| Message ID | 20240203150323.1041736-1-p.sakharov@ispras.ru |
|---|---|
| State | New |
| Headers |
Return-Path: <linux-kernel+bounces-51135-ouuuleilei=gmail.com@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a05:7301:9bc1:b0:106:209c:c626 with SMTP id
op1csp1059324dyc;
Sat, 3 Feb 2024 07:04:36 -0800 (PST)
X-Google-Smtp-Source:
AGHT+IFNe8GZVmdgvC1pkr5WsZ9A1ziwfigZfof0/Pd2fIm0YRg60YevQiGOQdShCUYXnoX35V1k
X-Received: by 2002:a4a:bd86:0:b0:599:c1cf:ea6d with SMTP id
k6-20020a4abd86000000b00599c1cfea6dmr4519718oop.1.1706972676560;
Sat, 03 Feb 2024 07:04:36 -0800 (PST)
ARC-Seal: i=2; a=rsa-sha256; t=1706972676; cv=pass;
d=google.com; s=arc-20160816;
b=Mnxe4FcelOccYmMYD9V6MfSdmM0paTtgmBNO7QcLq6YA/XupNc+z8OH2NffltrN1Gn
KGbhl5GOpxY3zkf1BFENzzNwFQnDajIuFfoI1pOkHtw6gv4rJybykQHN0N+7Mp6GYg/A
FYF9Z92SSQuRr+JomuUinz5JKXQNfwmOSxUnGmiIceNlRWDKnt21y1w/I80s5xuU1db7
eoPAfuefVDHCBueCF/iHXtsO5q0ZOXk22Lxgzj8rBbyN6Y4/+uU/iEU7W9vH5xCbWV9C
ChHaaLK43KU2Pl7H/+OogFc53ofJ9WHZKpw8ZqcE9okz2PrMQutnwZfx5IeVNUVtKlBz
rK4A==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=content-transfer-encoding:mime-version:list-unsubscribe
:list-subscribe:list-id:precedence:message-id:date:subject:cc:to
:from:dkim-signature:dkim-filter;
bh=LWaLolZLVHoMja/NNNmsmRp6PTzwtZ8CVFd3EvB8tPA=;
fh=J5d9wGbU2UTz7GO9L94xGcO+UjD3UEcWtk/tgPM73yU=;
b=lfoS1s5PYrGOuwpBL4px6CRUVFwwxVMqHzwqriJJ9j4DYHErp4+QhLxXpNec+AxY83
/smayGTVsn5Tb3n+aVkfhyVlHISZfvu5Pl2hXF2R8Z/rxKBS1X6/M65frNrd3P3Y/2gD
cgnxPzCEdXUJmbStYHq+CNpCqTWEEHoB8O0lm3nJjGST/KjL9ACHG9/AFo1+u+ZxWm9h
Y972zic2Gw4WgFWVcmIlhLA/smriPOH0ffOMQVSxQNJOwWESRp+uK9e2x2YMOupWnab9
AMShkPxwIjnA+4kh0r9LQ7wSVLVU8JgpKhrGieynlIHdsd4gGA5XT3/EQKXTbnC2ReeM
So1Q==;
dara=google.com
ARC-Authentication-Results: i=2; mx.google.com;
dkim=pass header.i=@ispras.ru header.s=default header.b=C3eu6XJy;
arc=pass (i=1 spf=pass spfdomain=ispras.ru dkim=pass dkdomain=ispras.ru
dmarc=pass fromdomain=ispras.ru);
spf=pass (google.com: domain of
linux-kernel+bounces-51135-ouuuleilei=gmail.com@vger.kernel.org designates
147.75.199.223 as permitted sender)
smtp.mailfrom="linux-kernel+bounces-51135-ouuuleilei=gmail.com@vger.kernel.org";
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=ispras.ru
X-Forwarded-Encrypted: i=1;
AJvYcCWt3Sc1bO8UQHf5a/4cEtDkVGLSY6GA9N5HYwoqjTrHNs3ZjI7QcbG4FE/2W/JELxHUDGQd4JU9dc1E6qeXPExkwV/DZQ==
Received: from ny.mirrors.kernel.org (ny.mirrors.kernel.org. [147.75.199.223])
by mx.google.com with ESMTPS id
e11-20020a67fb4b000000b0046b1477764bsi579217vsr.65.2024.02.03.07.04.36
for <ouuuleilei@gmail.com>
(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
Sat, 03 Feb 2024 07:04:36 -0800 (PST)
Received-SPF: pass (google.com: domain of
linux-kernel+bounces-51135-ouuuleilei=gmail.com@vger.kernel.org designates
147.75.199.223 as permitted sender) client-ip=147.75.199.223;
Authentication-Results: mx.google.com;
dkim=pass header.i=@ispras.ru header.s=default header.b=C3eu6XJy;
arc=pass (i=1 spf=pass spfdomain=ispras.ru dkim=pass dkdomain=ispras.ru
dmarc=pass fromdomain=ispras.ru);
spf=pass (google.com: domain of
linux-kernel+bounces-51135-ouuuleilei=gmail.com@vger.kernel.org designates
147.75.199.223 as permitted sender)
smtp.mailfrom="linux-kernel+bounces-51135-ouuuleilei=gmail.com@vger.kernel.org";
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=ispras.ru
Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org
[52.25.139.140])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by ny.mirrors.kernel.org (Postfix) with ESMTPS id 506EA1C21700
for <ouuuleilei@gmail.com>; Sat, 3 Feb 2024 15:04:36 +0000 (UTC)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
by smtp.subspace.kernel.org (Postfix) with ESMTP id 654035F54C;
Sat, 3 Feb 2024 15:04:19 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
dkim=pass (1024-bit key) header.d=ispras.ru header.i=@ispras.ru
header.b="C3eu6XJy"
Received: from mail.ispras.ru (mail.ispras.ru [83.149.199.84])
(using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by smtp.subspace.kernel.org (Postfix) with ESMTPS id 594F95EE86;
Sat, 3 Feb 2024 15:04:11 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
arc=none smtp.client-ip=83.149.199.84
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
t=1706972656; cv=none;
b=U1jGYaMk1xpYOrtVnGQpbccdcLxkyEHx+bYnLoMc/857t0KJ2IkIdXHUblRE0X1myTwULXfPRvqgSUPr6RPj4tWjGpOk/iG2WEKacwSeePofCuAhG8DxoOPTMeQFPQ6rjQKb9dJYsqlholcSBIB+cE5JuUz6QRXkxht76HPZExk=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
s=arc-20240116; t=1706972656; c=relaxed/simple;
bh=2GLWDPQIEiSm6KySEb3j7J+GjSJV+EXcOoENDX6iZHA=;
h=From:To:Cc:Subject:Date:Message-ID:MIME-Version;
b=m3qxAu4zhj8IN4ohUJ5X9sU8Y6D00wM7H9FZfp8fb/9c2p9/Tgb5wPrrFua3sLWwNAJ1qUttS726t9CBDCGb1z2BZUMpsalwR5lkqKMnEkLE26RukwONrbPTzG0G3KqU564tb8GbMQs84xMRrkbQRXqOlGXkHnPpReti2QxcHYc=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
dmarc=pass (p=none dis=none) header.from=ispras.ru;
spf=pass smtp.mailfrom=ispras.ru;
dkim=pass (1024-bit key) header.d=ispras.ru header.i=@ispras.ru
header.b=C3eu6XJy; arc=none smtp.client-ip=83.149.199.84
Authentication-Results: smtp.subspace.kernel.org;
dmarc=pass (p=none dis=none) header.from=ispras.ru
Authentication-Results: smtp.subspace.kernel.org;
spf=pass smtp.mailfrom=ispras.ru
Received: from localhost.localdomain (unknown [85.89.126.105])
by mail.ispras.ru (Postfix) with ESMTPSA id 1D2E440F1DC6;
Sat, 3 Feb 2024 15:04:04 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.11.0 mail.ispras.ru 1D2E440F1DC6
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ispras.ru;
s=default; t=1706972644;
bh=LWaLolZLVHoMja/NNNmsmRp6PTzwtZ8CVFd3EvB8tPA=;
h=From:To:Cc:Subject:Date:From;
b=C3eu6XJyaDUjR+G0C86mQ6ZfmK67QE9aFBH75t4eJo3MG0wzROpenuGRldhsUG4ya
bJDGjp7dsn6YzyhElq58earXsrx1xa1OQfmp3tZa4EUTtBonJaKLW5gkzcCyWyzWIl
+ryFZYP87zIgqKq665ykwGQdkm19rjtYVL7cCh9w=
From: Pavel Sakharov <p.sakharov@ispras.ru>
To: Alexandre Torgue <alexandre.torgue@foss.st.com>
Cc: Pavel Sakharov <p.sakharov@ispras.ru>,
Jose Abreu <joabreu@synopsys.com>,
"David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>,
Paolo Abeni <pabeni@redhat.com>,
Maxime Coquelin <mcoquelin.stm32@gmail.com>,
netdev@vger.kernel.org,
linux-stm32@st-md-mailman.stormreply.com,
linux-arm-kernel@lists.infradead.org,
linux-kernel@vger.kernel.org,
lvc-project@linuxtesting.org,
Alexey Khoroshilov <khoroshilov@ispras.ru>
Subject: [PATCH] stmmac: Fix incorrect dereference in stmmac_*_interrupt()
Date: Sat, 3 Feb 2024 18:03:21 +0300
Message-ID: <20240203150323.1041736-1-p.sakharov@ispras.ru>
X-Mailer: git-send-email 2.43.0
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-getmail-retrieved-from-mailbox: INBOX
X-GMAIL-THRID: 1789890580862448119
X-GMAIL-MSGID: 1789890580862448119
|
| Series |
stmmac: Fix incorrect dereference in stmmac_*_interrupt()
|
|
Commit Message
Pavel Sakharov
Feb. 3, 2024, 3:03 p.m. UTC
If 'dev' is NULL, the 'priv' variable has an incorrect address when
dereferencing calling netdev_err().
Pass 'dev' instead of 'priv->dev" to the function.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Signed-off-by: Pavel Sakharov <p.sakharov@ispras.ru>
---
drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
Comments
On Sat, Feb 03, 2024 at 06:03:21PM +0300, Pavel Sakharov wrote: > If 'dev' is NULL, the 'priv' variable has an incorrect address when > dereferencing calling netdev_err(). > > Pass 'dev' instead of 'priv->dev" to the function. > > Found by Linux Verification Center (linuxtesting.org) with SVACE. > > Signed-off-by: Pavel Sakharov <p.sakharov@ispras.ru> Thanks Pavel, I agree with your analysis that this can result in a NULL dereference. And that your proposed fix is good: netdev_err() can handle a NULL dev argument. As this seems to be a fix I suggest it should be for net. And that it should be based on that tree and designated as such in the subject: Subject: [PATCH net] ... Also if it is a fix, it should have a fixes tag. Perhaps this one: Fixes: 8532f613bc78 ("net: stmmac: introduce MSI Interrupt routines for mac, safety, RX & TX") I don't think there is a need to respin for the above, though please keep this in mind when posting Networking patches in future. Looking at the patch above, and stmmac_main.c, it seems that the following functions also suffer from a similar problem: static irqreturn_t stmmac_msi_intr_tx(int irq, void *data) { struct stmmac_tx_queue *tx_q = (struct stmmac_tx_queue *)data; ... dma_conf = container_of(tx_q, struct stmmac_dma_conf, tx_queue[chan]); priv = container_of(dma_conf, struct stmmac_priv, dma_conf); if (unlikely(!data)) { netdev_err(priv->dev, "%s: invalid dev pointer\n", __func__); ... And stmmac_msi_intr_rx(), which follows a similar pattern to stmmac_msi_intr_tx(). I also note that in those functions "invalid dev pointer" seems misleading, perhaps it ought to be "invalid queue" pointer. As these problems seem to all have been introduced at the same time, perhaps it is appropriate to fix them all in one patch? > --- > drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c > index 4727f7be4f86..5ab5148013cd 100644 > --- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c > +++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c > @@ -5848,7 +5848,7 @@ static irqreturn_t stmmac_mac_interrupt(int irq, void *dev_id) > struct stmmac_priv *priv = netdev_priv(dev); > > if (unlikely(!dev)) { > - netdev_err(priv->dev, "%s: invalid dev pointer\n", __func__); > + netdev_err(dev, "%s: invalid dev pointer\n", __func__); > return IRQ_NONE; > } > > @@ -5868,7 +5868,7 @@ static irqreturn_t stmmac_safety_interrupt(int irq, void *dev_id) > struct stmmac_priv *priv = netdev_priv(dev); > > if (unlikely(!dev)) { > - netdev_err(priv->dev, "%s: invalid dev pointer\n", __func__); > + netdev_err(dev, "%s: invalid dev pointer\n", __func__); > return IRQ_NONE; > } > >
On Tue, Feb 06, 2024 at 03:07:04PM +0000, Simon Horman wrote: > On Sat, Feb 03, 2024 at 06:03:21PM +0300, Pavel Sakharov wrote: > > If 'dev' is NULL, the 'priv' variable has an incorrect address when > > dereferencing calling netdev_err(). > > > > Pass 'dev' instead of 'priv->dev" to the function. > > > > Found by Linux Verification Center (linuxtesting.org) with SVACE. > > > > Signed-off-by: Pavel Sakharov <p.sakharov@ispras.ru> > > Thanks Pavel, > > I agree with your analysis that this can result in a NULL dereference. > And that your proposed fix is good: netdev_err() can handle a NULL > dev argument. > > As this seems to be a fix I suggest it should be for net. > And that it should be based on that tree and designated as such > in the subject: > > Subject: [PATCH net] ... > > Also if it is a fix, it should have a fixes tag. > Perhaps this one: > > Fixes: 8532f613bc78 ("net: stmmac: introduce MSI Interrupt routines for mac, safety, RX & TX") > > > I don't think there is a need to respin for the above, though please > keep this in mind when posting Networking patches in future. > > > Looking at the patch above, and stmmac_main.c, it seems that the following > functions also suffer from a similar problem: > > static irqreturn_t stmmac_msi_intr_tx(int irq, void *data) > { > struct stmmac_tx_queue *tx_q = (struct stmmac_tx_queue *)data; > ... > dma_conf = container_of(tx_q, struct stmmac_dma_conf, tx_queue[chan]); > priv = container_of(dma_conf, struct stmmac_priv, dma_conf); > > if (unlikely(!data)) { > netdev_err(priv->dev, "%s: invalid dev pointer\n", __func__); > ... > > And stmmac_msi_intr_rx(), which follows a similar pattern > to stmmac_msi_intr_tx(). > > I also note that in those functions "invalid dev pointer" seems misleading, > perhaps it ought to be "invalid queue" pointer. > > As these problems seem to all have been introduced at the same time, > perhaps it is appropriate to fix them all in one patch? IMO we can just drop these and the noted in the patch checks. Before actually making a decision about that there are three general questions we'd need to answer to: 1. Do we trust the IRQ-subsystem to supply a correct cookie pointer specified during the IRQ request procedure? 2. Do we trust the driver code for correctly performing the IRQs request? 3. If we don't trust to any of that then what is caused if the problem happens and there is no sanity checks implemented? Here are my thoughts regarding that: 1. If no dev_id sanity checks implemented in the handlers then having the IRQ requested with NULL argument passed even though the handlers imply the netdev pointer will for sure cause troubles right away since the driver won't work and the system will likely crash. So it will be spotted during the initial test/debug stage of the respective change. 2. If for some reason the IRQ subsystem supplied a NULL pointer instead of the cookie pointer, then something is really wrong and the entire system likely won't work correctly. If this case is possible to happen then all the kernel IRQ handlers should have been implemented with such sanity check, which I don't see in practice. 3. If IRQ was caused by the DW *MAC controller, but NULL pointer is passed and the handler returns IRQ_NONE state, then the actual IRQ won't be handled AFAICS causing the spurious IRQs detected. Eventually the IRQ will be effectively disabled. In anyway the driver will stop working. But even if this happens see points 1. and 2. for the problem cause implications. 4. The common IRQ handler doesn't have such check in the driver. Though unlike the rest of the handlers it's assigned with the IRQF_SHARED flag which requires the cookie pointer passed. Anyway the sanity check was removed from the common IRQ handler in the commit f42234ffd531 ("stmmac: fix pointer check after utilization in stmmac_interrupt") with a justification as being _paranoidal_ and pointless in the respective context. But in about a year afterwards the individual IRQ handlers were introduced with the same check but this time in a bit more reasonable context. Still it doesn't make the check existence less paranoidal. 5. I took a look at first 20 Ethernet device drivers. None of them has such checks implemented even though about half of them request IRQs as non-shared (so the cookie pointer is optional). 6. Finally the checks are implemented in the hard IRQ handlers for which the less code the better. To sum all the above up from my point of view the checks are redundant of course unless we turn on the paranoidal mode and stop trusting the driver code and the IRQ subsystem. -Serge(y) > > > --- > > drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 4 ++-- > > 1 file changed, 2 insertions(+), 2 deletions(-) > > > > diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c > > index 4727f7be4f86..5ab5148013cd 100644 > > --- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c > > +++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c > > @@ -5848,7 +5848,7 @@ static irqreturn_t stmmac_mac_interrupt(int irq, void *dev_id) > > struct stmmac_priv *priv = netdev_priv(dev); > > > > if (unlikely(!dev)) { > > - netdev_err(priv->dev, "%s: invalid dev pointer\n", __func__); > > + netdev_err(dev, "%s: invalid dev pointer\n", __func__); > > return IRQ_NONE; > > } > > > > @@ -5868,7 +5868,7 @@ static irqreturn_t stmmac_safety_interrupt(int irq, void *dev_id) > > struct stmmac_priv *priv = netdev_priv(dev); > > > > if (unlikely(!dev)) { > > - netdev_err(priv->dev, "%s: invalid dev pointer\n", __func__); > > + netdev_err(dev, "%s: invalid dev pointer\n", __func__); > > return IRQ_NONE; > > } > > > > >
diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c index 4727f7be4f86..5ab5148013cd 100644 --- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c @@ -5848,7 +5848,7 @@ static irqreturn_t stmmac_mac_interrupt(int irq, void *dev_id) struct stmmac_priv *priv = netdev_priv(dev); if (unlikely(!dev)) { - netdev_err(priv->dev, "%s: invalid dev pointer\n", __func__); + netdev_err(dev, "%s: invalid dev pointer\n", __func__); return IRQ_NONE; } @@ -5868,7 +5868,7 @@ static irqreturn_t stmmac_safety_interrupt(int irq, void *dev_id) struct stmmac_priv *priv = netdev_priv(dev); if (unlikely(!dev)) { - netdev_err(priv->dev, "%s: invalid dev pointer\n", __func__); + netdev_err(dev, "%s: invalid dev pointer\n", __func__); return IRQ_NONE; }