DMA mapping code when mvneta_setup_txqs() fails to
allocate memory. This happens because when mvneta_cleanup_txqs() is
called in the mvneta_stop() path, we leave pointers in the structure
that have been freed.

Then on mvneta_open(), we call mvneta_setup_txqs(), which starts
allocating memory. On memory allocation failure, mvneta_cleanup_txqs()
will walk all the queues freeing any non-NULL pointers - which includes
pointers that were previously freed in mvneta_stop().

Fix this by setting these pointers to NULL to prevent double-freeing
of the same memory.

Link: https://forum.turris.cz/t/random-kernel-exceptions-on-hbl-tos-7-0/18865/8
Signed-off-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
---
 drivers/net/ethernet/marvell/mvneta.c | 2 ++
 1 file changed, 2 insertions(+)
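
The stop/open/failure sequence described in the commit message, as an added user-space model; it is not the driver's code and not part of the patch. Only the field names come from the patch: the toy allocator, the `patched` switch, `run_sequence()` and the allocation budget are hypothetical, and the model goes slightly beyond the reported case by letting the second open fail at a later allocation.

```c
#include <stdio.h>

struct txq { void *buf, *tso_hdrs, *descs; };	/* field names from the patch */
static char blocks[8];	/* one byte per allocation; its value is the live flag */
static int next_blk, double_frees, allocs_left;

static void *toy_alloc(void)
{
	if (allocs_left-- <= 0) return NULL;	/* simulated allocation failure */
	blocks[next_blk] = 1;
	return &blocks[next_blk++];
}

static void toy_free(char *live)
{
	double_frees += !*live;		/* this block was already released */
	*live = 0;
}

static int txq_init(struct txq *q, int budget)	/* stops at the first failure */
{
	allocs_left = budget;
	return (q->descs = toy_alloc()) && (q->buf = toy_alloc()) &&
	       (q->tso_hdrs = toy_alloc()) ? 0 : -1;
}

static void txq_deinit(struct txq *q, int patched)
{
	if (q->buf) toy_free(q->buf);
	if (q->tso_hdrs) toy_free(q->tso_hdrs);
	if (q->descs) toy_free(q->descs);
	if (patched) q->buf = q->tso_hdrs = NULL;	/* the two assignments the patch adds */
	q->descs = NULL;
}

static int run_sequence(int patched, int allocs_ok)	/* returns repeated frees seen */
{
	struct txq q = { 0 };
	next_blk = double_frees = 0;
	if (txq_init(&q, 3)) return -1;			/* first open succeeds */
	txq_deinit(&q, patched);			/* stop path */
	if (!txq_init(&q, allocs_ok)) return -1;	/* second open has to fail */
	txq_deinit(&q, patched);			/* cleanup on the error path */
	return double_frees;
}

int main(void)
{
	printf("unpatched: %d, patched: %d\n", run_sequence(0, 0), run_sequence(1, 0));
}
```

In this model the number of repeated frees depends on which allocation fails, because a failed allocation overwrites its own field with NULL while the fields after it keep their stale values.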

Comments

patchwork-bot+netdevbpf@kernel.org March 30, 2023, 6:50 p.m. UTC | #1
Hello:

This patch was applied to netdev/net.git (main)
by Jakub Kicinski <kuba@kernel.org>:

On Wed, 29 Mar 2023 13:11:17 +0100 you wrote:
> Reported on the Turris forum, mvneta provokes kernel warnings in the
> architecture DMA mapping code when mvneta_setup_txqs() fails to
> allocate memory. This happens because when mvneta_cleanup_txqs() is
> called in the mvneta_stop() path, we leave pointers in the structure
> that have been freed.
> 
> Then on mvneta_open(), we call mvneta_setup_txqs(), which starts
> allocating memory. On memory allocation failure, mvneta_cleanup_txqs()
> will walk all the queues freeing any non-NULL pointers - which includes
> pointers that were previously freed in mvneta_stop().
> 
> [...]

Here is the summary with links:
  - [net] net: mvneta: fix potential double-frees in mvneta_txq_sw_deinit()
    https://git.kernel.org/netdev/net/c/2960a2d33b02

You are awesome, thank you!

Patch

diff --git a/drivers/net/ethernet/marvell/mvneta.c b/drivers/net/ethernet/marvell/mvneta.c
index 0e39d199ff06..2cad76d0a50e 100644
--- a/drivers/net/ethernet/marvell/mvneta.c
+++ b/drivers/net/ethernet/marvell/mvneta.c
@@ -3549,6 +3549,8 @@  static void mvneta_txq_sw_deinit(struct mvneta_port *pp,
 
 	netdev_tx_reset_queue(nq);
 
+	txq->buf               = NULL;
+	txq->tso_hdrs          = NULL;
 	txq->descs             = NULL;
 	txq->last_desc         = 0;
 	txq->next_desc_to_proc = 0;
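
Review bot: the two added assignments, txq->buf = NULL and txq->tso_hdrs = NULL, are grouped with the state reset after netdev_tx_reset_queue(nq), while the frees they pair with sit above the visible context. Clearing each pointer directly after its own free would keep the free-and-clear pairing obvious to the next person who adds a buffer to this function, and a short comment saying that this function can run again on the mvneta_setup_txqs() error path would record why the clears matter. Separately, the patch is marked for net but carries no Fixes: tag (the netdev/fixes_present check fails), so stable maintainers have no anchor for backporting; consider adding one.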