From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Pavel Belous <pbelous@marvell.com>,
Christophe Vu-Brugier <cvubrugier@fastmail.fm>,
Igor Russkikh <irusskikh@marvell.com>,
Dmitry Bogdanov <dbogdanov@marvell.com>,
"David S . Miller" <davem@davemloft.net>,
Sasha Levin <sashal@kernel.org>,
netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 4.19 14/32] net: atlantic: fix use after free kasan warn
Date: Mon, 2 Mar 2020 21:48:33 -0500
Message-ID: <20200303024851.10054-14-sashal@kernel.org>
In-Reply-To: <20200303024851.10054-1-sashal@kernel.org>
From: Pavel Belous <pbelous@marvell.com>
[ Upstream commit a4980919ad6a7be548d499bc5338015e1a9191c6 ]
skb->len is used to calculate statistics after xmit invocation.
Under a stress load it may happen that skb will be xmited,
rx interrupt will come and skb will be freed, all before xmit function
is even returned.
Eventually, skb->len will access unallocated area.
Moving stats calculation into tx_clean routine.
Fixes: 018423e90bee ("net: ethernet: aquantia: Add ring support code")
Reported-by: Christophe Vu-Brugier <cvubrugier@fastmail.fm>
Signed-off-by: Igor Russkikh <irusskikh@marvell.com>
Signed-off-by: Pavel Belous <pbelous@marvell.com>
Signed-off-by: Dmitry Bogdanov <dbogdanov@marvell.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/aquantia/atlantic/aq_nic.c | 4 ----
drivers/net/ethernet/aquantia/atlantic/aq_ring.c | 7 +++++--
2 files changed, 5 insertions(+), 6 deletions(-)
diff --git a/drivers/net/ethernet/aquantia/atlantic/aq_nic.c b/drivers/net/ethernet/aquantia/atlantic/aq_nic.c
index 8cc34b0bedc3a..d1de11b575f44 100644
--- a/drivers/net/ethernet/aquantia/atlantic/aq_nic.c
+++ b/drivers/net/ethernet/aquantia/atlantic/aq_nic.c
@@ -530,10 +530,6 @@ int aq_nic_xmit(struct aq_nic_s *self, struct sk_buff *skb)
if (likely(frags)) {
err = self->aq_hw_ops->hw_ring_tx_xmit(self->aq_hw,
ring, frags);
- if (err >= 0) {
- ++ring->stats.tx.packets;
- ring->stats.tx.bytes += skb->len;
- }
} else {
err = NETDEV_TX_BUSY;
}
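Review bot: with the statistics block gone, nothing at this call site records why skb must not be read once hw_ring_tx_xmit() has returned, so a later change could reintroduce the same use after free. A one-line comment after the hw_ring_tx_xmit() call stating that the skb may already have been completed and freed by the clean path would document the ownership rule the commit message describes. It is also worth saying in the commit message that TX counters now advance at completion time rather than at submit time, since that changes what the counters mean under load.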
diff --git a/drivers/net/ethernet/aquantia/atlantic/aq_ring.c b/drivers/net/ethernet/aquantia/atlantic/aq_ring.c
index b3c7994d73eb1..b03e5fd4327e3 100644
--- a/drivers/net/ethernet/aquantia/atlantic/aq_ring.c
+++ b/drivers/net/ethernet/aquantia/atlantic/aq_ring.c
@@ -162,9 +162,12 @@ bool aq_ring_tx_clean(struct aq_ring_s *self)
}
}
- if (unlikely(buff->is_eop))
- dev_kfree_skb_any(buff->skb);
+ if (unlikely(buff->is_eop)) {
+ ++self->stats.rx.packets;
+ self->stats.tx.bytes += buff->skb->len;
+ dev_kfree_skb_any(buff->skb);
+ }
buff->pa = 0U;
buff->eop_index = 0xffffU;
self->sw_head = aq_ring_next_dx(self, self->sw_head);
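Review bot: the added line `++self->stats.rx.packets;` in aq_ring_tx_clean() bumps the RX packet counter, while the code removed from aq_nic_xmit() incremented `ring->stats.tx.packets` and the very next added line accumulates into `stats.tx.bytes`. This looks like a typo and should read `++self->stats.tx.packets;` so that packets and bytes land in the same TX counters. Reading `buff->skb->len` before dev_kfree_skb_any() is the correct order, and keeping both statements inside the is_eop branch means each skb is counted once, on its last descriptor.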
--
2.20.1