Re: [PATCH] net: mediatek: add null pointer check for hardware offloading
From: Vadim Fedorenko <vadim.fedorenko@linux.dev>
Date: 2026-01-02 11:20:49
Also in:
linux-arm-kernel, linux-mediatek, lkml
On 31/12/2025 22:52, Sebastian Roland Wolf wrote:
quoted hunk ↗ jump to hunk
From: Sebastian Roland Wolf <redacted> Add a null pointer check to prevent kernel crashes when hardware offloading is active on MediaTek devices. In some edge cases, the ethernet pointer or its associated netdev element can be NULL. Checking these pointers before access is mandatory to avoid segmentation faults and kernel oops. This improves the robustness of the validation check for mtk_eth ingress devices introduced in commit 73cfd947dbdb ("net: mediatek: add support for ingress traffic offloading"). Fixes: 73cfd947dbdb ("net: mediatek: add support for ingress traffic offloading") net: mediatek: Add null pointer check to prevent crashes with active hardware offloading. Signed-off-by: Sebastian Roland Wolf <redacted> --- drivers/net/ethernet/mediatek/mtk_ppe_offload.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)diff --git a/drivers/net/ethernet/mediatek/mtk_ppe_offload.c b/drivers/net/ethernet/mediatek/mtk_ppe_offload.c index e9bd32741983..6900ac87e1e9 100644 --- a/drivers/net/ethernet/mediatek/mtk_ppe_offload.c +++ b/drivers/net/ethernet/mediatek/mtk_ppe_offload.c@@ -270,7 +270,8 @@ mtk_flow_offload_replace(struct mtk_eth *eth, struct flow_cls_offload *f, flow_rule_match_meta(rule, &match); if (mtk_is_netsys_v2_or_greater(eth)) {
The code dereferences eth here ...
idev = __dev_get_by_index(&init_net, match.key->ingress_ifindex);
- if (idev && idev->netdev_ops == eth->netdev[0]->netdev_ops) {
+ if (idev && eth && eth->netdev[0] &&... but it is checked a couple of lines after. Even more, the function starts with providing rhahstable to lookup cookie. I'm really doubt eth can be NULL. At the same time lack of eth->netdev[0] looks like a design problem, because according to the code there might be up to 3 netdev devices registered for ppe. I'm not familiar with the code, but it would be better to have a splat of crash to check what was exactly missing, and drgn can help you find if there were other netdevs available at the moment of crash.
+ idev->netdev_ops == eth->netdev[0]->netdev_ops) {
struct mtk_mac *mac = netdev_priv(idev);
if (WARN_ON(mac->ppe_idx >= eth->soc->ppe_num))