From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Yunsheng Lin <linyunsheng@huawei.com>,
	lipeng <lipeng321@huawei.com>, Jun He <hjat2005@huawei.com>,
	"David S. Miller" <davem@davemloft.net>,
	Erick Reyes <erickreyes@google.com>
Subject: [PATCH 4.9 28/28] net: hns: Fix a skb used after free bug
Date: Thu, 29 Mar 2018 20:00:47 +0200
Message-ID: <20180329175736.812183587@linuxfoundation.org>
In-Reply-To: <20180329175733.447823703@linuxfoundation.org>

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Yunsheng Lin <linyunsheng@huawei.com>

commit 27463ad99f738ed93c7c8b3e2e5bc8c4853a2ff2 upstream.

skb may be freed in hns_nic_net_xmit_hw() and NETDEV_TX_OK returned,
which causes hns_nic_net_xmit to use a freed skb.

BUG: KASAN: use-after-free in hns_nic_net_xmit_hw+0x62c/0x940...
	[17659.112635]      alloc_debug_processing+0x18c/0x1a0
	[17659.117208]      __slab_alloc+0x52c/0x560
	[17659.120909]      kmem_cache_alloc_node+0xac/0x2c0
	[17659.125309]      __alloc_skb+0x6c/0x260
	[17659.128837]      tcp_send_ack+0x8c/0x280
	[17659.132449]      __tcp_ack_snd_check+0x9c/0xf0
	[17659.136587]      tcp_rcv_established+0x5a4/0xa70
	[17659.140899]      tcp_v4_do_rcv+0x27c/0x620
	[17659.144687]      tcp_prequeue_process+0x108/0x170
	[17659.149085]      tcp_recvmsg+0x940/0x1020
	[17659.152787]      inet_recvmsg+0x124/0x180
	[17659.156488]      sock_recvmsg+0x64/0x80
	[17659.160012]      SyS_recvfrom+0xd8/0x180
	[17659.163626]      __sys_trace_return+0x0/0x4
	[17659.167506] INFO: Freed in kfree_skbmem+0xa0/0xb0 age=23 cpu=1 pid=13
	[17659.174000]      free_debug_processing+0x1d4/0x2c0
	[17659.178486]      __slab_free+0x240/0x390
	[17659.182100]      kmem_cache_free+0x24c/0x270
	[17659.186062]      kfree_skbmem+0xa0/0xb0
	[17659.189587]      __kfree_skb+0x28/0x40
	[17659.193025]      napi_gro_receive+0x168/0x1c0
	[17659.197074]      hns_nic_rx_up_pro+0x58/0x90
	[17659.201038]      hns_nic_rx_poll_one+0x518/0xbc0
	[17659.205352]      hns_nic_common_poll+0x94/0x140
	[17659.209576]      net_rx_action+0x458/0x5e0
	[17659.213363]      __do_softirq+0x1b8/0x480
	[17659.217062]      run_ksoftirqd+0x64/0x80
	[17659.220679]      smpboot_thread_fn+0x224/0x310
	[17659.224821]      kthread+0x150/0x170
	[17659.228084]      ret_from_fork+0x10/0x40

	BUG: KASAN: use-after-free in hns_nic_net_xmit+0x8c/0xc0...
	[17751.080490]      __slab_alloc+0x52c/0x560
	[17751.084188]      kmem_cache_alloc+0x244/0x280
	[17751.088238]      __build_skb+0x40/0x150
	[17751.091764]      build_skb+0x28/0x100
	[17751.095115]      __alloc_rx_skb+0x94/0x150
	[17751.098900]      __napi_alloc_skb+0x34/0x90
	[17751.102776]      hns_nic_rx_poll_one+0x180/0xbc0
	[17751.107097]      hns_nic_common_poll+0x94/0x140
	[17751.111333]      net_rx_action+0x458/0x5e0
	[17751.115123]      __do_softirq+0x1b8/0x480
	[17751.118823]      run_ksoftirqd+0x64/0x80
	[17751.122437]      smpboot_thread_fn+0x224/0x310
	[17751.126575]      kthread+0x150/0x170
	[17751.129838]      ret_from_fork+0x10/0x40
	[17751.133454] INFO: Freed in kfree_skbmem+0xa0/0xb0 age=19 cpu=7 pid=43
	[17751.139951]      free_debug_processing+0x1d4/0x2c0
	[17751.144436]      __slab_free+0x240/0x390
	[17751.148051]      kmem_cache_free+0x24c/0x270
	[17751.152014]      kfree_skbmem+0xa0/0xb0
	[17751.155543]      __kfree_skb+0x28/0x40
	[17751.159022]      napi_gro_receive+0x168/0x1c0
	[17751.163074]      hns_nic_rx_up_pro+0x58/0x90
	[17751.167041]      hns_nic_rx_poll_one+0x518/0xbc0
	[17751.171358]      hns_nic_common_poll+0x94/0x140
	[17751.175585]      net_rx_action+0x458/0x5e0
	[17751.179373]      __do_softirq+0x1b8/0x480
	[17751.183076]      run_ksoftirqd+0x64/0x80
	[17751.186691]      smpboot_thread_fn+0x224/0x310
	[17751.190826]      kthread+0x150/0x170
	[17751.194093]      ret_from_fork+0x10/0x40

Fixes: 13ac695e7ea1 ("net:hns: Add support of Hip06 SoC to the Hislicon Network Subsystem")
Signed-off-by: Yunsheng Lin <linyunsheng@huawei.com>
Signed-off-by: lipeng <lipeng321@huawei.com>
Reported-by: Jun He <hjat2005@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Erick Reyes <erickreyes@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/ethernet/hisilicon/hns/hns_enet.c |   22 ++++++++++------------
 drivers/net/ethernet/hisilicon/hns/hns_enet.h |    6 +++---
 2 files changed, 13 insertions(+), 15 deletions(-)

--- a/drivers/net/ethernet/hisilicon/hns/hns_enet.c
+++ b/drivers/net/ethernet/hisilicon/hns/hns_enet.c
@@ -299,9 +299,9 @@ static void fill_tso_desc(struct hnae_ri
 			     mtu);
 }
 
-int hns_nic_net_xmit_hw(struct net_device *ndev,
-			struct sk_buff *skb,
-			struct hns_nic_ring_data *ring_data)
+netdev_tx_t hns_nic_net_xmit_hw(struct net_device *ndev,
+				struct sk_buff *skb,
+				struct hns_nic_ring_data *ring_data)
 {
 	struct hns_nic_priv *priv = netdev_priv(ndev);
 	struct hnae_ring *ring = ring_data->ring;
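Review bot: The new netdev_tx_t signature of hns_nic_net_xmit_hw() carries no comment stating the skb ownership rule this fix depends on. Per the commit message the skb may already be freed when the function returns NETDEV_TX_OK, so a short comment above the definition saying that the caller must not dereference skb after the call would keep future callers from repeating the bug. The return statements are outside this hunk; each of them should now return a NETDEV_TX_* value rather than a plain int or errno.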
@@ -360,6 +360,10 @@ int hns_nic_net_xmit_hw(struct net_devic
 	dev_queue = netdev_get_tx_queue(ndev, skb->queue_mapping);
 	netdev_tx_sent_queue(dev_queue, skb->len);
 
+	netif_trans_update(ndev);
+	ndev->stats.tx_bytes += skb->len;
+	ndev->stats.tx_packets++;
+
 	wmb(); /* commit all data before submit */
 	assert(skb->queue_mapping < priv->ae_handle->q_num);
 	hnae_queue_xmit(priv->ae_handle->qs[skb->queue_mapping], buf_num);
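Review bot: Nothing at the added stats block ahead of wmb() explains why it has to sit before hnae_queue_xmit(), so a later cleanup could move the skb->len read back below the submit and reintroduce the use-after-free. A one-line comment such as "read skb->len before the queue is kicked, skb must not be touched afterwards" would pin the ordering. The assert() and the qs[skb->queue_mapping] index on the following lines still read skb before the submit, which is fine, but no skb dereference should be added after hnae_queue_xmit().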
@@ -1408,17 +1412,11 @@ static netdev_tx_t hns_nic_net_xmit(stru
 				    struct net_device *ndev)
 {
 	struct hns_nic_priv *priv = netdev_priv(ndev);
-	int ret;
 
 	assert(skb->queue_mapping < ndev->ae_handle->q_num);
-	ret = hns_nic_net_xmit_hw(ndev, skb,
-				  &tx_ring_data(priv, skb->queue_mapping));
-	if (ret == NETDEV_TX_OK) {
-		netif_trans_update(ndev);
-		ndev->stats.tx_bytes += skb->len;
-		ndev->stats.tx_packets++;
-	}
-	return (netdev_tx_t)ret;
+
+	return hns_nic_net_xmit_hw(ndev, skb,
+				   &tx_ring_data(priv, skb->queue_mapping));
 }
 
 static int hns_nic_change_mtu(struct net_device *ndev, int new_mtu)
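Review bot: The assert() kept as context at the top of hns_nic_net_xmit() checks against ndev->ae_handle->q_num, while the matching check in hns_nic_net_xmit_hw() uses priv->ae_handle->q_num. Since the wrapper is being reduced to a single call anyway, this is a good place to either switch it to priv->ae_handle or drop it as redundant with the callee's check. The remaining skb->queue_mapping read is evaluated as a call argument, before the callee can free the skb, so the wrapper itself no longer touches skb after the call.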
--- a/drivers/net/ethernet/hisilicon/hns/hns_enet.h
+++ b/drivers/net/ethernet/hisilicon/hns/hns_enet.h
@@ -91,8 +91,8 @@ void hns_ethtool_set_ops(struct net_devi
 void hns_nic_net_reset(struct net_device *ndev);
 void hns_nic_net_reinit(struct net_device *netdev);
 int hns_nic_init_phy(struct net_device *ndev, struct hnae_handle *h);
-int hns_nic_net_xmit_hw(struct net_device *ndev,
-			struct sk_buff *skb,
-			struct hns_nic_ring_data *ring_data);
+netdev_tx_t hns_nic_net_xmit_hw(struct net_device *ndev,
+				struct sk_buff *skb,
+				struct hns_nic_ring_data *ring_data);
 
 #endif	/**__HNS_ENET_H */
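Review bot: Because this prototype is exported through hns_enet.h, hns_nic_net_xmit_hw() can be called from outside hns_enet.c, and the diffstat touches only these two files. Any other caller that stores the result in an int, or reads skb->len or other skb fields after the call returns, has the same use-after-free pattern and should be checked as part of this backport.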
