net: ethtool: Fix the panic caused by dev being null when dumping coa…

…lesce syzbot reported a general protection fault caused by a null pointer dereference in coalesce_fill_reply(). The issue occurs when req_base->dev is null, leading to an invalid memory access. This panic occurs if dumping coalesce when no device name is specified. Fixes: f750dfe ("ethtool: provide customized dim profile management") Reported-by: syzbot+e77327e34cdc8c36b7d3@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=e77327e34cdc8c36b7d3 Signed-off-by: Heng Qi <hengqi@linux.alibaba.com> Reviewed-by: Simon Horman <horms@kernel.org> Signed-off-by: David S. Miller <davem@davemloft.net>
mariux64 · Jul 1, 2024 · 74d6529 · 74d6529
1 parent f61c72b
commit 74d6529
Showing 1 changed file with 3 additions and 2 deletions.
diff --git a/net/ethtool/coalesce.c b/net/ethtool/coalesce.c
@@ -211,9 +211,9 @@ static int coalesce_fill_reply(struct sk_buff *skb,
 {
 	const struct coalesce_reply_data *data = COALESCE_REPDATA(reply_base);
 	const struct kernel_ethtool_coalesce *kcoal = &data->kernel_coalesce;
-	struct dim_irq_moder *moder = req_base->dev->irq_moder;
 	const struct ethtool_coalesce *coal = &data->coalesce;
 	u32 supported = data->supported_params;
+	struct dim_irq_moder *moder;
 	int ret = 0;
 
 	if (coalesce_put_u32(skb, ETHTOOL_A_COALESCE_RX_USECS,
@@ -272,9 +272,10 @@ static int coalesce_fill_reply(struct sk_buff *skb,
 			     kcoal->tx_aggr_time_usecs, supported))
 		return -EMSGSIZE;
 
-	if (!moder)
+	if (!req_base->dev || !req_base->dev->irq_moder)
 		return 0;
 
+	moder = req_base->dev->irq_moder;
 	rcu_read_lock();
 	if (moder->profile_flags & DIM_PROFILE_RX) {
 		ret = coalesce_put_profile(skb, ETHTOOL_A_COALESCE_RX_PROFILE,