[openwrt/openwrt] bcm4908: backport bcm4908_enet fix for NULL dereference

LEDE Commits lede-commits at lists.infradead.org
Thu Oct 27 12:14:16 PDT 2022


rmilecki pushed a commit to openwrt/openwrt.git, branch master:
https://git.openwrt.org/31e4e566545e53594bafe846c170a5d2fa6821e3

commit 31e4e566545e53594bafe846c170a5d2fa6821e3
Author: Rafał Miłecki <rafal at milecki.pl>
AuthorDate: Thu Oct 27 21:05:20 2022 +0200

    bcm4908: backport bcm4908_enet fix for NULL dereference
    
    Signed-off-by: Rafał Miłecki <rafal at milecki.pl>
---
 ...m-bcm4908enet-remove-redundant-variable-b.patch | 34 +++++++++++
 ...-bcm4908_enet-handle-EPROBE_DEFER-when-g.patch} |  4 +-
 ...m-bcm4908_enet-update-TX-stats-after-actu.patch | 65 ++++++++++++++++++++++
 ...1-net-broadcom-bcm4908_enet-use-build_skb.patch |  4 +-
 4 files changed, 103 insertions(+), 4 deletions(-)

diff --git a/target/linux/bcm4908/patches-5.10/077-v5.17-net-broadcom-bcm4908enet-remove-redundant-variable-b.patch b/target/linux/bcm4908/patches-5.10/077-v5.17-net-broadcom-bcm4908enet-remove-redundant-variable-b.patch
new file mode 100644
index 0000000000..03e546cb5f
--- /dev/null
+++ b/target/linux/bcm4908/patches-5.10/077-v5.17-net-broadcom-bcm4908enet-remove-redundant-variable-b.patch
@@ -0,0 +1,34 @@
+From 62a3106697f3c6f9af64a2cd0f9ff58552010dc8 Mon Sep 17 00:00:00 2001
+From: Colin Ian King <colin.i.king at gmail.com>
+Date: Wed, 22 Dec 2021 00:39:37 +0000
+Subject: [PATCH] net: broadcom: bcm4908enet: remove redundant variable bytes
+
+The variable bytes is being used to summate slot lengths,
+however the value is never used afterwards. The summation
+is redundant so remove variable bytes.
+
+Signed-off-by: Colin Ian King <colin.i.king at gmail.com>
+Link: https://lore.kernel.org/r/20211222003937.727325-1-colin.i.king@gmail.com
+Signed-off-by: Jakub Kicinski <kuba at kernel.org>
+---
+ drivers/net/ethernet/broadcom/bcm4908_enet.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/drivers/net/ethernet/broadcom/bcm4908_enet.c
++++ b/drivers/net/ethernet/broadcom/bcm4908_enet.c
+@@ -634,7 +634,6 @@ static int bcm4908_enet_poll_tx(struct n
+ 	struct bcm4908_enet_dma_ring_bd *buf_desc;
+ 	struct bcm4908_enet_dma_ring_slot *slot;
+ 	struct device *dev = enet->dev;
+-	unsigned int bytes = 0;
+ 	int handled = 0;
+ 
+ 	while (handled < weight && tx_ring->read_idx != tx_ring->write_idx) {
+@@ -645,7 +644,6 @@ static int bcm4908_enet_poll_tx(struct n
+ 
+ 		dma_unmap_single(dev, slot->dma_addr, slot->len, DMA_TO_DEVICE);
+ 		dev_kfree_skb(slot->skb);
+-		bytes += slot->len;
+ 		if (++tx_ring->read_idx == tx_ring->length)
+ 			tx_ring->read_idx = 0;
+ 
diff --git a/target/linux/bcm4908/patches-5.10/078-v6.1-net-broadcom-bcm4908_enet-handle-EPROBE_DEFER-when-g.patch b/target/linux/bcm4908/patches-5.10/078-v6.1-0001-net-broadcom-bcm4908_enet-handle-EPROBE_DEFER-when-g.patch
similarity index 92%
rename from target/linux/bcm4908/patches-5.10/078-v6.1-net-broadcom-bcm4908_enet-handle-EPROBE_DEFER-when-g.patch
rename to target/linux/bcm4908/patches-5.10/078-v6.1-0001-net-broadcom-bcm4908_enet-handle-EPROBE_DEFER-when-g.patch
index 702b7641fd..a6eba111f9 100644
--- a/target/linux/bcm4908/patches-5.10/078-v6.1-net-broadcom-bcm4908_enet-handle-EPROBE_DEFER-when-g.patch
+++ b/target/linux/bcm4908/patches-5.10/078-v6.1-0001-net-broadcom-bcm4908_enet-handle-EPROBE_DEFER-when-g.patch
@@ -20,7 +20,7 @@ Signed-off-by: Jakub Kicinski <kuba at kernel.org>
 
 --- a/drivers/net/ethernet/broadcom/bcm4908_enet.c
 +++ b/drivers/net/ethernet/broadcom/bcm4908_enet.c
-@@ -714,7 +714,9 @@ static int bcm4908_enet_probe(struct pla
+@@ -712,7 +712,9 @@ static int bcm4908_enet_probe(struct pla
  		return err;
  
  	SET_NETDEV_DEV(netdev, &pdev->dev);
@@ -31,7 +31,7 @@ Signed-off-by: Jakub Kicinski <kuba at kernel.org>
  	if (!is_valid_ether_addr(netdev->dev_addr))
  		eth_hw_addr_random(netdev);
  	netdev->netdev_ops = &bcm4908_enet_netdev_ops;
-@@ -725,14 +727,17 @@ static int bcm4908_enet_probe(struct pla
+@@ -723,14 +725,17 @@ static int bcm4908_enet_probe(struct pla
  	netif_napi_add(netdev, &enet->rx_ring.napi, bcm4908_enet_poll_rx, NAPI_POLL_WEIGHT);
  
  	err = register_netdev(netdev);
diff --git a/target/linux/bcm4908/patches-5.10/078-v6.1-0002-net-broadcom-bcm4908_enet-update-TX-stats-after-actu.patch b/target/linux/bcm4908/patches-5.10/078-v6.1-0002-net-broadcom-bcm4908_enet-update-TX-stats-after-actu.patch
new file mode 100644
index 0000000000..29cf3742f4
--- /dev/null
+++ b/target/linux/bcm4908/patches-5.10/078-v6.1-0002-net-broadcom-bcm4908_enet-update-TX-stats-after-actu.patch
@@ -0,0 +1,65 @@
+From ef3556ee16c68735ec69bd08df41d1cd83b14ad3 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= <rafal at milecki.pl>
+Date: Thu, 27 Oct 2022 13:24:30 +0200
+Subject: [PATCH] net: broadcom: bcm4908_enet: update TX stats after actual
+ transmission
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Queueing packets doesn't guarantee their transmission. Update TX stats
+after hardware confirms consuming submitted data.
+
+This also fixes a possible race and NULL dereference.
+bcm4908_enet_start_xmit() could try to access skb after freeing it in
+the bcm4908_enet_poll_tx().
+
+Reported-by: Florian Fainelli <f.fainelli at gmail.com>
+Fixes: 4feffeadbcb2e ("net: broadcom: bcm4908enet: add BCM4908 controller driver")
+Signed-off-by: Rafał Miłecki <rafal at milecki.pl>
+Reviewed-by: Florian Fainelli <f.fainelli at gmail.com>
+Link: https://lore.kernel.org/r/20221027112430.8696-1-zajec5@gmail.com
+Signed-off-by: Jakub Kicinski <kuba at kernel.org>
+---
+ drivers/net/ethernet/broadcom/bcm4908_enet.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/ethernet/broadcom/bcm4908_enet.c
++++ b/drivers/net/ethernet/broadcom/bcm4908_enet.c
+@@ -560,8 +560,6 @@ static int bcm4908_enet_start_xmit(struc
+ 
+ 	if (++ring->write_idx == ring->length - 1)
+ 		ring->write_idx = 0;
+-	enet->netdev->stats.tx_bytes += skb->len;
+-	enet->netdev->stats.tx_packets++;
+ 
+ 	return NETDEV_TX_OK;
+ }
+@@ -634,6 +632,7 @@ static int bcm4908_enet_poll_tx(struct n
+ 	struct bcm4908_enet_dma_ring_bd *buf_desc;
+ 	struct bcm4908_enet_dma_ring_slot *slot;
+ 	struct device *dev = enet->dev;
++	unsigned int bytes = 0;
+ 	int handled = 0;
+ 
+ 	while (handled < weight && tx_ring->read_idx != tx_ring->write_idx) {
+@@ -644,12 +643,17 @@ static int bcm4908_enet_poll_tx(struct n
+ 
+ 		dma_unmap_single(dev, slot->dma_addr, slot->len, DMA_TO_DEVICE);
+ 		dev_kfree_skb(slot->skb);
+-		if (++tx_ring->read_idx == tx_ring->length)
+-			tx_ring->read_idx = 0;
+ 
+ 		handled++;
++		bytes += slot->len;
++
++		if (++tx_ring->read_idx == tx_ring->length)
++			tx_ring->read_idx = 0;
+ 	}
+ 
++	enet->netdev->stats.tx_packets += handled;
++	enet->netdev->stats.tx_bytes += bytes;
++
+ 	if (handled < weight) {
+ 		napi_complete_done(napi, handled);
+ 		bcm4908_enet_dma_ring_intrs_on(enet, tx_ring);
diff --git a/target/linux/bcm4908/patches-5.10/079-v6.2-0001-net-broadcom-bcm4908_enet-use-build_skb.patch b/target/linux/bcm4908/patches-5.10/079-v6.2-0001-net-broadcom-bcm4908_enet-use-build_skb.patch
index 1a3dc62d44..834973f5c7 100644
--- a/target/linux/bcm4908/patches-5.10/079-v6.2-0001-net-broadcom-bcm4908_enet-use-build_skb.patch
+++ b/target/linux/bcm4908/patches-5.10/079-v6.2-0001-net-broadcom-bcm4908_enet-use-build_skb.patch
@@ -112,7 +112,7 @@ Signed-off-by: Paolo Abeni <pabeni at redhat.com>
  	}
  }
  
-@@ -576,6 +586,7 @@ static int bcm4908_enet_poll_rx(struct n
+@@ -574,6 +584,7 @@ static int bcm4908_enet_poll_rx(struct n
  	while (handled < weight) {
  		struct bcm4908_enet_dma_ring_bd *buf_desc;
  		struct bcm4908_enet_dma_ring_slot slot;
@@ -120,7 +120,7 @@ Signed-off-by: Paolo Abeni <pabeni at redhat.com>
  		u32 ctl;
  		int len;
  		int err;
-@@ -599,16 +610,24 @@ static int bcm4908_enet_poll_rx(struct n
+@@ -597,16 +608,24 @@ static int bcm4908_enet_poll_rx(struct n
  
  		if (len < ETH_ZLEN ||
  		    (ctl & (DMA_CTL_STATUS_SOP | DMA_CTL_STATUS_EOP)) != (DMA_CTL_STATUS_SOP | DMA_CTL_STATUS_EOP)) {




More information about the lede-commits mailing list