Received: by 2002:a05:6a10:1287:0:0:0:0 with SMTP id d7csp4744264pxv;
        Tue, 20 Jul 2021 10:35:00 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJzekWT7KN/SXFS04/W7L0oRnsWQsV9bXVk2ha6/5C2O5R7n/KOyOjl2PbPUtn83GDTDSs7a
X-Received: by 2002:a17:906:14cf:: with SMTP id y15mr33199202ejc.124.1626802500605;
        Tue, 20 Jul 2021 10:35:00 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1626802500; cv=none;
        d=google.com; s=arc-20160816;
        b=Y3neOUZtO8nfHkky6/xCJ/0j7N0+TraHA7qplDMUkQtQtBx/jY67oKve64nJ89mIR3
         lnVYs0bNhq/RxQPmKRma76wChBvg8EkkV0PByfwyMkgfxXqHEE9AdsY6C77nczdzB2eK
         MGAaowW9Ze0udqSJRePnsNWj4GAq1ZMi0CV9fZjED0J6wZ14XKnaeAUFx0cKRLiSu0im
         BKTpuL27X4FQ4NG1/MsTzWXS0itQO2JRNCY9Y7V69biEF7XLAz+YVeZ+wDTF5+0Kio1r
         Y34s9+ih3UhqBRXLcqDzU266v9t+D0WQ7Gil0Jvl2pXmmGw3q3vHHxmiDAjjIUJP+nK+
         fQjA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:mime-version:user-agent:references:message-id
         :in-reply-to:subject:cc:to:from:date;
        bh=EG8HJQ68XlkIezCMNNfWPZlNKPSbkOkrPlYmbfm7A7w=;
        b=UpQmqq8HIIOLlVxm4kOO5fXy73E508FsgO7pZVpyJwOdNCWsZzskOhH6AFVD0OS9r5
         2C8JNIhznbF3dy3rlnFbhY1zzO3EKF3oqL9xAttOnhvRmHpEo5H0S2h9tlwC44Um6kl7
         DQc6+JQ3C9YsMqkqYDpgeeiHtCJi4EPiDcKy0efIjHm+gCa2j5Fb7MUATOJVnmqoVaOy
         HW7Bk9CGKEp6O/+edGcBNucMVRYrcnGFyWspdzTQ120M1k5qbL35X8N6G8o+DDMc40O5
         D6zp5MiTGeK6PgKY5fyruoU29TIJxM3lYYsgdI9QrWgyRywNeJF+oKSzVvyeYf+jUyCN
         ZZmg==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id z17si2265665edr.452.2021.07.20.10.34.36;
        Tue, 20 Jul 2021 10:35:00 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S230440AbhGTQwH (ORCPT <rfc822;linux.lists.archive@gmail.com>
        + 99 others); Tue, 20 Jul 2021 12:52:07 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:56096 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S229623AbhGTQvl (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 20 Jul 2021 12:51:41 -0400
Received: from angie.orcam.me.uk (angie.orcam.me.uk [IPv6:2001:4190:8020::34])
        by lindbergh.monkeyblade.net (Postfix) with ESMTP id 5C75DC061574
        for <linux-kernel@vger.kernel.org>; Tue, 20 Jul 2021 10:32:19 -0700 (PDT)
Received: by angie.orcam.me.uk (Postfix, from userid 500)
        id 40D5392009C; Tue, 20 Jul 2021 19:32:18 +0200 (CEST)
Received: from localhost (localhost [127.0.0.1])
        by angie.orcam.me.uk (Postfix) with ESMTP id 39CE492009B;
        Tue, 20 Jul 2021 19:32:18 +0200 (CEST)
Date:   Tue, 20 Jul 2021 19:32:18 +0200 (CEST)
From:   "Maciej W. Rozycki" <macro@orcam.me.uk>
To:     Zheyu Ma <zheyuma97@gmail.com>
cc:     Shannon Nelson <snelson@pensando.io>, klassert@kernel.org,
        David Miller <davem@davemloft.net>, kuba@kernel.org,
        jeffrey.t.kirsher@intel.com, netdev@vger.kernel.org,
        Linux Kernel Mailing List <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH] net: 3com: 3c59x: add a check against null pointer
 dereference
In-Reply-To: <CAMhUBjnmeS5G4CNFhsV7EVFSfLspNNotd5qP-g8o8OsBx7xd5A@mail.gmail.com>
Message-ID: <alpine.DEB.2.21.2107201918150.9461@angie.orcam.me.uk>
References: <1623498978-30759-1-git-send-email-zheyuma97@gmail.com> <7ca72971-e072-2489-99cc-3b25e111d333@pensando.io> <CAMhUBjnmeS5G4CNFhsV7EVFSfLspNNotd5qP-g8o8OsBx7xd5A@mail.gmail.com>
User-Agent: Alpine 2.21 (DEB 202 2017-01-01)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, 15 Jun 2021, Zheyu Ma wrote:

> > > When the driver is processing the interrupt, it will read the value of
> > > the register to determine the status of the device. If the device is in
> > > an incorrect state, the driver may mistakenly enter this branch. At this
> > > time, the dma buffer has not been allocated, which will result in a null
> > > pointer dereference.
[...]
> > > diff --git a/drivers/net/ethernet/3com/3c59x.c b/drivers/net/ethernet/3com/3c59x.c
> > > index 741c67e546d4..e27901ded7a0 100644
> > > --- a/drivers/net/ethernet/3com/3c59x.c
> > > +++ b/drivers/net/ethernet/3com/3c59x.c
> > > @@ -2300,7 +2300,7 @@ _vortex_interrupt(int irq, struct net_device *dev)
> > >               }
> > >
> > >               if (status & DMADone) {
> > > -                     if (ioread16(ioaddr + Wn7_MasterStatus) & 0x1000) {
> > > +                     if ((ioread16(ioaddr + Wn7_MasterStatus) & 0x1000) && vp->tx_skb_dma) {
> > >                               iowrite16(0x1000, ioaddr + Wn7_MasterStatus); /* Ack the event. */
> > >                               dma_unmap_single(vp->gendev, vp->tx_skb_dma, (vp->tx_skb->len + 3) & ~3, DMA_TO_DEVICE);
> > >                               pkts_compl++;
> >
> > This means you won't be ack'ing the event - is this unacknowledged event
> > going to cause an issue later?
> >
> 
> First, I'm not an expert in networking, but from my perspective, I
> don't think this will cause a problem. Because when the driver enters
> this branch, It means that it thinks that the hardware has already
> performed a DMA operation, and the driver only needs to do some
> follow-up work, but this is not the case. At this time,
> 'vp->tx_skb_dma' is still a null pointer, so there is no need for
> follow-up work at this time, it is meaningless, and it is appropriate
> not to perform any operations at this time.

 What are the circumstances you observe this behaviour under?  The state 
of hardware is supposed to be consistent with the state of the driver.  If 
an inconsistency happens, then there are various possible causes such as:

1. The driver has a bug (in which case you need to track the bug down and 
   fix it).

2. The hardware does not behave as specified, e.g. due to an erratum (in 
   which case you need to track the problem down and work it around in the 
   driver).

3. The hardware may have been disturbed, e.g. due to EMC interference (in 
   which case you may implement a recovery attempt by reinitialising the 
   hardware once an odd state has been discovered).

4. The hardware is broken (throw it away).

For #4 the solution is obvious.  For #3 you might want to implement a 
hardware reset path rather than ignoring the inconsistent state and only 
prevent the driver from crashing.  If you have a way to reproduce the 
issue, which I gather you do, then it's likely not #3 as that would be 
intermittent, and then you'll have to investigate what is causing the 
problem to see if it is #1 or #2 (or maybe #4), and act accordingly.  

 Someone more familiar with this hardware (is there a spec available?) 
might be able to assist you once you have figured out what the exact 
scenario leading to the failure you have observed is.

 HTH,

  Maciej