rpms/kernel
9
4
Fork 6
Code Issues Pull Requests Releases Activity
a10
kernel/1235-dpaa2-switch-prevent-zero-size-ptr-dereference-when-num-ifs-.patch
Andrew Lukoshko b9d46fff46 Recreate RHEL 6.12.0-211.18.1 from CS10/upstream backports 
Add the RHEL 211.17.1..211.18.1 backports (1162-1244) from centos-stream-10 and
upstream, on top of 211.16.1. Includes the lpfc 14.4.0.x revert batch and the
RHEL-only lpfc_nlp_get UAF guard. Bump to 211.18.1.
2026-06-07 00:04:03 +00:00

60 lines
2.4 KiB
Diff
Raw Permalink Blame History

From a62505231a34f83c11618b0922e5b09739252a2b Mon Sep 17 00:00:00 2001
From: CKI Backport Bot <cki-ci-bot+cki-gitlab-backport-bot@redhat.com>
Date: Mon, 11 May 2026 19:40:32 +0000
Subject: [PATCH] dpaa2-switch: prevent ZERO_SIZE_PTR dereference when num_ifs
is zero
JIRA: https://redhat.atlassian.net/browse/RHEL-174253
CVE: CVE-2026-43205
commit ed48a84a72fefb20a82dd90a7caa7807e90c6f66
Author: Junrui Luo <moonafterrain@outlook.com>
Date: Wed Jan 28 16:07:34 2026 +0800
dpaa2-switch: prevent ZERO_SIZE_PTR dereference when num_ifs is zero
The driver allocates arrays for ports, FDBs, and filter blocks using
kcalloc() with ethsw->sw_attr.num_ifs as the element count. When the
device reports zero interfaces (either due to hardware configuration
or firmware issues), kcalloc(0, ...) returns ZERO_SIZE_PTR (0x10)
instead of NULL.
Later in dpaa2_switch_probe(), the NAPI initialization unconditionally
accesses ethsw->ports[0]->netdev, which attempts to dereference
ZERO_SIZE_PTR (address 0x10), resulting in a kernel panic.
Add a check to ensure num_ifs is greater than zero after retrieving
device attributes. This prevents the zero-sized allocations and
subsequent invalid pointer dereference.
Reported-by: Yuhao Jiang <danisjiang@gmail.com>
Reported-by: Junrui Luo <moonafterrain@outlook.com>
Fixes: 0b1b71370458 ("staging: dpaa2-switch: handle Rx path on control interface")
Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Link: https://patch.msgid.link/SYBPR01MB7881BEABA8DA896947962470AF91A@SYBPR01MB7881.ausprd01.prod.outlook.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: CKI Backport Bot <cki-ci-bot+cki-gitlab-backport-bot@redhat.com>
diff --git a/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c b/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c
index a293b08f36d4..527c78f4d27d 100644
--- a/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c
+++ b/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c
@@ -3014,6 +3014,12 @@ static int dpaa2_switch_init(struct fsl_mc_device *sw_dev)
goto err_close;
}
+ if (!ethsw->sw_attr.num_ifs) {
+ dev_err(dev, "DPSW device has no interfaces\n");
+ err = -ENODEV;
+ goto err_close;
+ }
+
err = dpsw_get_api_version(ethsw->mc_io, 0,
&ethsw->major,
&ethsw->minor);
--
2.50.1 (Apple Git-155)
Reference in New Issue View Git Blame Copy Permalink