Subject: Re: [PATCH v2] drivers: net: vmxnet3: fix possible NULL pointer dereference in vmxnet3_rq_cleanup()
From: Paolo Abeni
To: Zixuan Fu, doshir@vmware.com, pv-drivers@vmware.com, davem@davemloft.net, edumazet@google.com, kuba@kernel.org
Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org, baijiaju1990@gmail.com, TOTE Robot
Date: Thu, 12 May 2022 09:22:48 +0200
In-Reply-To: <20220510131727.929547-1-r33s3n6@gmail.com>

On Tue, 2022-05-10 at 21:17 +0800, Zixuan Fu wrote:
> In vmxnet3_rq_create(), when dma_alloc_coherent() fails,
> vmxnet3_rq_destroy() is called. It sets rq->rx_ring[i].base to NULL. Then
> vmxnet3_rq_create() returns an error to its callers vmxnet3_rq_create_all()
> -> vmxnet3_change_mtu(). Then vmxnet3_change_mtu() calls
> vmxnet3_force_close() -> dev_close() in error handling code. And the driver
> calls vmxnet3_close() -> vmxnet3_quiesce_dev() -> vmxnet3_rq_cleanup_all()
> -> vmxnet3_rq_cleanup(). In vmxnet3_rq_cleanup(),
> rq->rx_ring[ring_idx].base is accessed, but this variable is NULL, causing
> a NULL pointer dereference.
>
> To fix this possible bug, an if statement is added to check whether
> rq->rx_ring[0].base is NULL in vmxnet3_rq_cleanup() and exit early if so.
>
> The error log in our fault-injection testing is shown as follows:
>
> [ 65.220135] BUG: kernel NULL pointer dereference, address: 0000000000000008
> ...
> [ 65.222633] RIP: 0010:vmxnet3_rq_cleanup_all+0x396/0x4e0 [vmxnet3]
> ...
> [ 65.227977] Call Trace:
> ...
> [ 65.228262] vmxnet3_quiesce_dev+0x80f/0x8a0 [vmxnet3]
> [ 65.228580] vmxnet3_close+0x2c4/0x3f0 [vmxnet3]
> [ 65.228866] __dev_close_many+0x288/0x350
> [ 65.229607] dev_close_many+0xa4/0x480
> [ 65.231124] dev_close+0x138/0x230
> [ 65.231933] vmxnet3_force_close+0x1f0/0x240 [vmxnet3]
> [ 65.232248] vmxnet3_change_mtu+0x75d/0x920 [vmxnet3]
> ...
>
> Reported-by: TOTE Robot
> Signed-off-by: Zixuan Fu

Same remarks here, please provide a new version with a suitable fixes tag, thanks!

Paolo
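
An added illustration, not code from the patch or from the vmxnet3 driver: a user-space C model of the sequence the quoted commit message describes, where a failed allocation in create leaves the ring base pointers NULL and a later cleanup has to return early instead of walking them. The struct layout, the helper names and the `fail_at` fault-injection parameter are assumptions made for this example.

```c
#include <stdlib.h>

/* User-space model; struct layout and function names are assumptions. */
struct rx_desc { unsigned long addr; unsigned int flags; };
struct rx_ring { struct rx_desc *base; size_t size; };
struct rx_queue { struct rx_ring rx_ring[2]; };

/* Teardown: frees each ring and leaves its base pointer NULL. */
static void rq_destroy(struct rx_queue *rq)
{
    for (int i = 0; i < 2; i++) {
        free(rq->rx_ring[i].base);
        rq->rx_ring[i].base = NULL;
    }
}

/* fail_at: ring whose allocation fails (-1: none), modelling a failed
 * dma_alloc_coherent(). The error path leaves every base pointer NULL. */
static int rq_create(struct rx_queue *rq, size_t size, int fail_at)
{
    for (int i = 0; i < 2; i++) {
        rq->rx_ring[i].size = size;
        rq->rx_ring[i].base =
            (i == fail_at) ? NULL : calloc(size, sizeof(struct rx_desc));
        if (!rq->rx_ring[i].base) { rq_destroy(rq); return -1; }
    }
    return 0;
}

/* Returns the number of descriptors reset, or -1 if the rings are gone. */
static long rq_cleanup(struct rx_queue *rq)
{
    long n = 0;
    if (!rq->rx_ring[0].base) return -1; /* early exit from the commit message */
    for (int r = 0; r < 2; r++)
        for (size_t i = 0; i < rq->rx_ring[r].size; i++, n++)
            rq->rx_ring[r].base[i].flags = 0; /* faults if base is NULL */
    return n;
}

/* MTU change: re-create the queue, then the close path runs cleanup. */
static long mtu_change(int fail_at)
{
    struct rx_queue rq = {0};
    (void)rq_create(&rq, 8, fail_at);
    long n = rq_cleanup(&rq);
    rq_destroy(&rq);
    return n;
}

int main(void) { return (mtu_change(-1) == 16 && mtu_change(1) == -1) ? 0 : 1; }
```

Removing the guard in `rq_cleanup()` and calling `mtu_change(0)` makes the loop write through a NULL base, which is the shape of the fault in the quoted log.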