From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Tho Vu <tho.vu.wh@rvc.renesas.com>,
	Kazuya Mizuguchi <kazuya.mizuguchi.ks@renesas.com>,
	Simon Horman <horms+renesas@verge.net.au>,
	"David S . Miller" <davem@davemloft.net>,
	Sasha Levin <sashal@kernel.org>,
	netdev@vger.kernel.org, linux-sh@vger.kernel.org
Subject: [PATCH AUTOSEL 4.4 11/15] ravb: Fix use-after-free ravb_tstamp_skb
Date: Thu, 29 Aug 2019 18:17:58 +0000
Message-ID: <20190829181802.9619-11-sashal@kernel.org>
In-Reply-To: <20190829181802.9619-1-sashal@kernel.org>

From: Tho Vu <tho.vu.wh@rvc.renesas.com>

[ Upstream commit cfef46d692efd852a0da6803f920cc756eea2855 ]

When a Tx timestamp is requested, a pointer to the skb is stored in the
ravb_tstamp_skb struct. This was done without an skb_get. There exists
the possibility that the skb could be freed by ravb_tx_free (when
ravb_tx_free is called from ravb_start_xmit) before the timestamp was
processed, leading to a use-after-free bug.

Use skb_get when filling a ravb_tstamp_skb struct, and add appropriate
frees/consumes when a ravb_tstamp_skb struct is freed.

Fixes: c156633f1353 ("Renesas Ethernet AVB driver proper")
Signed-off-by: Tho Vu <tho.vu.wh@rvc.renesas.com>
Signed-off-by: Kazuya Mizuguchi <kazuya.mizuguchi.ks@renesas.com>
Signed-off-by: Simon Horman <horms+renesas@verge.net.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/renesas/ravb_main.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/drivers/net/ethernet/renesas/ravb_main.c b/drivers/net/ethernet/renesas/ravb_main.c
index 29d31eb995d7f..fedfd94699cb8 100644
--- a/drivers/net/ethernet/renesas/ravb_main.c
+++ b/drivers/net/ethernet/renesas/ravb_main.c
@@ -1,6 +1,6 @@
 /* Renesas Ethernet AVB device driver
  *
- * Copyright (C) 2014-2015 Renesas Electronics Corporation
+ * Copyright (C) 2014-2019 Renesas Electronics Corporation
  * Copyright (C) 2015 Renesas Solutions Corp.
  * Copyright (C) 2015 Cogent Embedded, Inc. <source@cogentembedded.com>
  *
@@ -501,7 +501,10 @@ static void ravb_get_tx_tstamp(struct net_device *ndev)
 			kfree(ts_skb);
 			if (tag = tfa_tag) {
 				skb_tstamp_tx(skb, &shhwtstamps);
+				dev_consume_skb_any(skb);
 				break;
+			} else {
+				dev_kfree_skb_any(skb);
 			}
 		}
 		ravb_write(ndev, ravb_read(ndev, TCCR) | TCCR_TFR, TCCR);
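
Review bot: the condition guarding the new calls, `if (tag = tfa_tag)` on
the context line at the top of this hunk, is an assignment rather than a
comparison as shown here. With that line the consume-and-break branch runs
for the first list entry whenever tfa_tag is non-zero, and the added `else`
with dev_kfree_skb_any(skb) is only reached when tfa_tag is 0, so the
reference drops added here would not follow the tag match. It should read
`if (tag == tfa_tag)`; please check the tree this is applied to. Separately,
skb is used after kfree(ts_skb), so it has to be a local copy taken before
the free; that assignment is outside the visible lines and worth confirming.
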
@@ -1382,7 +1385,7 @@ static netdev_tx_t ravb_start_xmit(struct sk_buff *skb, struct net_device *ndev)
 					 DMA_TO_DEVICE);
 			goto unmap;
 		}
-		ts_skb->skb = skb;
+		ts_skb->skb = skb_get(skb);
 		ts_skb->tag = priv->ts_skb_tag++;
 		priv->ts_skb_tag &= 0x3ff;
 		list_add_tail(&ts_skb->list, &priv->ts_skb_list);
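
Review bot: at `ts_skb->skb = skb_get(skb);` the list entry starts owning a
reference to the skb, but nothing at this site documents that ownership. A
one-line comment naming where the reference is released (ravb_get_tx_tstamp
and ravb_close in this patch) would help the next reader. Any other path
that unlinks entries from priv->ts_skb_list must drop the reference the same
way, otherwise the skb leaks; only these two release sites are visible in
this patch.
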
@@ -1514,6 +1517,7 @@ static int ravb_close(struct net_device *ndev)
 	/* Clear the timestamp list */
 	list_for_each_entry_safe(ts_skb, ts_skb2, &priv->ts_skb_list, list) {
 		list_del(&ts_skb->list);
+		kfree_skb(ts_skb->skb);
 		kfree(ts_skb);
 	}
 
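Review bot: the loop in ravb_close that now calls kfree_skb(ts_skb->skb)
walks priv->ts_skb_list with no lock visible in this hunk. Since each entry
now also drops an skb reference, a ravb_get_tx_tstamp running concurrently
on the same list would put the same skb twice. Please confirm that the
interrupt and NAPI paths are already stopped before this point, or take the
lock that protects the list around the loop.
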
-- 
2.20.1
