From: Vadim Fedorenko <vadim.fedorenko@linux.dev>
To: Arthur Kiyanovski <akiyano@amazon.com>,
	David Miller <davem@davemloft.net>,
	Jakub Kicinski <kuba@kernel.org>,
	netdev@vger.kernel.org
Cc: Richard Cochran <richardcochran@gmail.com>,
	Eric Dumazet <edumazet@google.com>,
	Paolo Abeni <pabeni@redhat.com>,
	David Woodhouse <dwmw2@infradead.org>,
	Thomas Gleixner <tglx@linutronix.de>,
	Miroslav Lichvar <mlichvar@redhat.com>,
	Andrew Lunn <andrew+netdev@lunn.ch>,
	Wen Gu <guwen@linux.alibaba.com>,
	Xuan Zhuo <xuanzhuo@linux.alibaba.com>,
	David Woodhouse <dwmw@amazon.com>,
	Yonatan Sarna <ysarna@amazon.com>,
	Zorik Machulsky <zorik@amazon.com>,
	Alexander Matushevsky <matua@amazon.com>,
	Saeed Bshara <saeedb@amazon.com>, Matt Wilson <msw@amazon.com>,
	Anthony Liguori <aliguori@amazon.com>,
	Nafea Bshara <nafea@amazon.com>,
	Evgeny Schmeilin <evgenys@amazon.com>,
	Netanel Belgazal <netanel@amazon.com>,
	Ali Saidi <alisaidi@amazon.com>,
	Benjamin Herrenschmidt <benh@amazon.com>,
	Noam Dagan <ndagan@amazon.com>,
	David Arinzon <darinzon@amazon.com>,
	Evgeny Ostrovsky <evostrov@amazon.com>,
	Ofir Tabachnik <ofirt@amazon.com>,
	Amit Bernstein <amitbern@amazon.com>,
	stable@vger.kernel.org
Subject: Re: [PATCH net] net: ena: PHC: Fix potential use-after-free in get_timestamp
Date: Fri, 8 May 2026 10:28:24 +0100	[thread overview]
Message-ID: <33d3f804-2877-490e-b59f-5464e51bbf74@linux.dev> (raw)
In-Reply-To: <20260508062126.7273-1-akiyano@amazon.com>

On 08/05/2026 07:21, Arthur Kiyanovski wrote:
> Move the phc->active check and resp pointer assignment to after
> acquiring the spinlock. Previously, phc->active was checked without
> holding the lock, and resp was cached from ena_dev->phc.virt_addr
> before the lock was acquired.
> 
> If ena_com_phc_destroy() runs between the lockless active check and
> the lock acquisition, it sets active=false, releases the lock, frees
> the DMA memory, and sets virt_addr=NULL. The get_timestamp path would
> then read a NULL virt_addr and dereference it.
> 
> With both the active check and the pointer read under the lock,
> destroy cannot free the memory while get_timestamp is using it.
> 
> Fixes: e0ea34158ee8 ("net: ena: Add PHC support in the ENA driver")
> Cc: stable@vger.kernel.org
> Signed-off-by: Arthur Kiyanovski <akiyano@amazon.com>
> ---
>   drivers/net/ethernet/amazon/ena/ena_com.c | 7 +++++--
>   1 file changed, 5 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/net/ethernet/amazon/ena/ena_com.c b/drivers/net/ethernet/amazon/ena/ena_com.c
> index e67b592..8c86789 100644
> --- a/drivers/net/ethernet/amazon/ena/ena_com.c
> +++ b/drivers/net/ethernet/amazon/ena/ena_com.c
> @@ -1782,20 +1782,23 @@ void ena_com_phc_destroy(struct ena_com_dev *ena_dev)
>   
>   int ena_com_phc_get_timestamp(struct ena_com_dev *ena_dev, u64 *timestamp)
>   {
> -	volatile struct ena_admin_phc_resp *resp = ena_dev->phc.virt_addr;
>   	const ktime_t zero_system_time = ktime_set(0, 0);
>   	struct ena_com_phc_info *phc = &ena_dev->phc;
> +	volatile struct ena_admin_phc_resp *resp;
>   	ktime_t expire_time;
>   	ktime_t block_time;
>   	unsigned long flags = 0;
>   	int ret = 0;
>   
> +	spin_lock_irqsave(&phc->lock, flags);
> +
>   	if (!phc->active) {
> +		spin_unlock_irqrestore(&phc->lock, flags);
>   		netdev_err(ena_dev->net_device, "PHC feature is not active in the device\n");
>   		return -EOPNOTSUPP;
>   	}
>   
> -	spin_lock_irqsave(&phc->lock, flags);
> +	resp = ena_dev->phc.virt_addr;
>   
>   	/* Check if PHC is in blocked state */
>   	if (unlikely(ktime_compare(phc->system_time, zero_system_time))) {
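Review bot: in the added `resp = ena_dev->phc.virt_addr;` line, the function already has `phc = &ena_dev->phc` and every other access in this hunk goes through it (`phc->active`, `phc->lock`, `phc->system_time`), so `resp = phc->virt_addr;` would be consistent with the surrounding code. The reordering itself is correct on the condition the commit message states, that ena_com_phc_destroy() clears `active` under the same `phc->lock` before it frees the buffer: with `active` now checked and `virt_addr` read inside the locked region, a destroy that already cleared `active` is caught by the early return, and a destroy that has not yet taken the lock cannot free the buffer until get_timestamp drops it; that dependency on destroy's ordering is worth a comment next to the check. The `netdev_err()` for the inactive case is correctly placed after the unlock, so nothing new is logged with the spinlock held.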

Reviewed-by: Vadim Fedorenko <vadim.fedorenko@linux.dev>
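The race the commit message describes, replayed deterministically as an added user-space model; this is not ENA driver code and not part of the thread. The names phc_info, phc_resp, phc_init, phc_destroy, get_timestamp_racy and get_timestamp_fixed are hypothetical stand-ins for the ena_com_phc_* symbols, a pthread mutex stands in for spin_lock_irqsave(), and the race_hook_t parameter is an injected preemption point so a test can run "destroy" exactly in the window between the lockless check and the lock acquisition.

```c
/* Added example, not ENA driver code: a user-space model of the
 * check-then-lock race fixed by the patch. phc_info, phc_resp and the
 * phc_* / get_timestamp_* functions are hypothetical stand-ins for the
 * ena_com_phc_* symbols; pthread_mutex stands in for the spinlock. */
#include <errno.h>
#include <pthread.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

struct phc_resp {                /* stand-in for the DMA-shared response */
	uint64_t timestamp;
};

struct phc_info {
	pthread_mutex_t lock;        /* stand-in for phc->lock */
	bool active;
	struct phc_resp *virt_addr;  /* freed and set to NULL by phc_destroy() */
};

/* Optional preemption point in the window between the lockless check and
 * the lock; tests pass phc_destroy here to replay the race on demand. */
typedef void (*race_hook_t)(struct phc_info *);

void phc_init(struct phc_info *phc, uint64_t ts)
{
	pthread_mutex_init(&phc->lock, NULL);
	phc->virt_addr = calloc(1, sizeof(*phc->virt_addr));
	phc->virt_addr->timestamp = ts;
	phc->active = true;
}

/* Same ordering the commit message attributes to ena_com_phc_destroy():
 * clear active under the lock, drop the lock, then free and NULL the buffer. */
void phc_destroy(struct phc_info *phc)
{
	pthread_mutex_lock(&phc->lock);
	phc->active = false;
	pthread_mutex_unlock(&phc->lock);
	free(phc->virt_addr);
	phc->virt_addr = NULL;
}

/* Pre-patch shape: resp cached and active checked with no lock held. */
int get_timestamp_racy(struct phc_info *phc, uint64_t *ts, race_hook_t hook)
{
	struct phc_resp *resp = phc->virt_addr;    /* cached without the lock */

	if (!phc->active)                           /* checked without the lock */
		return -EOPNOTSUPP;

	if (hook)
		hook(phc);          /* race window: a concurrent destroy lands here */

	pthread_mutex_lock(&phc->lock);
	if (!phc->active) {
		/* Destroy won the race, so resp now points at freed memory. The real
		 * driver would dereference it (use-after-free); the model reports the
		 * race instead of touching freed memory. */
		pthread_mutex_unlock(&phc->lock);
		return -EFAULT;
	}
	*ts = resp->timestamp;
	pthread_mutex_unlock(&phc->lock);
	return 0;
}

/* Post-patch shape: take the lock first, then check active and read the
 * pointer. Destroy cannot clear active or free the buffer while we hold it. */
int get_timestamp_fixed(struct phc_info *phc, uint64_t *ts, race_hook_t hook)
{
	struct phc_resp *resp;

	if (hook)
		hook(phc);          /* any preemption before the lock is now harmless */

	pthread_mutex_lock(&phc->lock);
	if (!phc->active) {
		pthread_mutex_unlock(&phc->lock);
		return -EOPNOTSUPP;
	}
	resp = phc->virt_addr;      /* read under the lock, used only under it */
	*ts = resp->timestamp;
	pthread_mutex_unlock(&phc->lock);
	return 0;
}

int main(void)
{
	struct phc_info racy, fixed;
	uint64_t ts = 0;

	phc_init(&racy, 42);
	printf("racy  + concurrent destroy: %d\n",
	       get_timestamp_racy(&racy, &ts, phc_destroy));    /* -EFAULT */
	phc_init(&fixed, 42);
	printf("fixed + concurrent destroy: %d\n",
	       get_timestamp_fixed(&fixed, &ts, phc_destroy));  /* -EOPNOTSUPP */
	return 0;
}
```

The hook sits before the lock in both versions on purpose: in the pre-patch shape that position is after the check and after the pointer was cached, so a destroy landing there leaves a dangling resp; in the post-patch shape nothing has been checked or cached yet, so the same destroy is simply observed by the locked active check and the call returns -EOPNOTSUPP. A destroy cannot land anywhere later because it needs the lock the fixed path is holding.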

Thread overview: 3+ messages
2026-05-08  6:21 [PATCH net] net: ena: PHC: Fix potential use-after-free in get_timestamp Arthur Kiyanovski
2026-05-08  9:28 ` Vadim Fedorenko [this message]
2026-05-10 17:10 ` patchwork-bot+netdevbpf