]> git.ipfire.org Git - thirdparty/kernel/stable-queue.git/blob - queue-6.1/net-phy-micrel-fix-potential-null-pointer-dereference.patch
projects / thirdparty / kernel / stable-queue.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
6.1-stable patches
[thirdparty/kernel/stable-queue.git] / queue-6.1 / net-phy-micrel-fix-potential-null-pointer-dereference.patch
1 From 96c155943a703f0655c0c4cab540f67055960e91 Mon Sep 17 00:00:00 2001
2 From: Aleksandr Mishin <amishin@t-argos.ru>
3 Date: Fri, 29 Mar 2024 09:16:31 +0300
4 Subject: net: phy: micrel: Fix potential null pointer dereference
5
6 From: Aleksandr Mishin <amishin@t-argos.ru>
7
8 commit 96c155943a703f0655c0c4cab540f67055960e91 upstream.
9
10 In lan8814_get_sig_rx() and lan8814_get_sig_tx() ptp_parse_header() may
11 return NULL as ptp_header due to abnormal packet type or corrupted packet.
12 Fix this bug by adding ptp_header check.
13
14 Found by Linux Verification Center (linuxtesting.org) with SVACE.
15
16 Fixes: ece19502834d ("net: phy: micrel: 1588 support for LAN8814 phy")
17 Signed-off-by: Aleksandr Mishin <amishin@t-argos.ru>
18 Reviewed-by: Andrew Lunn <andrew@lunn.ch>
19 Link: https://lore.kernel.org/r/20240329061631.33199-1-amishin@t-argos.ru
20 Signed-off-by: Jakub Kicinski <kuba@kernel.org>
21 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
22 ---
23 drivers/net/phy/micrel.c | 21 ++++++++++++++++-----
24 1 file changed, 16 insertions(+), 5 deletions(-)
25
26 --- a/drivers/net/phy/micrel.c
27 +++ b/drivers/net/phy/micrel.c
28 @@ -2303,7 +2303,7 @@ static void lan8814_txtstamp(struct mii_
29 }
30 }
31
32 -static void lan8814_get_sig_rx(struct sk_buff *skb, u16 *sig)
33 +static bool lan8814_get_sig_rx(struct sk_buff *skb, u16 *sig)
34 {
35 struct ptp_header *ptp_header;
36 u32 type;
37 @@ -2313,7 +2313,11 @@ static void lan8814_get_sig_rx(struct sk
38 ptp_header = ptp_parse_header(skb, type);
39 skb_pull_inline(skb, ETH_HLEN);
40
41 + if (!ptp_header)
42 + return false;
43 +
44 *sig = (__force u16)(ntohs(ptp_header->sequence_id));
45 + return true;
46 }
47
48 static bool lan8814_match_rx_ts(struct kszphy_ptp_priv *ptp_priv,
49 @@ -2325,7 +2329,8 @@ static bool lan8814_match_rx_ts(struct k
50 bool ret = false;
51 u16 skb_sig;
52
53 - lan8814_get_sig_rx(skb, &skb_sig);
54 + if (!lan8814_get_sig_rx(skb, &skb_sig))
55 + return ret;
56
57 /* Iterate over all RX timestamps and match it with the received skbs */
58 spin_lock_irqsave(&ptp_priv->rx_ts_lock, flags);
59 @@ -2605,7 +2610,7 @@ static int lan8814_ptpci_adjfine(struct
60 return 0;
61 }
62
63 -static void lan8814_get_sig_tx(struct sk_buff *skb, u16 *sig)
64 +static bool lan8814_get_sig_tx(struct sk_buff *skb, u16 *sig)
65 {
66 struct ptp_header *ptp_header;
67 u32 type;
68 @@ -2613,7 +2618,11 @@ static void lan8814_get_sig_tx(struct sk
69 type = ptp_classify_raw(skb);
70 ptp_header = ptp_parse_header(skb, type);
71
72 + if (!ptp_header)
73 + return false;
74 +
75 *sig = (__force u16)(ntohs(ptp_header->sequence_id));
76 + return true;
77 }
78
79 static void lan8814_dequeue_tx_skb(struct kszphy_ptp_priv *ptp_priv)
80 @@ -2631,7 +2640,8 @@ static void lan8814_dequeue_tx_skb(struc
81
82 spin_lock_irqsave(&ptp_priv->tx_queue.lock, flags);
83 skb_queue_walk_safe(&ptp_priv->tx_queue, skb, skb_tmp) {
84 - lan8814_get_sig_tx(skb, &skb_sig);
85 + if (!lan8814_get_sig_tx(skb, &skb_sig))
86 + continue;
87
88 if (memcmp(&skb_sig, &seq_id, sizeof(seq_id)))
89 continue;
90 @@ -2675,7 +2685,8 @@ static bool lan8814_match_skb(struct ksz
91
92 spin_lock_irqsave(&ptp_priv->rx_queue.lock, flags);
93 skb_queue_walk_safe(&ptp_priv->rx_queue, skb, skb_tmp) {
94 - lan8814_get_sig_rx(skb, &skb_sig);
95 + if (!lan8814_get_sig_rx(skb, &skb_sig))
96 + continue;
97
98 if (memcmp(&skb_sig, &rx_ts->seq_id, sizeof(rx_ts->seq_id)))
99 continue;
Mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/stable-queue.git