Skip to content

Commit

Permalink
net: microchip: sparx5: Fix potential null-ptr-deref in sparx_stats_i…
Browse files Browse the repository at this point in the history 
…nit() and sparx5_start()

[ Upstream commit 639f5d0 ]

sparx_stats_init() calls create_singlethread_workqueue() and not
checked the ret value, which may return NULL. And a null-ptr-deref may
happen:

sparx_stats_init()
    create_singlethread_workqueue() # failed, sparx5->stats_queue is NULL
    queue_delayed_work()
        queue_delayed_work_on()
            __queue_delayed_work()  # warning here, but continue
                __queue_work()      # access wq->flags, null-ptr-deref

Check the ret value and return -ENOMEM if it is NULL. So as
sparx5_start().

Fixes: af4b110 ("net: sparx5: add ethtool configuration and statistics support")
Fixes: b37a1ba ("net: sparx5: add mactable support")
Signed-off-by: Shang XiaoJing <shangxiaojing@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
  • Loading branch information
@gregkh
Shang XiaoJing authored and gregkh committed Nov 26, 2022
1 parent 4a43c1c commit 456327e
Show file tree
Hide file tree
Showing 2 changed files with 6 additions and 0 deletions.
3 changes: 3 additions & 0 deletions drivers/net/ethernet/microchip/sparx5/sparx5_ethtool.c
View file
Expand Up @@ -1253,6 +1253,9 @@ int sparx_stats_init(struct sparx5 *sparx5)
snprintf(queue_name, sizeof(queue_name), "%s-stats",
dev_name(sparx5->dev));
sparx5->stats_queue = create_singlethread_workqueue(queue_name);
if (!sparx5->stats_queue)
return -ENOMEM;

INIT_DELAYED_WORK(&sparx5->stats_work, sparx5_check_stats_work);
queue_delayed_work(sparx5->stats_queue, &sparx5->stats_work,
SPX5_STATS_CHECK_DELAY);
Expand Down
3 changes: 3 additions & 0 deletions drivers/net/ethernet/microchip/sparx5/sparx5_main.c
View file
Expand Up @@ -657,6 +657,9 @@ static int sparx5_start(struct sparx5 *sparx5)
snprintf(queue_name, sizeof(queue_name), "%s-mact",
dev_name(sparx5->dev));
sparx5->mact_queue = create_singlethread_workqueue(queue_name);
if (!sparx5->mact_queue)
return -ENOMEM;

INIT_DELAYED_WORK(&sparx5->mact_work, sparx5_mact_pull_work);
queue_delayed_work(sparx5->mact_queue, &sparx5->mact_work,
SPX5_MACT_PULL_DELAY);
Expand Down

0 comments on commit 456327e

Please sign in to comment.