[PATCH] net: core: prevent NULL deref in generic_hwtstamp_ioctl_lower()
10 views
Skip to first unread message
Jiaming Zhang
Oct 30, 2025, 5:36:32 AMOct 30
to kory.m...@bootlin.com, da...@davemloft.net, edum...@google.com, ho...@kernel.org, ku...@kernel.org, kun...@google.com, linux-...@vger.kernel.org, net...@vger.kernel.org, pab...@redhat.com, r7725...@gmail.com, s...@fomichev.me, syzk...@googlegroups.com, vladimi...@nxp.com, sta...@vger.kernel.org
The ethtool tsconfig Netlink path can trigger a null pointer
dereference. A call chain such as:
tsconfig_prepare_data() ->
dev_get_hwtstamp_phylib() ->
vlan_hwtstamp_get() ->
generic_hwtstamp_get_lower() ->
generic_hwtstamp_ioctl_lower()
results in generic_hwtstamp_ioctl_lower() being called with
kernel_cfg->ifr as NULL.
The generic_hwtstamp_ioctl_lower() function does not expect a
NULL ifr and dereferences it, leading to a system crash.
Fix this by adding a NULL check for kernel_cfg->ifr in
generic_hwtstamp_get/set_lower(). If ifr is NULL, return
-EOPNOTSUPP to prevent the call to the legacy IOCTL helper.
Fixes: 6e9e2eed4f39 ("net: ethtool: Add support for tsconfig command to get/set hwtstamp config")
Closes: https://lore.kernel.org/lkml/cd6a7056-fa6d-43f8...@linux.dev/T/#mf5df538e21753e3045de98f25aa18d948be07df3
Signed-off-by: Jiaming Zhang <r7725...@gmail.com>
---
net/core/dev_ioctl.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/net/core/dev_ioctl.c b/net/core/dev_ioctl.c
index ad54b12d4b4c..39eaf6ba981a 100644
--- a/net/core/dev_ioctl.c
+++ b/net/core/dev_ioctl.c
@@ -474,6 +474,10 @@ int generic_hwtstamp_get_lower(struct net_device *dev,
return err;
}
+ /* Netlink path with unconverted driver */
+ if (!kernel_cfg->ifr)
+ return -EOPNOTSUPP;
+
/* Legacy path: unconverted lower driver */
return generic_hwtstamp_ioctl_lower(dev, SIOCGHWTSTAMP, kernel_cfg);
}
@@ -498,6 +502,10 @@ int generic_hwtstamp_set_lower(struct net_device *dev,
return err;
}
+ /* Netlink path with unconverted driver */
+ if (!kernel_cfg->ifr)
+ return -EOPNOTSUPP;
+
/* Legacy path: unconverted lower driver */
return generic_hwtstamp_ioctl_lower(dev, SIOCSHWTSTAMP, kernel_cfg);
}
--
2.34.1
dereference. A call chain such as:
tsconfig_prepare_data() ->
dev_get_hwtstamp_phylib() ->
vlan_hwtstamp_get() ->
generic_hwtstamp_get_lower() ->
generic_hwtstamp_ioctl_lower()
results in generic_hwtstamp_ioctl_lower() being called with
kernel_cfg->ifr as NULL.
The generic_hwtstamp_ioctl_lower() function does not expect a
NULL ifr and dereferences it, leading to a system crash.
Fix this by adding a NULL check for kernel_cfg->ifr in
generic_hwtstamp_get/set_lower(). If ifr is NULL, return
-EOPNOTSUPP to prevent the call to the legacy IOCTL helper.
Fixes: 6e9e2eed4f39 ("net: ethtool: Add support for tsconfig command to get/set hwtstamp config")
Closes: https://lore.kernel.org/lkml/cd6a7056-fa6d-43f8...@linux.dev/T/#mf5df538e21753e3045de98f25aa18d948be07df3
Signed-off-by: Jiaming Zhang <r7725...@gmail.com>
---
net/core/dev_ioctl.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/net/core/dev_ioctl.c b/net/core/dev_ioctl.c
index ad54b12d4b4c..39eaf6ba981a 100644
--- a/net/core/dev_ioctl.c
+++ b/net/core/dev_ioctl.c
@@ -474,6 +474,10 @@ int generic_hwtstamp_get_lower(struct net_device *dev,
return err;
}
+ /* Netlink path with unconverted driver */
+ if (!kernel_cfg->ifr)
+ return -EOPNOTSUPP;
+
/* Legacy path: unconverted lower driver */
return generic_hwtstamp_ioctl_lower(dev, SIOCGHWTSTAMP, kernel_cfg);
}
@@ -498,6 +502,10 @@ int generic_hwtstamp_set_lower(struct net_device *dev,
return err;
}
+ /* Netlink path with unconverted driver */
+ if (!kernel_cfg->ifr)
+ return -EOPNOTSUPP;
+
/* Legacy path: unconverted lower driver */
return generic_hwtstamp_ioctl_lower(dev, SIOCSHWTSTAMP, kernel_cfg);
}
--
2.34.1
Kory Maincent
Oct 30, 2025, 6:15:29 AMOct 30
to Jiaming Zhang, da...@davemloft.net, edum...@google.com, ho...@kernel.org, ku...@kernel.org, kun...@google.com, linux-...@vger.kernel.org, net...@vger.kernel.org, pab...@redhat.com, s...@fomichev.me, syzk...@googlegroups.com, vladimi...@nxp.com, sta...@vger.kernel.org
With this change:
Reviewed-by: Kory Maincent <kory.m...@bootlin.com>
Thank you!
> + if (!kernel_cfg->ifr)
> + return -EOPNOTSUPP;
> +
> /* Legacy path: unconverted lower driver */
> return generic_hwtstamp_ioctl_lower(dev, SIOCGHWTSTAMP, kernel_cfg);
> }
> @@ -498,6 +502,10 @@ int generic_hwtstamp_set_lower(struct net_device *dev,
> return err;
> }
>
> + /* Netlink path with unconverted driver */
> + if (!kernel_cfg->ifr)
> + return -EOPNOTSUPP;
> +
> /* Legacy path: unconverted lower driver */
> return generic_hwtstamp_ioctl_lower(dev, SIOCSHWTSTAMP, kernel_cfg);
> }
--
Embedded Linux and kernel engineering
https://bootlin.com
Jiaming Zhang
Oct 30, 2025, 6:49:55 AMOct 30
to kory.m...@bootlin.com, da...@davemloft.net, edum...@google.com, ho...@kernel.org, ku...@kernel.org, kun...@google.com, linux-...@vger.kernel.org, net...@vger.kernel.org, pab...@redhat.com, r7725...@gmail.com, s...@fomichev.me, sta...@vger.kernel.org, syzk...@googlegroups.com, vladimi...@nxp.com
The ethtool tsconfig Netlink path can trigger a null pointer
dereference. A call chain such as:
tsconfig_prepare_data() ->
dev_get_hwtstamp_phylib() ->
vlan_hwtstamp_get() ->
generic_hwtstamp_get_lower() ->
generic_hwtstamp_ioctl_lower()
results in generic_hwtstamp_ioctl_lower() being called with
kernel_cfg->ifr as NULL.
The generic_hwtstamp_ioctl_lower() function does not expect a
NULL ifr and dereferences it, leading to a system crash.
Fix this by adding a NULL check for kernel_cfg->ifr in
generic_hwtstamp_get/set_lower(). If ifr is NULL, return
-EOPNOTSUPP to prevent the call to the legacy IOCTL helper.
Fixes: 6e9e2eed4f39 ("net: ethtool: Add support for tsconfig command to get/set hwtstamp config")
Closes: https://lore.kernel.org/lkml/cd6a7056-fa6d-43f8...@linux.dev/T/#mf5df538e21753e3045de98f25aa18d948be07df3
Signed-off-by: Jiaming Zhang <r7725...@gmail.com>
---
net/core/dev_ioctl.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/net/core/dev_ioctl.c b/net/core/dev_ioctl.c
index ad54b12d4b4c..a32e1036f12a 100644
dereference. A call chain such as:
tsconfig_prepare_data() ->
dev_get_hwtstamp_phylib() ->
vlan_hwtstamp_get() ->
generic_hwtstamp_get_lower() ->
generic_hwtstamp_ioctl_lower()
results in generic_hwtstamp_ioctl_lower() being called with
kernel_cfg->ifr as NULL.
The generic_hwtstamp_ioctl_lower() function does not expect a
NULL ifr and dereferences it, leading to a system crash.
Fix this by adding a NULL check for kernel_cfg->ifr in
generic_hwtstamp_get/set_lower(). If ifr is NULL, return
-EOPNOTSUPP to prevent the call to the legacy IOCTL helper.
Fixes: 6e9e2eed4f39 ("net: ethtool: Add support for tsconfig command to get/set hwtstamp config")
Closes: https://lore.kernel.org/lkml/cd6a7056-fa6d-43f8...@linux.dev/T/#mf5df538e21753e3045de98f25aa18d948be07df3
Signed-off-by: Jiaming Zhang <r7725...@gmail.com>
---
net/core/dev_ioctl.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/net/core/dev_ioctl.c b/net/core/dev_ioctl.c
--- a/net/core/dev_ioctl.c
+++ b/net/core/dev_ioctl.c
@@ -474,6 +474,10 @@ int generic_hwtstamp_get_lower(struct net_device *dev,
return err;
}
+ /* Netlink path with unconverted lower driver */
+++ b/net/core/dev_ioctl.c
@@ -474,6 +474,10 @@ int generic_hwtstamp_get_lower(struct net_device *dev,
return err;
}
+ if (!kernel_cfg->ifr)
+ return -EOPNOTSUPP;
+
/* Legacy path: unconverted lower driver */
return generic_hwtstamp_ioctl_lower(dev, SIOCGHWTSTAMP, kernel_cfg);
}
@@ -498,6 +502,10 @@ int generic_hwtstamp_set_lower(struct net_device *dev,
return err;
}
+ /* Netlink path with unconverted lower driver */
+ return -EOPNOTSUPP;
+
/* Legacy path: unconverted lower driver */
return generic_hwtstamp_ioctl_lower(dev, SIOCGHWTSTAMP, kernel_cfg);
}
@@ -498,6 +502,10 @@ int generic_hwtstamp_set_lower(struct net_device *dev,
return err;
}
+ if (!kernel_cfg->ifr)
+ return -EOPNOTSUPP;
+
/* Legacy path: unconverted lower driver */
return generic_hwtstamp_ioctl_lower(dev, SIOCSHWTSTAMP, kernel_cfg);
}
--
2.34.1
+ return -EOPNOTSUPP;
+
/* Legacy path: unconverted lower driver */
return generic_hwtstamp_ioctl_lower(dev, SIOCSHWTSTAMP, kernel_cfg);
}
--
Jiaming Zhang
Oct 30, 2025, 8:49:58 AMOct 30
to kory.m...@bootlin.com, da...@davemloft.net, edum...@google.com, ho...@kernel.org, ku...@kernel.org, kun...@google.com, linux-...@vger.kernel.org, net...@vger.kernel.org, pab...@redhat.com, r7725...@gmail.com, s...@fomichev.me, syzk...@googlegroups.com, vladimi...@nxp.com
Hi Kory,
Apologies for the resubmission (v3); I forgot to add Reviewed-by tag in
the v2 patch.
v3:
- Add Kory's Reviewed-by tag.
v2:
- Fix typo in comment ("driver" -> "lower driver")
Best Regards,
Jiaming Zhang
Jiaming Zhang (1):
net: core: prevent NULL deref in generic_hwtstamp_ioctl_lower()
net/core/dev_ioctl.c | 8 ++++++++
1 file changed, 8 insertions(+)
--
2.34.1
Apologies for the resubmission (v3); I forgot to add Reviewed-by tag in
the v2 patch.
v3:
- Add Kory's Reviewed-by tag.
v2:
- Fix typo in comment ("driver" -> "lower driver")
Best Regards,
Jiaming Zhang
Jiaming Zhang (1):
net: core: prevent NULL deref in generic_hwtstamp_ioctl_lower()
net/core/dev_ioctl.c | 8 ++++++++
1 file changed, 8 insertions(+)
2.34.1
Jiaming Zhang
Oct 30, 2025, 8:50:02 AMOct 30
to kory.m...@bootlin.com, da...@davemloft.net, edum...@google.com, ho...@kernel.org, ku...@kernel.org, kun...@google.com, linux-...@vger.kernel.org, net...@vger.kernel.org, pab...@redhat.com, r7725...@gmail.com, s...@fomichev.me, syzk...@googlegroups.com, vladimi...@nxp.com
The ethtool tsconfig Netlink path can trigger a null pointer
dereference. A call chain such as:
tsconfig_prepare_data() ->
dev_get_hwtstamp_phylib() ->
vlan_hwtstamp_get() ->
generic_hwtstamp_get_lower() ->
generic_hwtstamp_ioctl_lower()
results in generic_hwtstamp_ioctl_lower() being called with
kernel_cfg->ifr as NULL.
The generic_hwtstamp_ioctl_lower() function does not expect a
NULL ifr and dereferences it, leading to a system crash.
Fix this by adding a NULL check for kernel_cfg->ifr in
generic_hwtstamp_get/set_lower(). If ifr is NULL, return
-EOPNOTSUPP to prevent the call to the legacy IOCTL helper.
Fixes: 6e9e2eed4f39 ("net: ethtool: Add support for tsconfig command to get/set hwtstamp config")
Closes: https://lore.kernel.org/lkml/cd6a7056-fa6d-43f8...@linux.dev/T/#mf5df538e21753e3045de98f25aa18d948be07df3
Signed-off-by: Jiaming Zhang <r7725...@gmail.com>
Reviewed-by: Kory Maincent <kory.m...@bootlin.com>
dereference. A call chain such as:
tsconfig_prepare_data() ->
dev_get_hwtstamp_phylib() ->
vlan_hwtstamp_get() ->
generic_hwtstamp_get_lower() ->
generic_hwtstamp_ioctl_lower()
results in generic_hwtstamp_ioctl_lower() being called with
kernel_cfg->ifr as NULL.
The generic_hwtstamp_ioctl_lower() function does not expect a
NULL ifr and dereferences it, leading to a system crash.
Fix this by adding a NULL check for kernel_cfg->ifr in
generic_hwtstamp_get/set_lower(). If ifr is NULL, return
-EOPNOTSUPP to prevent the call to the legacy IOCTL helper.
Fixes: 6e9e2eed4f39 ("net: ethtool: Add support for tsconfig command to get/set hwtstamp config")
Closes: https://lore.kernel.org/lkml/cd6a7056-fa6d-43f8...@linux.dev/T/#mf5df538e21753e3045de98f25aa18d948be07df3
Signed-off-by: Jiaming Zhang <r7725...@gmail.com>
---
net/core/dev_ioctl.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/net/core/dev_ioctl.c b/net/core/dev_ioctl.c
1 file changed, 8 insertions(+)
index ad54b12d4b4c..a32e1036f12a 100644
--- a/net/core/dev_ioctl.c
+++ b/net/core/dev_ioctl.c
@@ -474,6 +474,10 @@ int generic_hwtstamp_get_lower(struct net_device *dev,
return err;
}
+ /* Netlink path with unconverted lower driver */
+++ b/net/core/dev_ioctl.c
@@ -474,6 +474,10 @@ int generic_hwtstamp_get_lower(struct net_device *dev,
return err;
}
+ if (!kernel_cfg->ifr)
+ return -EOPNOTSUPP;
+
/* Legacy path: unconverted lower driver */
return generic_hwtstamp_ioctl_lower(dev, SIOCGHWTSTAMP, kernel_cfg);
}
@@ -498,6 +502,10 @@ int generic_hwtstamp_set_lower(struct net_device *dev,
return err;
}
+ /* Netlink path with unconverted lower driver */
+ return -EOPNOTSUPP;
+
/* Legacy path: unconverted lower driver */
return generic_hwtstamp_ioctl_lower(dev, SIOCGHWTSTAMP, kernel_cfg);
}
@@ -498,6 +502,10 @@ int generic_hwtstamp_set_lower(struct net_device *dev,
return err;
}
+ if (!kernel_cfg->ifr)
+ return -EOPNOTSUPP;
+
/* Legacy path: unconverted lower driver */
return generic_hwtstamp_ioctl_lower(dev, SIOCSHWTSTAMP, kernel_cfg);
}
--
2.34.1
+ return -EOPNOTSUPP;
+
/* Legacy path: unconverted lower driver */
return generic_hwtstamp_ioctl_lower(dev, SIOCSHWTSTAMP, kernel_cfg);
}
--
Jakub Kicinski
Nov 3, 2025, 8:16:03 PMNov 3
to Jiaming Zhang, kory.m...@bootlin.com, da...@davemloft.net, edum...@google.com, ho...@kernel.org, kun...@google.com, linux-...@vger.kernel.org, net...@vger.kernel.org, pab...@redhat.com, s...@fomichev.me, syzk...@googlegroups.com, vladimi...@nxp.com
On Thu, 30 Oct 2025 12:49:47 +0000 Jiaming Zhang wrote:
> + /* Netlink path with unconverted lower driver */
> + if (!kernel_cfg->ifr)
> + return -EOPNOTSUPP;
> +
> /* Legacy path: unconverted lower driver */
> return generic_hwtstamp_ioctl_lower(dev, SIOCGHWTSTAMP, kernel_cfg);
> }
> @@ -498,6 +502,10 @@ int generic_hwtstamp_set_lower(struct net_device *dev,
> return err;
> }
>
> + /* Netlink path with unconverted lower driver */
> + if (!kernel_cfg->ifr)
> + return -EOPNOTSUPP;
> +
> /* Legacy path: unconverted lower driver */
> return generic_hwtstamp_ioctl_lower(dev, SIOCSHWTSTAMP, kernel_cfg);
Sorry but nit:
> + /* Netlink path with unconverted lower driver */
> + if (!kernel_cfg->ifr)
> + return -EOPNOTSUPP;
> +
> /* Legacy path: unconverted lower driver */
> return generic_hwtstamp_ioctl_lower(dev, SIOCGHWTSTAMP, kernel_cfg);
> }
> @@ -498,6 +502,10 @@ int generic_hwtstamp_set_lower(struct net_device *dev,
> return err;
> }
>
> + /* Netlink path with unconverted lower driver */
> + if (!kernel_cfg->ifr)
> + return -EOPNOTSUPP;
> +
> /* Legacy path: unconverted lower driver */
> return generic_hwtstamp_ioctl_lower(dev, SIOCSHWTSTAMP, kernel_cfg);
instead of adding this to both callers you can add the check in
generic_hwtstamp_ioctl_lower().
--
pw-bot: cr
Jiaming Zhang
Nov 11, 2025, 12:37:15 PMNov 11
to ku...@kernel.org, da...@davemloft.net, edum...@google.com, ho...@kernel.org, kory.m...@bootlin.com, kun...@google.com, linux-...@vger.kernel.org, net...@vger.kernel.org, pab...@redhat.com, r7725...@gmail.com, s...@fomichev.me, syzk...@googlegroups.com, vladimi...@nxp.com
Hi Jakub,
Sorry for the late response. I have updated the patch, NULL check
is moved from get/set caller to generic_hwstamp_ioctl_lower().
Please let me know if any change is needed :)
v4:
- Move NULL check from generic_hwtstamp_get/set_lower()
to generic_hwtstamp_ioctl_lower()
v3:
- Add Kory's Reviewed-by tag.
v2:
- Fix typo in comment ("driver" -> "lower driver")
Best Regards,
Jiaming Zhang
Jiaming Zhang (1):
net: core: prevent NULL deref in generic_hwtstamp_ioctl_lower()
net/core/dev_ioctl.c | 3 +++
1 file changed, 3 insertions(+)
--
2.34.1
Sorry for the late response. I have updated the patch, NULL check
is moved from get/set caller to generic_hwstamp_ioctl_lower().
Please let me know if any change is needed :)
v4:
- Move NULL check from generic_hwtstamp_get/set_lower()
to generic_hwtstamp_ioctl_lower()
v3:
- Add Kory's Reviewed-by tag.
v2:
- Fix typo in comment ("driver" -> "lower driver")
Best Regards,
Jiaming Zhang
Jiaming Zhang (1):
net: core: prevent NULL deref in generic_hwtstamp_ioctl_lower()
1 file changed, 3 insertions(+)
--
2.34.1
Jiaming Zhang
Nov 11, 2025, 12:37:21 PMNov 11
to ku...@kernel.org, da...@davemloft.net, edum...@google.com, ho...@kernel.org, kory.m...@bootlin.com, kun...@google.com, linux-...@vger.kernel.org, net...@vger.kernel.org, pab...@redhat.com, r7725...@gmail.com, s...@fomichev.me, syzk...@googlegroups.com, vladimi...@nxp.com
The ethtool tsconfig Netlink path can trigger a null pointer
dereference. A call chain such as:
tsconfig_prepare_data() ->
dev_get_hwtstamp_phylib() ->
vlan_hwtstamp_get() ->
generic_hwtstamp_get_lower() ->
generic_hwtstamp_ioctl_lower()
results in generic_hwtstamp_ioctl_lower() being called with
kernel_cfg->ifr as NULL.
The generic_hwtstamp_ioctl_lower() function does not expect a
NULL ifr and dereferences it, leading to a system crash.
Fix this by adding a NULL check for kernel_cfg->ifr in
generic_hwtstamp_ioctl_lower(). If ifr is NULL, return -EINVAL.
dereference. A call chain such as:
tsconfig_prepare_data() ->
dev_get_hwtstamp_phylib() ->
vlan_hwtstamp_get() ->
generic_hwtstamp_get_lower() ->
generic_hwtstamp_ioctl_lower()
results in generic_hwtstamp_ioctl_lower() being called with
kernel_cfg->ifr as NULL.
The generic_hwtstamp_ioctl_lower() function does not expect a
NULL ifr and dereferences it, leading to a system crash.
Fix this by adding a NULL check for kernel_cfg->ifr in
Fixes: 6e9e2eed4f39 ("net: ethtool: Add support for tsconfig command to get/set hwtstamp config")
Closes: https://lore.kernel.org/lkml/cd6a7056-fa6d-43f8...@linux.dev/T/#mf5df538e21753e3045de98f25aa18d948be07df3
Signed-off-by: Jiaming Zhang <r7725...@gmail.com>
net/core/dev_ioctl.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/core/dev_ioctl.c b/net/core/dev_ioctl.c
1 file changed, 3 insertions(+)
index ad54b12d4b4c..8bb71a10dba0 100644
--- a/net/core/dev_ioctl.c
+++ b/net/core/dev_ioctl.c
@@ -443,6 +443,9 @@ static int generic_hwtstamp_ioctl_lower(struct net_device *dev, int cmd,
struct ifreq ifrr;
int err;
+ if (!kernel_cfg->ifr)
+ return -EINVAL;
+
strscpy_pad(ifrr.ifr_name, dev->name, IFNAMSIZ);
ifrr.ifr_ifru = kernel_cfg->ifr->ifr_ifru;
--
2.34.1
Kory Maincent
Nov 12, 2025, 10:56:39 AMNov 12
to Jiaming Zhang, ku...@kernel.org, da...@davemloft.net, edum...@google.com, ho...@kernel.org, kun...@google.com, linux-...@vger.kernel.org, net...@vger.kernel.org, pab...@redhat.com, s...@fomichev.me, syzk...@googlegroups.com, vladimi...@nxp.com
On Wed, 12 Nov 2025 01:36:52 +0800
Jiaming Zhang <r7725...@gmail.com> wrote:
> The ethtool tsconfig Netlink path can trigger a null pointer
> dereference. A call chain such as:
>
> tsconfig_prepare_data() ->
> dev_get_hwtstamp_phylib() ->
> vlan_hwtstamp_get() ->
> generic_hwtstamp_get_lower() ->
> generic_hwtstamp_ioctl_lower()
>
> results in generic_hwtstamp_ioctl_lower() being called with
> kernel_cfg->ifr as NULL.
>
> The generic_hwtstamp_ioctl_lower() function does not expect a
> NULL ifr and dereferences it, leading to a system crash.
>
> Fix this by adding a NULL check for kernel_cfg->ifr in
> generic_hwtstamp_ioctl_lower(). If ifr is NULL, return -EINVAL.
>
> Fixes: 6e9e2eed4f39 ("net: ethtool: Add support for tsconfig command to
> get/set hwtstamp config") Closes:
> https://lore.kernel.org/lkml/cd6a7056-fa6d-43f8...@linux.dev/T/#mf5df538e21753e3045de98f25aa18d948be07df3
>
> Signed-off-by: Jiaming Zhang <r7725...@gmail.com>
Jiaming Zhang <r7725...@gmail.com> wrote:
> The ethtool tsconfig Netlink path can trigger a null pointer
> dereference. A call chain such as:
>
> tsconfig_prepare_data() ->
> dev_get_hwtstamp_phylib() ->
> vlan_hwtstamp_get() ->
> generic_hwtstamp_get_lower() ->
> generic_hwtstamp_ioctl_lower()
>
> results in generic_hwtstamp_ioctl_lower() being called with
> kernel_cfg->ifr as NULL.
>
> The generic_hwtstamp_ioctl_lower() function does not expect a
> NULL ifr and dereferences it, leading to a system crash.
>
> Fix this by adding a NULL check for kernel_cfg->ifr in
> generic_hwtstamp_ioctl_lower(). If ifr is NULL, return -EINVAL.
>
> Fixes: 6e9e2eed4f39 ("net: ethtool: Add support for tsconfig command to
> get/set hwtstamp config") Closes:
> https://lore.kernel.org/lkml/cd6a7056-fa6d-43f8...@linux.dev/T/#mf5df538e21753e3045de98f25aa18d948be07df3
>
> Signed-off-by: Jiaming Zhang <r7725...@gmail.com>
patchwork-b...@kernel.org
Nov 13, 2025, 8:40:46 PMNov 13
to Jiaming Zhang, ku...@kernel.org, da...@davemloft.net, edum...@google.com, ho...@kernel.org, kory.m...@bootlin.com, kun...@google.com, linux-...@vger.kernel.org, net...@vger.kernel.org, pab...@redhat.com, s...@fomichev.me, syzk...@googlegroups.com, vladimi...@nxp.com
Hello:
This patch was applied to netdev/net.git (main)
by Jakub Kicinski <ku...@kernel.org>:
On Wed, 12 Nov 2025 01:36:51 +0800 you wrote:
> Hi Jakub,
>
> Sorry for the late response. I have updated the patch, NULL check
> is moved from get/set caller to generic_hwstamp_ioctl_lower().
>
> Please let me know if any change is needed :)
>
> [...]
Here is the summary with links:
- [v4,1/1] net: core: prevent NULL deref in generic_hwtstamp_ioctl_lower()
https://git.kernel.org/netdev/net/c/f796a8dec9be
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
This patch was applied to netdev/net.git (main)
by Jakub Kicinski <ku...@kernel.org>:
On Wed, 12 Nov 2025 01:36:51 +0800 you wrote:
> Hi Jakub,
>
> Sorry for the late response. I have updated the patch, NULL check
> is moved from get/set caller to generic_hwstamp_ioctl_lower().
>
> Please let me know if any change is needed :)
>
Here is the summary with links:
- [v4,1/1] net: core: prevent NULL deref in generic_hwtstamp_ioctl_lower()
https://git.kernel.org/netdev/net/c/f796a8dec9be
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
Reply all
Reply to author
Forward
0 new messages