Commit af1b19b1 authored Nov 13, 2020 by Subash Abhinov Kasiviswanathan Committed by Greg Kroah-Hartman Nov 24, 2020

net: qualcomm: rmnet: Fix incorrect receive packet handling during cleanup



[ Upstream commit fc70f5bf5e525dde81565f0a30d5e39168062eba ]

During rmnet unregistration, the real device rx_handler is first cleared
followed by the removal of rx_handler_data after the rcu synchronization.

Any packets in the receive path may observe that the rx_handler is NULL.
However, there is no check when dereferencing this value to use the
rmnet_port information.

This fixes following splat by adding the NULL check.

Unable to handle kernel NULL pointer dereference at virtual
address 000000000000000d
pc : rmnet_rx_handler+0x124/0x284
lr : rmnet_rx_handler+0x124/0x284
 rmnet_rx_handler+0x124/0x284
 __netif_receive_skb_core+0x758/0xd74
 __netif_receive_skb+0x50/0x17c
 process_backlog+0x15c/0x1b8
 napi_poll+0x88/0x284
 net_rx_action+0xbc/0x23c
 __do_softirq+0x20c/0x48c

Fixes: ceed73a2 ("drivers: net: ethernet: qualcomm: rmnet: Initial implementation")
Signed-off-by: Sean Tranchetti <stranche@codeaurora.org>
Signed-off-by: Subash Abhinov Kasiviswanathan <subashab@codeaurora.org>
Link: https://lore.kernel.org/r/1605298325-3705-1-git-send-email-subashab@codeaurora.org


Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

parent 32515a27

drivers/net/ethernet/qualcomm/rmnet/rmnet_handlers.c

+5 −0

Original line number	Diff line number	Diff line
		@@ -197,6 +197,11 @@ rx_handler_result_t rmnet_rx_handler(struct sk_buff **pskb)

		dev = skb->dev;
		port = rmnet_get_port_rcu(dev);
		if (unlikely(!port)) {
		atomic_long_inc(&skb->dev->rx_nohandler);
		kfree_skb(skb);
		goto done;
		}

		switch (port->rmnet_mode) {
		case RMNET_EPMODE_VND: