From: Colin King
To: Jeff Kirsher, "David S . Miller", intel-wired-lan@lists.osuosl.org, netdev@vger.kernel.org
Cc: kernel-janitors@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH][net-next] iavf: fix dereference of null rx_buffer pointer
Date: Wed, 19 Jun 2019 15:30:44 +0100
Message-Id: <20190619143044.10259-1-colin.king@canonical.com>

From: Colin Ian King

A recent commit efa14c3985828d ("iavf: allow null RX descriptors") added
a null pointer sanity check on rx_buffer, however, rx_buffer is being
dereferenced before that check, which implies a null pointer dereference
bug can potentially occur. Fix this by only dereferencing rx_buffer
until after the null pointer check.

Addresses-Coverity: ("Dereference before null check")
Signed-off-by: Colin Ian King
---
 drivers/net/ethernet/intel/iavf/iavf_txrx.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/net/ethernet/intel/iavf/iavf_txrx.c b/drivers/net/ethernet/intel/iavf/iavf_txrx.c index 1cde1601bc32..0cca1b589b56 100644 --- a/drivers/net/ethernet/intel/iavf/iavf_txrx.c +++ b/drivers/net/ethernet/intel/iavf/iavf_txrx.c @@ -1296,7 +1296,7 @@ static struct sk_buff *iavf_construct_skb(struct iavf_ring *rx_ring, struct iavf_rx_buffer *rx_buffer, unsigned int size) { - void *va = page_address(rx_buffer->page) + rx_buffer->page_offset; + void *va; #if (PAGE_SIZE < 8192) unsigned int truesize = iavf_rx_pg_size(rx_ring) / 2; #else @@ -1308,6 +1308,7 @@ static struct sk_buff *iavf_construct_skb(struct iavf_ring *rx_ring, if (!rx_buffer) return NULL; /* prefetch first cache line of first page */ + va = page_address(rx_buffer->page) + rx_buffer->page_offset; prefetch(va); #if L1_CACHE_BYTES < 128 prefetch(va + L1_CACHE_BYTES); @@ -1362,7 +1363,7 @@ static struct sk_buff *iavf_build_skb(struct iavf_ring *rx_ring, struct iavf_rx_buffer *rx_buffer, unsigned int size) { - void *va = page_address(rx_buffer->page) + rx_buffer->page_offset; + void *va; #if (PAGE_SIZE < 8192) unsigned int truesize = iavf_rx_pg_size(rx_ring) / 2; #else @@ -1374,6 +1375,7 @@ static struct sk_buff *iavf_build_skb(struct iavf_ring *rx_ring, if (!rx_buffer) return NULL; /* prefetch first cache line of first page */ + va = page_address(rx_buffer->page) + rx_buffer->page_offset; prefetch(va); #if L1_CACHE_BYTES < 128 prefetch(va + L1_CACHE_BYTES); -- 2.20.1
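
Review bot: The declaration hunks (@@ -1296 in iavf_construct_skb, @@ -1362 in iavf_build_skb) show only the `#if (PAGE_SIZE < 8192)` initializer of truesize; the `#else` branch lies outside the visible context. Please confirm that neither it nor any other initializer ahead of `if (!rx_buffer)` reads through rx_buffer, since a remaining early dereference there would leave the dereference-before-check in place on builds that take that branch.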
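
Review bot: In the hunks at @@ -1308 (iavf_construct_skb) and @@ -1374 (iavf_build_skb), the new `va = page_address(rx_buffer->page) + rx_buffer->page_offset;` line sits between the comment `/* prefetch first cache line of first page */` and the `prefetch(va);` call that the comment describes. Placing the assignment directly after `if (!rx_buffer) return NULL;` and above the comment would keep the comment attached to the prefetch calls and make it obvious that va is only computed once rx_buffer is known to be non-NULL.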