net: atlantic: Fix NULL dereference of skb pointer in

DanMax03 · Paolo Abeni · commit cbe860be3609 · 2023-12-06T11:26:46.000+01:00
If is_ptp_ring == true in the loop of __aq_ring_xdp_clean function, then a timestamp is stored from a packet in a field of skb object, which is not allocated at the moment of the call (skb == NULL). Generalize aq_ptp_extract_ts and other affected functions so they don't work with struct sk_buff*, but with struct skb_shared_hwtstamps*. Found by Linux Verification Center (linuxtesting.org) with SVACE Fixes: 26efaef ("net: atlantic: Implement xdp data plane") Signed-off-by: Daniil Maximov <daniil31415it@gmail.com> Reviewed-by: Igor Russkikh <irusskikh@marvell.com> Link: https://lore.kernel.org/r/20231204085810.1681386-1-daniil31415it@gmail.com Signed-off-by: Paolo Abeni <pabeni@redhat.com>
diff --git a/drivers/net/ethernet/aquantia/atlantic/aq_ptp.c b/drivers/net/ethernet/aquantia/atlantic/aq_ptp.c
@@ -553,17 +553,17 @@ void aq_ptp_tx_hwtstamp(struct aq_nic_s *aq_nic, u64 timestamp)
 
 /* aq_ptp_rx_hwtstamp - utility function which checks for RX time stamp
  * @adapter: pointer to adapter struct
- * @skb: particular skb to send timestamp with
+ * @shhwtstamps: particular skb_shared_hwtstamps to save timestamp
  *
  * if the timestamp is valid, we convert it into the timecounter ns
  * value, then store that result into the hwtstamps structure which
  * is passed up the network stack
  */
-static void aq_ptp_rx_hwtstamp(struct aq_ptp_s *aq_ptp, struct sk_buff *skb,
+static void aq_ptp_rx_hwtstamp(struct aq_ptp_s *aq_ptp, struct skb_shared_hwtstamps *shhwtstamps,
 			       u64 timestamp)
 {
 	timestamp -= atomic_read(&aq_ptp->offset_ingress);
-	aq_ptp_convert_to_hwtstamp(aq_ptp, skb_hwtstamps(skb), timestamp);
+	aq_ptp_convert_to_hwtstamp(aq_ptp, shhwtstamps, timestamp);
 }
 
 void aq_ptp_hwtstamp_config_get(struct aq_ptp_s *aq_ptp,
@@ -639,7 +639,7 @@ bool aq_ptp_ring(struct aq_nic_s *aq_nic, struct aq_ring_s *ring)
 	       &aq_ptp->ptp_rx == ring || &aq_ptp->hwts_rx == ring;
 }
 
-u16 aq_ptp_extract_ts(struct aq_nic_s *aq_nic, struct sk_buff *skb, u8 *p,
+u16 aq_ptp_extract_ts(struct aq_nic_s *aq_nic, struct skb_shared_hwtstamps *shhwtstamps, u8 *p,
 		      unsigned int len)
 {
 	struct aq_ptp_s *aq_ptp = aq_nic->aq_ptp;
@@ -648,7 +648,7 @@ u16 aq_ptp_extract_ts(struct aq_nic_s *aq_nic, struct sk_buff *skb, u8 *p,
 						   p, len, &timestamp);
 
 	if (ret > 0)
-		aq_ptp_rx_hwtstamp(aq_ptp, skb, timestamp);
+		aq_ptp_rx_hwtstamp(aq_ptp, shhwtstamps, timestamp);
 
 	return ret;
 }
diff --git a/drivers/net/ethernet/aquantia/atlantic/aq_ptp.h b/drivers/net/ethernet/aquantia/atlantic/aq_ptp.h
@@ -67,7 +67,7 @@ int aq_ptp_hwtstamp_config_set(struct aq_ptp_s *aq_ptp,
 /* Return either ring is belong to PTP or not*/
 bool aq_ptp_ring(struct aq_nic_s *aq_nic, struct aq_ring_s *ring);
 
-u16 aq_ptp_extract_ts(struct aq_nic_s *aq_nic, struct sk_buff *skb, u8 *p,
+u16 aq_ptp_extract_ts(struct aq_nic_s *aq_nic, struct skb_shared_hwtstamps *shhwtstamps, u8 *p,
 		      unsigned int len);
 
 struct ptp_clock *aq_ptp_get_ptp_clock(struct aq_ptp_s *aq_ptp);
@@ -143,7 +143,7 @@ static inline bool aq_ptp_ring(struct aq_nic_s *aq_nic, struct aq_ring_s *ring)
 }
 
 static inline u16 aq_ptp_extract_ts(struct aq_nic_s *aq_nic,
-				    struct sk_buff *skb, u8 *p,
+				    struct skb_shared_hwtstamps *shhwtstamps, u8 *p,
 				    unsigned int len)
 {
 	return 0;
diff --git a/drivers/net/ethernet/aquantia/atlantic/aq_ring.c b/drivers/net/ethernet/aquantia/atlantic/aq_ring.c
@@ -647,7 +647,7 @@ static int __aq_ring_rx_clean(struct aq_ring_s *self, struct napi_struct *napi,
 		}
 		if (is_ptp_ring)
 			buff->len -=
-				aq_ptp_extract_ts(self->aq_nic, skb,
+				aq_ptp_extract_ts(self->aq_nic, skb_hwtstamps(skb),
 						  aq_buf_vaddr(&buff->rxdata),
 						  buff->len);
 
@@ -742,6 +742,8 @@ static int __aq_ring_xdp_clean(struct aq_ring_s *rx_ring,
 		struct aq_ring_buff_s *buff = &rx_ring->buff_ring[rx_ring->sw_head];
 		bool is_ptp_ring = aq_ptp_ring(rx_ring->aq_nic, rx_ring);
 		struct aq_ring_buff_s *buff_ = NULL;
+		u16 ptp_hwtstamp_len = 0;
+		struct skb_shared_hwtstamps shhwtstamps;
 		struct sk_buff *skb = NULL;
 		unsigned int next_ = 0U;
 		struct xdp_buff xdp;
@@ -810,11 +812,12 @@ static int __aq_ring_xdp_clean(struct aq_ring_s *rx_ring,
 		hard_start = page_address(buff->rxdata.page) +
 			     buff->rxdata.pg_off - rx_ring->page_offset;
 
-		if (is_ptp_ring)
-			buff->len -=
-				aq_ptp_extract_ts(rx_ring->aq_nic, skb,
-						  aq_buf_vaddr(&buff->rxdata),
-						  buff->len);
+		if (is_ptp_ring) {
+			ptp_hwtstamp_len = aq_ptp_extract_ts(rx_ring->aq_nic, &shhwtstamps,
+							     aq_buf_vaddr(&buff->rxdata),
+							     buff->len);
+			buff->len -= ptp_hwtstamp_len;
+		}
 
 		xdp_init_buff(&xdp, frame_sz, &rx_ring->xdp_rxq);
 		xdp_prepare_buff(&xdp, hard_start, rx_ring->page_offset,
@@ -834,6 +837,9 @@ static int __aq_ring_xdp_clean(struct aq_ring_s *rx_ring,
 		if (IS_ERR(skb) || !skb)
 			continue;
 
+		if (ptp_hwtstamp_len > 0)
+			*skb_hwtstamps(skb) = shhwtstamps;
+
 		if (buff->is_vlan)
 			__vlan_hwaccel_put_tag(skb, htons(ETH_P_8021Q),
 					       buff->vlan_rx_tag);

Original file line number	Diff line number	Diff line change
`@@ -553,17 +553,17 @@ void aq_ptp_tx_hwtstamp(struct aq_nic_s *aq_nic, u64 timestamp)`
`553`	`553`
`554`	`554`	`/* aq_ptp_rx_hwtstamp - utility function which checks for RX time stamp`
`555`	`555`	`* @adapter: pointer to adapter struct`
`556`		`- * @skb: particular skb to send timestamp with`
	`556`	`+ * @shhwtstamps: particular skb_shared_hwtstamps to save timestamp`
`557`	`557`	`*`
`558`	`558`	`* if the timestamp is valid, we convert it into the timecounter ns`
`559`	`559`	`* value, then store that result into the hwtstamps structure which`
`560`	`560`	`* is passed up the network stack`
`561`	`561`	`*/`
`562`		`-static void aq_ptp_rx_hwtstamp(struct aq_ptp_s aq_ptp, struct sk_buff skb,`
	`562`	`+static void aq_ptp_rx_hwtstamp(struct aq_ptp_s aq_ptp, struct skb_shared_hwtstamps shhwtstamps,`
`563`	`563`	`u64 timestamp)`
`564`	`564`	`{`
`565`	`565`	`timestamp -= atomic_read(&aq_ptp->offset_ingress);`
`566`		`- aq_ptp_convert_to_hwtstamp(aq_ptp, skb_hwtstamps(skb), timestamp);`
	`566`	`+ aq_ptp_convert_to_hwtstamp(aq_ptp, shhwtstamps, timestamp);`
`567`	`567`	`}`
`568`	`568`
`569`	`569`	`void aq_ptp_hwtstamp_config_get(struct aq_ptp_s *aq_ptp,`
`@@ -639,7 +639,7 @@ bool aq_ptp_ring(struct aq_nic_s aq_nic, struct aq_ring_s ring)`
`639`	`639`	`&aq_ptp->ptp_rx == ring \|\| &aq_ptp->hwts_rx == ring;`
`640`	`640`	`}`
`641`	`641`
`642`		`-u16 aq_ptp_extract_ts(struct aq_nic_s aq_nic, struct sk_buff skb, u8 *p,`
	`642`	`+u16 aq_ptp_extract_ts(struct aq_nic_s aq_nic, struct skb_shared_hwtstamps shhwtstamps, u8 *p,`
`643`	`643`	`unsigned int len)`
`644`	`644`	`{`
`645`	`645`	`struct aq_ptp_s *aq_ptp = aq_nic->aq_ptp;`
`@@ -648,7 +648,7 @@ u16 aq_ptp_extract_ts(struct aq_nic_s aq_nic, struct sk_buff skb, u8 *p,`
`648`	`648`	`p, len, &timestamp);`
`649`	`649`
`650`	`650`	`if (ret > 0)`
`651`		`- aq_ptp_rx_hwtstamp(aq_ptp, skb, timestamp);`
	`651`	`+ aq_ptp_rx_hwtstamp(aq_ptp, shhwtstamps, timestamp);`
`652`	`652`
`653`	`653`	`return ret;`
`654`	`654`	`}`
Original file line number	Diff line number	Diff line change
`@@ -67,7 +67,7 @@ int aq_ptp_hwtstamp_config_set(struct aq_ptp_s *aq_ptp,`
`67`	`67`	`/* Return either ring is belong to PTP or not*/`
`68`	`68`	`bool aq_ptp_ring(struct aq_nic_s aq_nic, struct aq_ring_s ring);`
`69`	`69`
`70`		`-u16 aq_ptp_extract_ts(struct aq_nic_s aq_nic, struct sk_buff skb, u8 *p,`
	`70`	`+u16 aq_ptp_extract_ts(struct aq_nic_s aq_nic, struct skb_shared_hwtstamps shhwtstamps, u8 *p,`
`71`	`71`	`unsigned int len);`
`72`	`72`
`73`	`73`	`struct ptp_clock aq_ptp_get_ptp_clock(struct aq_ptp_s aq_ptp);`
`@@ -143,7 +143,7 @@ static inline bool aq_ptp_ring(struct aq_nic_s aq_nic, struct aq_ring_s ring)`
`143`	`143`	`}`
`144`	`144`
`145`	`145`	`static inline u16 aq_ptp_extract_ts(struct aq_nic_s *aq_nic,`
`146`		`- struct sk_buff skb, u8 p,`
	`146`	`+ struct skb_shared_hwtstamps shhwtstamps, u8 p,`
`147`	`147`	`unsigned int len)`
`148`	`148`	`{`
`149`	`149`	`return 0;`