[PATCH AUTOSEL for 4.4 21/32] bnx2x: prevent crash when accessing PTP with interface down

From: alexander . levin
Date: Wed Nov 29 2017 - 12:37:37 EST

Next message: alexander . levin: "[PATCH AUTOSEL for 4.4 19/32] arm64: KVM: Survive unknown traps from guests"
Previous message: alexander . levin: "[PATCH AUTOSEL for 4.4 22/32] bnx2x: fix possible overrun of VFPF multicast addresses array"
In reply to: alexander . levin: "[PATCH AUTOSEL for 4.4 22/32] bnx2x: fix possible overrun of VFPF multicast addresses array"
Next in thread: alexander . levin: "[PATCH AUTOSEL for 4.4 19/32] arm64: KVM: Survive unknown traps from guests"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Michal Schmidt <mschmidt@xxxxxxxxxx>

[ Upstream commit 466e8bf10ac104d96e1ea813e8126e11cb72ea20 ]

It is possible to crash the kernel by accessing a PTP device while its
associated bnx2x interface is down. Before the interface is brought up,
the timecounter is not initialized, so accessing it results in NULL
dereference.

Fix it by checking if the interface is up.

Use -ENETDOWN as the error code when the interface is down.
-EFAULT in bnx2x_ptp_adjfreq() did not seem right.

Tested using phc_ctl get/set/adj/freq commands.

Signed-off-by: Michal Schmidt <mschmidt@xxxxxxxxxx>
Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>
Signed-off-by: Sasha Levin <alexander.levin@xxxxxxxxxxx>
---
drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c | 20 +++++++++++++++++++-
1 file changed, 19 insertions(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c
index 1c8123816745..abb3ff6498dc 100644
--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c
+++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c
@@ -13646,7 +13646,7 @@ static int bnx2x_ptp_adjfreq(struct ptp_clock_info *ptp, s32 ppb)
if (!netif_running(bp->dev)) {
DP(BNX2X_MSG_PTP,
"PTP adjfreq called while the interface is down\n");
- return -EFAULT;
+ return -ENETDOWN;
}

if (ppb < 0) {
@@ -13705,6 +13705,12 @@ static int bnx2x_ptp_adjtime(struct ptp_clock_info *ptp, s64 delta)
{
struct bnx2x *bp = container_of(ptp, struct bnx2x, ptp_clock_info);

+ if (!netif_running(bp->dev)) {
+ DP(BNX2X_MSG_PTP,
+ "PTP adjtime called while the interface is down\n");
+ return -ENETDOWN;
+ }
+
DP(BNX2X_MSG_PTP, "PTP adjtime called, delta = %llx\n", delta);

timecounter_adjtime(&bp->timecounter, delta);
@@ -13717,6 +13723,12 @@ static int bnx2x_ptp_gettime(struct ptp_clock_info *ptp, struct timespec64 *ts)
struct bnx2x *bp = container_of(ptp, struct bnx2x, ptp_clock_info);
u64 ns;

+ if (!netif_running(bp->dev)) {
+ DP(BNX2X_MSG_PTP,
+ "PTP gettime called while the interface is down\n");
+ return -ENETDOWN;
+ }
+
ns = timecounter_read(&bp->timecounter);

DP(BNX2X_MSG_PTP, "PTP gettime called, ns = %llu\n", ns);
@@ -13732,6 +13744,12 @@ static int bnx2x_ptp_settime(struct ptp_clock_info *ptp,
struct bnx2x *bp = container_of(ptp, struct bnx2x, ptp_clock_info);
u64 ns;

+ if (!netif_running(bp->dev)) {
+ DP(BNX2X_MSG_PTP,
+ "PTP settime called while the interface is down\n");
+ return -ENETDOWN;
+ }
+
ns = timespec64_to_ns(ts);

DP(BNX2X_MSG_PTP, "PTP settime called, ns = %llu\n", ns);
--
2.11.0

Next message: alexander . levin: "[PATCH AUTOSEL for 4.4 19/32] arm64: KVM: Survive unknown traps from guests"
Previous message: alexander . levin: "[PATCH AUTOSEL for 4.4 22/32] bnx2x: fix possible overrun of VFPF multicast addresses array"
In reply to: alexander . levin: "[PATCH AUTOSEL for 4.4 22/32] bnx2x: fix possible overrun of VFPF multicast addresses array"
Next in thread: alexander . levin: "[PATCH AUTOSEL for 4.4 19/32] arm64: KVM: Survive unknown traps from guests"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]