Commit cedc1bf3 authored Mar 29, 2026 by Lorenzo Bianconi Committed by Jakub Kicinski Mar 30, 2026

net: airoha: Delay offloading until all net_devices are fully registered

Netfilter flowtable can theoretically try to offload flower rules as soon
as a net_device is registered while all the other ones are not
registered or initialized, triggering a possible NULL pointer dereferencing
of qdma pointer in airoha_ppe_set_cpu_port routine. Moreover, if
register_netdev() fails for a particular net_device, there is a small
race if Netfilter tries to offload flowtable rules before all the
net_devices are properly unregistered in airoha_probe() error patch,
triggering a NULL pointer dereferencing in airoha_ppe_set_cpu_port
routine. In order to avoid any possible race, delay offloading until
all net_devices are registered in the networking subsystem.

Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Link: https://patch.msgid.link/20260329-airoha-regiser-race-fix-v2-1-f4ebb139277b@kernel.org

Signed-off-by: Jakub Kicinski <kuba@kernel.org>

parent e6e3eb5e

drivers/net/ethernet/airoha/airoha_eth.c

+2 −0

Original line number	Diff line number	Diff line
		@@ -2962,6 +2962,8 @@ static int airoha_register_gdm_devices(struct airoha_eth *eth)
		return err;
		}

		set_bit(DEV_STATE_REGISTERED, &eth->state);

		return 0;
		}

drivers/net/ethernet/airoha/airoha_eth.h

+1 −0

Original line number	Diff line number	Diff line
		@@ -88,6 +88,7 @@ enum {

		enum {
		DEV_STATE_INITIALIZED,
		DEV_STATE_REGISTERED,
		};

		enum {

drivers/net/ethernet/airoha/airoha_ppe.c

+7 −0

Original line number	Diff line number	Diff line
		@@ -1368,6 +1368,13 @@ int airoha_ppe_setup_tc_block_cb(struct airoha_ppe_dev dev, void type_data)
		struct airoha_eth *eth = ppe->eth;
		int err = 0;

		/* Netfilter flowtable can try to offload flower rules while not all
		* the net_devices are registered or initialized. Delay offloading
		* until all net_devices are registered in the system.
		*/
		if (!test_bit(DEV_STATE_REGISTERED, &eth->state))
		return -EBUSY;

		mutex_lock(&flow_offload_mutex);

		if (!eth->npu)