[PATCH net-next] net: airoha: Reset PPE cpu port configuration in airoha_ppe_hw_init()
Jakub Kicinski
kuba at kernel.org
Fri Mar 20 18:31:27 PDT 2026
On Tue, 17 Mar 2026 17:40:47 +0100 Lorenzo Bianconi wrote:
> @@ -155,6 +171,11 @@ static void airoha_ppe_hw_init(struct airoha_ppe *ppe)
> AIROHA_MAX_MTU) |
> FIELD_PREP(FP1_EGRESS_MTU_MASK,
> AIROHA_MAX_MTU));
> + if (!port)
> + continue;
> +
> + airoha_ppe_set_cpu_port(port, i);
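Review bot: the guard ahead of airoha_ppe_set_cpu_port(port, i) tests only `!port`, so a ports[] entry that is allocated but whose port->qdma is still NULL passes it. If airoha_ppe_set_cpu_port() dereferences port->qdma, as the reply below states, widen the check to `if (!port || !port->qdma) continue;`, or add a comment naming what guarantees qdma is set before this loop can run.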
AI says:
Can this lead to a NULL pointer dereference if a port is not fully
initialized?
In airoha_probe(), all GDM ports defined in the device tree are allocated
and the eth->ports[] array is populated with pointers, but port->qdma is
left as NULL.
During airoha_register_gdm_devices(), the ports are registered sequentially
with register_netdev(). Since register_netdev() drops the rtnl_lock(),
userspace could react to the RTM_NEWLINK event of the first registered port
and apply a tc flow offload rule.
This would trigger the following call chain:
.ndo_setup_tc() -> airoha_ppe_setup_tc_block_cb() -> airoha_ppe_offload_setup()
-> airoha_ppe_hw_init()
If airoha_ppe_hw_init() iterates over the array, it will find the subsequent
port that has been allocated but not yet registered, meaning its port->qdma
is still NULL. The call to airoha_ppe_set_cpu_port(port, i) will then
dereference the NULL port->qdma.
Would it be better to check if (!port || !port->qdma) before calling
airoha_ppe_set_cpu_port()?
--
pw-bot: cr