From f62457df5cc46ea0729fface07ffa885e85ef404 Mon Sep 17 00:00:00 2001 From: Matt Johnston Date: Fri, 25 Feb 2022 13:39:36 +0800 Subject: [PATCH 1/3] mctp: Avoid warning if unregister notifies twice Previously if an unregister notify handler ran twice (waiting for netdev to be released) it would print a warning in mctp_unregister() every subsequent time the unregister notify occured. Instead we only need to worry about the case where a mctp_ptr is set on an unknown device type. Signed-off-by: Matt Johnston Signed-off-by: Jakub Kicinski --- net/mctp/device.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/net/mctp/device.c b/net/mctp/device.c index da13444c632bf..f49be882e98e2 100644 --- a/net/mctp/device.c +++ b/net/mctp/device.c @@ -428,10 +428,10 @@ static void mctp_unregister(struct net_device *dev) struct mctp_dev *mdev; mdev = mctp_dev_get_rtnl(dev); - if (mctp_known(dev) != (bool)mdev) { + if (mdev && !mctp_known(dev)) { // Sanity check, should match what was set in mctp_register - netdev_warn(dev, "%s: mdev pointer %d but type (%d) match is %d", - __func__, (bool)mdev, mctp_known(dev), dev->type); + netdev_warn(dev, "%s: BUG mctp_ptr set for unknown type %d", + __func__, dev->type); return; } if (!mdev) @@ -455,7 +455,7 @@ static int mctp_register(struct net_device *dev) if (mdev) { if (!mctp_known(dev)) - netdev_warn(dev, "%s: mctp_dev set for unknown type %d", + netdev_warn(dev, "%s: BUG mctp_ptr set for unknown type %d", __func__, dev->type); return 0; } From 06bf1ce69d55729dc132d423d626398254fedc58 Mon Sep 17 00:00:00 2001 From: Matt Johnston Date: Fri, 25 Feb 2022 13:39:37 +0800 Subject: [PATCH 2/3] mctp i2c: Fix potential use-after-free The skb is handed off to netif_rx() which may free it. Found by Smatch. Reported-by: Dan Carpenter Signed-off-by: Matt Johnston Signed-off-by: Jakub Kicinski --- drivers/net/mctp/mctp-i2c.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/mctp/mctp-i2c.c b/drivers/net/mctp/mctp-i2c.c index 365c3dfd4034e..470682c88d7e5 100644 --- a/drivers/net/mctp/mctp-i2c.c +++ b/drivers/net/mctp/mctp-i2c.c @@ -338,7 +338,7 @@ static int mctp_i2c_recv(struct mctp_i2c_dev *midev) if (status == NET_RX_SUCCESS) { ndev->stats.rx_packets++; - ndev->stats.rx_bytes += skb->len; + ndev->stats.rx_bytes += recvlen; } else { ndev->stats.rx_dropped++; } From 33f5d1a9d9707d1c9ab227aadd9498664e0442e4 Mon Sep 17 00:00:00 2001 From: Matt Johnston Date: Fri, 25 Feb 2022 13:39:38 +0800 Subject: [PATCH 3/3] mctp i2c: Fix hard head TX bounds length check We should be testing the length before fitting into the u8 byte_count. This is just a sanity check, the MCTP stack should have limited to MTU which is checked, and we check consistency later in mctp_i2c_xmit(). Found by Smatch mctp_i2c_header_create() warn: impossible condition '(hdr->byte_count > 255) => (0-255 > 255)' Signed-off-by: Matt Johnston Signed-off-by: Jakub Kicinski --- drivers/net/mctp/mctp-i2c.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/drivers/net/mctp/mctp-i2c.c b/drivers/net/mctp/mctp-i2c.c index 470682c88d7e5..baf7afac7857e 100644 --- a/drivers/net/mctp/mctp-i2c.c +++ b/drivers/net/mctp/mctp-i2c.c @@ -537,6 +537,9 @@ static int mctp_i2c_header_create(struct sk_buff *skb, struct net_device *dev, struct mctp_hdr *mhdr; u8 lldst, llsrc; + if (len > MCTP_I2C_MAXMTU) + return -EMSGSIZE; + lldst = *((u8 *)daddr); llsrc = *((u8 *)saddr); @@ -547,8 +550,6 @@ static int mctp_i2c_header_create(struct sk_buff *skb, struct net_device *dev, hdr->dest_slave = (lldst << 1) & 0xff; hdr->command = MCTP_I2C_COMMANDCODE; hdr->byte_count = len + 1; - if (hdr->byte_count > MCTP_I2C_MAXBLOCK) - return -EMSGSIZE; hdr->source_slave = ((llsrc << 1) & 0xff) | 0x01; mhdr->ver = 0x01;