[PATCH] net: core: prevent NULL deref in generic_hwtstamp_ioctl_lower()
4 views
Skip to first unread message
Jiaming Zhang
Oct 30, 2025, 5:36:32 AM (11 days ago) Oct 30
to kory.m...@bootlin.com, da...@davemloft.net, edum...@google.com, ho...@kernel.org, ku...@kernel.org, kun...@google.com, linux-...@vger.kernel.org, net...@vger.kernel.org, pab...@redhat.com, r7725...@gmail.com, s...@fomichev.me, syzk...@googlegroups.com, vladimi...@nxp.com, sta...@vger.kernel.org
The ethtool tsconfig Netlink path can trigger a null pointer
dereference. A call chain such as:
tsconfig_prepare_data() ->
dev_get_hwtstamp_phylib() ->
vlan_hwtstamp_get() ->
generic_hwtstamp_get_lower() ->
generic_hwtstamp_ioctl_lower()
results in generic_hwtstamp_ioctl_lower() being called with
kernel_cfg->ifr as NULL.
The generic_hwtstamp_ioctl_lower() function does not expect a
NULL ifr and dereferences it, leading to a system crash.
Fix this by adding a NULL check for kernel_cfg->ifr in
generic_hwtstamp_get/set_lower(). If ifr is NULL, return
-EOPNOTSUPP to prevent the call to the legacy IOCTL helper.
Fixes: 6e9e2eed4f39 ("net: ethtool: Add support for tsconfig command to get/set hwtstamp config")
Closes: https://lore.kernel.org/lkml/cd6a7056-fa6d-43f8...@linux.dev/T/#mf5df538e21753e3045de98f25aa18d948be07df3
Signed-off-by: Jiaming Zhang <r7725...@gmail.com>
---
net/core/dev_ioctl.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/net/core/dev_ioctl.c b/net/core/dev_ioctl.c
index ad54b12d4b4c..39eaf6ba981a 100644
--- a/net/core/dev_ioctl.c
+++ b/net/core/dev_ioctl.c
@@ -474,6 +474,10 @@ int generic_hwtstamp_get_lower(struct net_device *dev,
return err;
}
+ /* Netlink path with unconverted driver */
+ if (!kernel_cfg->ifr)
+ return -EOPNOTSUPP;
+
/* Legacy path: unconverted lower driver */
return generic_hwtstamp_ioctl_lower(dev, SIOCGHWTSTAMP, kernel_cfg);
}
@@ -498,6 +502,10 @@ int generic_hwtstamp_set_lower(struct net_device *dev,
return err;
}
+ /* Netlink path with unconverted driver */
+ if (!kernel_cfg->ifr)
+ return -EOPNOTSUPP;
+
/* Legacy path: unconverted lower driver */
return generic_hwtstamp_ioctl_lower(dev, SIOCSHWTSTAMP, kernel_cfg);
}
--
2.34.1
dereference. A call chain such as:
tsconfig_prepare_data() ->
dev_get_hwtstamp_phylib() ->
vlan_hwtstamp_get() ->
generic_hwtstamp_get_lower() ->
generic_hwtstamp_ioctl_lower()
results in generic_hwtstamp_ioctl_lower() being called with
kernel_cfg->ifr as NULL.
The generic_hwtstamp_ioctl_lower() function does not expect a
NULL ifr and dereferences it, leading to a system crash.
Fix this by adding a NULL check for kernel_cfg->ifr in
generic_hwtstamp_get/set_lower(). If ifr is NULL, return
-EOPNOTSUPP to prevent the call to the legacy IOCTL helper.
Fixes: 6e9e2eed4f39 ("net: ethtool: Add support for tsconfig command to get/set hwtstamp config")
Closes: https://lore.kernel.org/lkml/cd6a7056-fa6d-43f8...@linux.dev/T/#mf5df538e21753e3045de98f25aa18d948be07df3
Signed-off-by: Jiaming Zhang <r7725...@gmail.com>
---
net/core/dev_ioctl.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/net/core/dev_ioctl.c b/net/core/dev_ioctl.c
index ad54b12d4b4c..39eaf6ba981a 100644
--- a/net/core/dev_ioctl.c
+++ b/net/core/dev_ioctl.c
@@ -474,6 +474,10 @@ int generic_hwtstamp_get_lower(struct net_device *dev,
return err;
}
+ /* Netlink path with unconverted driver */
+ if (!kernel_cfg->ifr)
+ return -EOPNOTSUPP;
+
/* Legacy path: unconverted lower driver */
return generic_hwtstamp_ioctl_lower(dev, SIOCGHWTSTAMP, kernel_cfg);
}
@@ -498,6 +502,10 @@ int generic_hwtstamp_set_lower(struct net_device *dev,
return err;
}
+ /* Netlink path with unconverted driver */
+ if (!kernel_cfg->ifr)
+ return -EOPNOTSUPP;
+
/* Legacy path: unconverted lower driver */
return generic_hwtstamp_ioctl_lower(dev, SIOCSHWTSTAMP, kernel_cfg);
}
--
2.34.1
Kory Maincent
Oct 30, 2025, 6:15:29 AM (11 days ago) Oct 30
to Jiaming Zhang, da...@davemloft.net, edum...@google.com, ho...@kernel.org, ku...@kernel.org, kun...@google.com, linux-...@vger.kernel.org, net...@vger.kernel.org, pab...@redhat.com, s...@fomichev.me, syzk...@googlegroups.com, vladimi...@nxp.com, sta...@vger.kernel.org
With this change:
Reviewed-by: Kory Maincent <kory.m...@bootlin.com>
Thank you!
> + if (!kernel_cfg->ifr)
> + return -EOPNOTSUPP;
> +
> /* Legacy path: unconverted lower driver */
> return generic_hwtstamp_ioctl_lower(dev, SIOCGHWTSTAMP, kernel_cfg);
> }
> @@ -498,6 +502,10 @@ int generic_hwtstamp_set_lower(struct net_device *dev,
> return err;
> }
>
> + /* Netlink path with unconverted driver */
> + if (!kernel_cfg->ifr)
> + return -EOPNOTSUPP;
> +
> /* Legacy path: unconverted lower driver */
> return generic_hwtstamp_ioctl_lower(dev, SIOCSHWTSTAMP, kernel_cfg);
> }
--
Embedded Linux and kernel engineering
https://bootlin.com
Jiaming Zhang
Oct 30, 2025, 6:49:55 AM (11 days ago) Oct 30
to kory.m...@bootlin.com, da...@davemloft.net, edum...@google.com, ho...@kernel.org, ku...@kernel.org, kun...@google.com, linux-...@vger.kernel.org, net...@vger.kernel.org, pab...@redhat.com, r7725...@gmail.com, s...@fomichev.me, sta...@vger.kernel.org, syzk...@googlegroups.com, vladimi...@nxp.com
The ethtool tsconfig Netlink path can trigger a null pointer
dereference. A call chain such as:
tsconfig_prepare_data() ->
dev_get_hwtstamp_phylib() ->
vlan_hwtstamp_get() ->
generic_hwtstamp_get_lower() ->
generic_hwtstamp_ioctl_lower()
results in generic_hwtstamp_ioctl_lower() being called with
kernel_cfg->ifr as NULL.
The generic_hwtstamp_ioctl_lower() function does not expect a
NULL ifr and dereferences it, leading to a system crash.
Fix this by adding a NULL check for kernel_cfg->ifr in
generic_hwtstamp_get/set_lower(). If ifr is NULL, return
-EOPNOTSUPP to prevent the call to the legacy IOCTL helper.
Fixes: 6e9e2eed4f39 ("net: ethtool: Add support for tsconfig command to get/set hwtstamp config")
Closes: https://lore.kernel.org/lkml/cd6a7056-fa6d-43f8...@linux.dev/T/#mf5df538e21753e3045de98f25aa18d948be07df3
Signed-off-by: Jiaming Zhang <r7725...@gmail.com>
---
net/core/dev_ioctl.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/net/core/dev_ioctl.c b/net/core/dev_ioctl.c
index ad54b12d4b4c..a32e1036f12a 100644
dereference. A call chain such as:
tsconfig_prepare_data() ->
dev_get_hwtstamp_phylib() ->
vlan_hwtstamp_get() ->
generic_hwtstamp_get_lower() ->
generic_hwtstamp_ioctl_lower()
results in generic_hwtstamp_ioctl_lower() being called with
kernel_cfg->ifr as NULL.
The generic_hwtstamp_ioctl_lower() function does not expect a
NULL ifr and dereferences it, leading to a system crash.
Fix this by adding a NULL check for kernel_cfg->ifr in
generic_hwtstamp_get/set_lower(). If ifr is NULL, return
-EOPNOTSUPP to prevent the call to the legacy IOCTL helper.
Fixes: 6e9e2eed4f39 ("net: ethtool: Add support for tsconfig command to get/set hwtstamp config")
Closes: https://lore.kernel.org/lkml/cd6a7056-fa6d-43f8...@linux.dev/T/#mf5df538e21753e3045de98f25aa18d948be07df3
Signed-off-by: Jiaming Zhang <r7725...@gmail.com>
---
net/core/dev_ioctl.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/net/core/dev_ioctl.c b/net/core/dev_ioctl.c
--- a/net/core/dev_ioctl.c
+++ b/net/core/dev_ioctl.c
@@ -474,6 +474,10 @@ int generic_hwtstamp_get_lower(struct net_device *dev,
return err;
}
+ /* Netlink path with unconverted lower driver */
+++ b/net/core/dev_ioctl.c
@@ -474,6 +474,10 @@ int generic_hwtstamp_get_lower(struct net_device *dev,
return err;
}
+ if (!kernel_cfg->ifr)
+ return -EOPNOTSUPP;
+
/* Legacy path: unconverted lower driver */
return generic_hwtstamp_ioctl_lower(dev, SIOCGHWTSTAMP, kernel_cfg);
}
@@ -498,6 +502,10 @@ int generic_hwtstamp_set_lower(struct net_device *dev,
return err;
}
+ /* Netlink path with unconverted lower driver */
+ return -EOPNOTSUPP;
+
/* Legacy path: unconverted lower driver */
return generic_hwtstamp_ioctl_lower(dev, SIOCGHWTSTAMP, kernel_cfg);
}
@@ -498,6 +502,10 @@ int generic_hwtstamp_set_lower(struct net_device *dev,
return err;
}
+ if (!kernel_cfg->ifr)
+ return -EOPNOTSUPP;
+
/* Legacy path: unconverted lower driver */
return generic_hwtstamp_ioctl_lower(dev, SIOCSHWTSTAMP, kernel_cfg);
}
--
2.34.1
+ return -EOPNOTSUPP;
+
/* Legacy path: unconverted lower driver */
return generic_hwtstamp_ioctl_lower(dev, SIOCSHWTSTAMP, kernel_cfg);
}
--
Jiaming Zhang
Oct 30, 2025, 8:49:58 AM (11 days ago) Oct 30
to kory.m...@bootlin.com, da...@davemloft.net, edum...@google.com, ho...@kernel.org, ku...@kernel.org, kun...@google.com, linux-...@vger.kernel.org, net...@vger.kernel.org, pab...@redhat.com, r7725...@gmail.com, s...@fomichev.me, syzk...@googlegroups.com, vladimi...@nxp.com
Hi Kory,
Apologies for the resubmission (v3); I forgot to add Reviewed-by tag in
the v2 patch.
v3:
- Add Kory's Reviewed-by tag.
v2:
- Fix typo in comment ("driver" -> "lower driver")
Best Regards,
Jiaming Zhang
Jiaming Zhang (1):
net: core: prevent NULL deref in generic_hwtstamp_ioctl_lower()
net/core/dev_ioctl.c | 8 ++++++++
1 file changed, 8 insertions(+)
--
2.34.1
Apologies for the resubmission (v3); I forgot to add Reviewed-by tag in
the v2 patch.
v3:
- Add Kory's Reviewed-by tag.
v2:
- Fix typo in comment ("driver" -> "lower driver")
Best Regards,
Jiaming Zhang
Jiaming Zhang (1):
net: core: prevent NULL deref in generic_hwtstamp_ioctl_lower()
net/core/dev_ioctl.c | 8 ++++++++
1 file changed, 8 insertions(+)
2.34.1
Jiaming Zhang
Oct 30, 2025, 8:50:02 AM (11 days ago) Oct 30
to kory.m...@bootlin.com, da...@davemloft.net, edum...@google.com, ho...@kernel.org, ku...@kernel.org, kun...@google.com, linux-...@vger.kernel.org, net...@vger.kernel.org, pab...@redhat.com, r7725...@gmail.com, s...@fomichev.me, syzk...@googlegroups.com, vladimi...@nxp.com
The ethtool tsconfig Netlink path can trigger a null pointer
dereference. A call chain such as:
tsconfig_prepare_data() ->
dev_get_hwtstamp_phylib() ->
vlan_hwtstamp_get() ->
generic_hwtstamp_get_lower() ->
generic_hwtstamp_ioctl_lower()
results in generic_hwtstamp_ioctl_lower() being called with
kernel_cfg->ifr as NULL.
The generic_hwtstamp_ioctl_lower() function does not expect a
NULL ifr and dereferences it, leading to a system crash.
Fix this by adding a NULL check for kernel_cfg->ifr in
generic_hwtstamp_get/set_lower(). If ifr is NULL, return
-EOPNOTSUPP to prevent the call to the legacy IOCTL helper.
Fixes: 6e9e2eed4f39 ("net: ethtool: Add support for tsconfig command to get/set hwtstamp config")
Closes: https://lore.kernel.org/lkml/cd6a7056-fa6d-43f8...@linux.dev/T/#mf5df538e21753e3045de98f25aa18d948be07df3
Signed-off-by: Jiaming Zhang <r7725...@gmail.com>
Reviewed-by: Kory Maincent <kory.m...@bootlin.com>
dereference. A call chain such as:
tsconfig_prepare_data() ->
dev_get_hwtstamp_phylib() ->
vlan_hwtstamp_get() ->
generic_hwtstamp_get_lower() ->
generic_hwtstamp_ioctl_lower()
results in generic_hwtstamp_ioctl_lower() being called with
kernel_cfg->ifr as NULL.
The generic_hwtstamp_ioctl_lower() function does not expect a
NULL ifr and dereferences it, leading to a system crash.
Fix this by adding a NULL check for kernel_cfg->ifr in
generic_hwtstamp_get/set_lower(). If ifr is NULL, return
-EOPNOTSUPP to prevent the call to the legacy IOCTL helper.
Fixes: 6e9e2eed4f39 ("net: ethtool: Add support for tsconfig command to get/set hwtstamp config")
Closes: https://lore.kernel.org/lkml/cd6a7056-fa6d-43f8...@linux.dev/T/#mf5df538e21753e3045de98f25aa18d948be07df3
Signed-off-by: Jiaming Zhang <r7725...@gmail.com>
---
net/core/dev_ioctl.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/net/core/dev_ioctl.c b/net/core/dev_ioctl.c
1 file changed, 8 insertions(+)
index ad54b12d4b4c..a32e1036f12a 100644
--- a/net/core/dev_ioctl.c
+++ b/net/core/dev_ioctl.c
@@ -474,6 +474,10 @@ int generic_hwtstamp_get_lower(struct net_device *dev,
return err;
}
+ /* Netlink path with unconverted lower driver */
+++ b/net/core/dev_ioctl.c
@@ -474,6 +474,10 @@ int generic_hwtstamp_get_lower(struct net_device *dev,
return err;
}
+ if (!kernel_cfg->ifr)
+ return -EOPNOTSUPP;
+
/* Legacy path: unconverted lower driver */
return generic_hwtstamp_ioctl_lower(dev, SIOCGHWTSTAMP, kernel_cfg);
}
@@ -498,6 +502,10 @@ int generic_hwtstamp_set_lower(struct net_device *dev,
return err;
}
+ /* Netlink path with unconverted lower driver */
+ return -EOPNOTSUPP;
+
/* Legacy path: unconverted lower driver */
return generic_hwtstamp_ioctl_lower(dev, SIOCGHWTSTAMP, kernel_cfg);
}
@@ -498,6 +502,10 @@ int generic_hwtstamp_set_lower(struct net_device *dev,
return err;
}
+ if (!kernel_cfg->ifr)
+ return -EOPNOTSUPP;
+
/* Legacy path: unconverted lower driver */
return generic_hwtstamp_ioctl_lower(dev, SIOCSHWTSTAMP, kernel_cfg);
}
--
2.34.1
+ return -EOPNOTSUPP;
+
/* Legacy path: unconverted lower driver */
return generic_hwtstamp_ioctl_lower(dev, SIOCSHWTSTAMP, kernel_cfg);
}
--
Jakub Kicinski
Nov 3, 2025, 8:16:03 PM (6 days ago) Nov 3
to Jiaming Zhang, kory.m...@bootlin.com, da...@davemloft.net, edum...@google.com, ho...@kernel.org, kun...@google.com, linux-...@vger.kernel.org, net...@vger.kernel.org, pab...@redhat.com, s...@fomichev.me, syzk...@googlegroups.com, vladimi...@nxp.com
On Thu, 30 Oct 2025 12:49:47 +0000 Jiaming Zhang wrote:
> + /* Netlink path with unconverted lower driver */
> + if (!kernel_cfg->ifr)
> + return -EOPNOTSUPP;
> +
> /* Legacy path: unconverted lower driver */
> return generic_hwtstamp_ioctl_lower(dev, SIOCGHWTSTAMP, kernel_cfg);
> }
> @@ -498,6 +502,10 @@ int generic_hwtstamp_set_lower(struct net_device *dev,
> return err;
> }
>
> + /* Netlink path with unconverted lower driver */
> + if (!kernel_cfg->ifr)
> + return -EOPNOTSUPP;
> +
> /* Legacy path: unconverted lower driver */
> return generic_hwtstamp_ioctl_lower(dev, SIOCSHWTSTAMP, kernel_cfg);
Sorry but nit:
> + /* Netlink path with unconverted lower driver */
> + if (!kernel_cfg->ifr)
> + return -EOPNOTSUPP;
> +
> /* Legacy path: unconverted lower driver */
> return generic_hwtstamp_ioctl_lower(dev, SIOCGHWTSTAMP, kernel_cfg);
> }
> @@ -498,6 +502,10 @@ int generic_hwtstamp_set_lower(struct net_device *dev,
> return err;
> }
>
> + /* Netlink path with unconverted lower driver */
> + if (!kernel_cfg->ifr)
> + return -EOPNOTSUPP;
> +
> /* Legacy path: unconverted lower driver */
> return generic_hwtstamp_ioctl_lower(dev, SIOCSHWTSTAMP, kernel_cfg);
instead of adding this to both callers you can add the check in
generic_hwtstamp_ioctl_lower().
--
pw-bot: cr
Reply all
Reply to author
Forward
0 new messages