Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

net: ethtool: Fix the panic caused by dev being null when dumping coalesce

syzbot reported a general protection fault caused by a null pointer
dereference in coalesce_fill_reply(). The issue occurs when req_base->dev
is null, leading to an invalid memory access.

This panic occurs if dumping coalesce when no device name is specified.

Fixes: f750dfe825b9 ("ethtool: provide customized dim profile management")
Reported-by: syzbot+e77327e34cdc8c36b7d3@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=e77327e34cdc8c36b7d3
Signed-off-by: Heng Qi <hengqi@linux.alibaba.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>

authored by

Heng Qi and committed by
David S. Miller
74d6529b f61c72be

+3 -2
+3 -2
net/ethtool/coalesce.c
··· 211 211 { 212 212 const struct coalesce_reply_data *data = COALESCE_REPDATA(reply_base); 213 213 const struct kernel_ethtool_coalesce *kcoal = &data->kernel_coalesce; 214 - struct dim_irq_moder *moder = req_base->dev->irq_moder; 215 214 const struct ethtool_coalesce *coal = &data->coalesce; 216 215 u32 supported = data->supported_params; 216 + struct dim_irq_moder *moder; 217 217 int ret = 0; 218 218 219 219 if (coalesce_put_u32(skb, ETHTOOL_A_COALESCE_RX_USECS, ··· 272 272 kcoal->tx_aggr_time_usecs, supported)) 273 273 return -EMSGSIZE; 274 274 275 - if (!moder) 275 + if (!req_base->dev || !req_base->dev->irq_moder) 276 276 return 0; 277 277 278 + moder = req_base->dev->irq_moder; 278 279 rcu_read_lock(); 279 280 if (moder->profile_flags & DIM_PROFILE_RX) { 280 281 ret = coalesce_put_profile(skb, ETHTOOL_A_COALESCE_RX_PROFILE,