From patchwork Thu Dec 3 22:45:40 2015 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Sergei Shtylyov X-Patchwork-Id: 552479 X-Patchwork-Delegate: davem@davemloft.net Return-Path: X-Original-To: patchwork-incoming@ozlabs.org Delivered-To: patchwork-incoming@ozlabs.org Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 5D18C1402A1 for ; Fri, 4 Dec 2015 09:46:34 +1100 (AEDT) Authentication-Results: ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=cogentembedded-com.20150623.gappssmtp.com header.i=@cogentembedded-com.20150623.gappssmtp.com header.b=KJwnZyew; dkim-atps=neutral Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753396AbbLCWq3 (ORCPT ); Thu, 3 Dec 2015 17:46:29 -0500 Received: from mail-lf0-f50.google.com ([209.85.215.50]:32804 "EHLO mail-lf0-f50.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752869AbbLCWq2 (ORCPT ); Thu, 3 Dec 2015 17:46:28 -0500 Received: by lfaz4 with SMTP id z4so100828596lfa.0 for ; Thu, 03 Dec 2015 14:46:27 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cogentembedded-com.20150623.gappssmtp.com; s=20150623; h=from:to:cc:subject:date:message-id:organization:user-agent :mime-version:content-transfer-encoding:content-type; bh=uWqOHPwgiCj/+qQ82jKUqWz2a2TrjrGS1h5QFw0Cc44=; b=KJwnZyewYJ8qix/3LgRhm2mYaoCuPxTKwEikCoVYjCrSf7wIAvF0Sd6rbnxlwafhYa ny1qhLPf8uXHGwar942SwhPAHKZdVDb4RHQrFbVI1bgSsk5BPxguy+d9hU10WdC8Tg16 INdyWSnMNWoVJ2JcvObehRXCnpB+iC2F0KtrXr1EDxNQHGzNabRmgfokdOskrp/N0JnG Vw+9rjU2pbSkqOlKTBS/uvlxoOH7QykidIYtvIRuEM4MFt1y9V0wPyNkCTnzu1Xxs5Ug QH0M3Knk+Jr45z5t2c+VMme9ZoOyista1psI3ED6If/eOgWvGaWPD76X9obYuEuc+Aqc l1og== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:from:to:cc:subject:date:message-id:organization :user-agent:mime-version:content-transfer-encoding:content-type; bh=uWqOHPwgiCj/+qQ82jKUqWz2a2TrjrGS1h5QFw0Cc44=; b=GnPTM/0GsYF5i/Lj818OO2sOgSeQ0k0BtKOCx+Xxr86sryQwmKnyHJR6amorlxyZC6 Sl3fjr85rJHzT78Nu2uP7HhNuImhU29Cqt0WYXqcEH82dRq08DZJLblUrCWDb+ttMVUC Mi7HDZvBef/9GWaFwmHsK000K6UvZX85G+sPbftOLuyBOOXeFgFK+uT7tCya8PkguhN9 d4GAYzZL1i7sbXhRCOJ/bYQELgc2y/HSynbtrqM++JTmg5PbwJr5tIealOKgP0C9gZok Q8gWzwEw0R6jDKsbJQBdGUn63kXXVqGozaN8jqh+Ha9xGLtv360OJ517f973Gb1Eygt/ 6ESw== X-Gm-Message-State: ALoCoQkchmpl3NpUHvENAI8QnvO1OKETVxBpMDcyV+h+eOBN6/t9371bP6FpPoffeX0qNQtze0s6 X-Received: by 10.25.17.196 with SMTP id 65mr5791545lfr.137.1449182786908; Thu, 03 Dec 2015 14:46:26 -0800 (PST) Received: from wasted.cogentembedded.com ([83.149.8.114]) by smtp.gmail.com with ESMTPSA id p69sm1788638lfe.42.2015.12.03.14.46.17 (version=TLSv1/SSLv3 cipher=OTHER); Thu, 03 Dec 2015 14:46:25 -0800 (PST) From: Sergei Shtylyov To: netdev@vger.kernel.org, yashi@atmark-techno.com Cc: linux-sh@vger.kernel.org Subject: [PATCH v3] sh_eth: fix kernel oops in skb_put() Date: Fri, 04 Dec 2015 01:45:40 +0300 Message-ID: <1498048.4g9dLWgJuk@wasted.cogentembedded.com> Organization: Cogent Embedded Inc. User-Agent: KMail/4.14.10 (Linux/4.2.6-201.fc22.x86_64; KDE/4.14.14; x86_64; ; ) MIME-Version: 1.0 Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org In a low memory situation the following kernel oops occurs: Unable to handle kernel NULL pointer dereference at virtual address 00000050 pgd = 8490c000 [00000050] *pgd=4651e831, *pte=00000000, *ppte=00000000 Internal error: Oops: 17 [#1] PREEMPT ARM Modules linked in: CPU: 0 Not tainted (3.4-at16 #9) PC is at skb_put+0x10/0x98 LR is at sh_eth_poll+0x2c8/0xa10 pc : [<8035f780>] lr : [<8028bf50>] psr: 60000113 sp : 84eb1a90 ip : 84eb1ac8 fp : 84eb1ac4 r10: 0000003f r9 : 000005ea r8 : 00000000 r7 : 00000000 r6 : 940453b0 r5 : 00030000 r4 : 9381b180 r3 : 00000000 r2 : 00000000 r1 : 000005ea r0 : 00000000 Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user Control: 10c53c7d Table: 4248c059 DAC: 00000015 Process klogd (pid: 2046, stack limit = 0x84eb02e8) [...] This is because netdev_alloc_skb() fails and 'mdp->rx_skbuff[entry]' is left NULL but sh_eth_rx() later uses it without checking. Add such check... Reported-by: Yasushi SHOJI Signed-off-by: Sergei Shtylyov --- The patch is against Dave Miller's 'net.git' repo. Changes in version 3: - refreshed the patch; - reformatted the changelog; - removed [RFT] from the subject. Changes in version 2: - moved reading 'mdp->rx_skbuff[entry]' earlier to avoid *goto*. drivers/net/ethernet/renesas/sh_eth.c | 4 ++-- drivers/net/ethernet/renesas/sh_eth.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Index: net/drivers/net/ethernet/renesas/sh_eth.c =================================================================== --- net.orig/drivers/net/ethernet/renesas/sh_eth.c +++ net/drivers/net/ethernet/renesas/sh_eth.c @@ -1462,6 +1462,7 @@ static int sh_eth_rx(struct net_device * if (mdp->cd->shift_rd0) desc_status >>= 16; + skb = mdp->rx_skbuff[entry]; if (desc_status & (RD_RFS1 | RD_RFS2 | RD_RFS3 | RD_RFS4 | RD_RFS5 | RD_RFS6 | RD_RFS10)) { ndev->stats.rx_errors++; @@ -1477,12 +1478,11 @@ static int sh_eth_rx(struct net_device * ndev->stats.rx_missed_errors++; if (desc_status & RD_RFS10) ndev->stats.rx_over_errors++; - } else { + } else if (skb) { if (!mdp->cd->hw_swap) sh_eth_soft_swap( phys_to_virt(ALIGN(rxdesc->addr, 4)), pkt_len + 2); - skb = mdp->rx_skbuff[entry]; mdp->rx_skbuff[entry] = NULL; if (mdp->cd->rpadir) skb_reserve(skb, NET_IP_ALIGN);