Commit 74d6529b authored by Heng Qi's avatar Heng Qi Committed by David S. Miller
Browse files

net: ethtool: Fix the panic caused by dev being null when dumping coalesce 



syzbot reported a general protection fault caused by a null pointer
dereference in coalesce_fill_reply(). The issue occurs when req_base->dev
is null, leading to an invalid memory access.

This panic occurs if dumping coalesce when no device name is specified.

Fixes: f750dfe8 ("ethtool: provide customized dim profile management")
Reported-by: default avatar <syzbot+e77327e34cdc8c36b7d3@syzkaller.appspotmail.com>
Closes: https://syzkaller.appspot.com/bug?extid=e77327e34cdc8c36b7d3


Signed-off-by: default avatarHeng Qi <hengqi@linux.alibaba.com>
Reviewed-by: default avatarSimon Horman <horms@kernel.org>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent f61c72be

net/ethtool/coalesce.c

+3 −2
Original line number Diff line number Diff line
@@ -211,9 +211,9 @@ static int coalesce_fill_reply(struct sk_buff *skb, 
{

	const struct coalesce_reply_data *data = COALESCE_REPDATA(reply_base);

	const struct kernel_ethtool_coalesce *kcoal = &data->kernel_coalesce;

	struct dim_irq_moder *moder = req_base->dev->irq_moder;

	const struct ethtool_coalesce *coal = &data->coalesce;

	u32 supported = data->supported_params;

	struct dim_irq_moder *moder;

	int ret = 0;



	if (coalesce_put_u32(skb, ETHTOOL_A_COALESCE_RX_USECS,
@@ -272,9 +272,10 @@ static int coalesce_fill_reply(struct sk_buff *skb, 
			     kcoal->tx_aggr_time_usecs, supported))

		return -EMSGSIZE;



	if (!moder)

	if (!req_base->dev || !req_base->dev->irq_moder)

		return 0;



	moder = req_base->dev->irq_moder;

	rcu_read_lock();

	if (moder->profile_flags & DIM_PROFILE_RX) {

		ret = coalesce_put_profile(skb, ETHTOOL_A_COALESCE_RX_PROFILE,