* [PATCH net] net: ena: PHC: Fix potential use-after-free in get_timestamp
@ 2026-05-08  6:21 Arthur Kiyanovski
  2026-05-08  9:28 ` Vadim Fedorenko
  2026-05-10 17:10 ` patchwork-bot+netdevbpf
  0 siblings, 2 replies; 3+ messages in thread
From: Arthur Kiyanovski @ 2026-05-08  6:21 UTC (permalink / raw)
  To: David Miller, Jakub Kicinski, netdev
  Cc: Arthur Kiyanovski, Richard Cochran, Eric Dumazet, Paolo Abeni,
	David Woodhouse, Thomas Gleixner, Miroslav Lichvar, Andrew Lunn,
	Wen Gu, Xuan Zhuo, David Woodhouse, Yonatan Sarna,
	Zorik Machulsky, Alexander Matushevsky, Saeed Bshara, Matt Wilson,
	Anthony Liguori, Nafea Bshara, Evgeny Schmeilin, Netanel Belgazal,
	Ali Saidi, Benjamin Herrenschmidt, Noam Dagan, David Arinzon,
	Evgeny Ostrovsky, Ofir Tabachnik, Amit Bernstein, stable

Move the phc->active check and resp pointer assignment to after
acquiring the spinlock. Previously, phc->active was checked without
holding the lock, and resp was cached from ena_dev->phc.virt_addr
before the lock was acquired.

If ena_com_phc_destroy() runs between the lockless active check and
the lock acquisition, it sets active=false, releases the lock, frees
the DMA memory, and sets virt_addr=NULL. The get_timestamp path would
then read a NULL virt_addr and dereference it.

With both the active check and the pointer read under the lock,
destroy cannot free the memory while get_timestamp is using it.

Fixes: e0ea34158ee8 ("net: ena: Add PHC support in the ENA driver")
Cc: stable@vger.kernel.org
Signed-off-by: Arthur Kiyanovski <akiyano@amazon.com>
---
 drivers/net/ethernet/amazon/ena/ena_com.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/drivers/net/ethernet/amazon/ena/ena_com.c b/drivers/net/ethernet/amazon/ena/ena_com.c
index e67b592..8c86789 100644
--- a/drivers/net/ethernet/amazon/ena/ena_com.c
+++ b/drivers/net/ethernet/amazon/ena/ena_com.c
@@ -1782,20 +1782,23 @@ void ena_com_phc_destroy(struct ena_com_dev *ena_dev)
 
 int ena_com_phc_get_timestamp(struct ena_com_dev *ena_dev, u64 *timestamp)
 {
-	volatile struct ena_admin_phc_resp *resp = ena_dev->phc.virt_addr;
 	const ktime_t zero_system_time = ktime_set(0, 0);
 	struct ena_com_phc_info *phc = &ena_dev->phc;
+	volatile struct ena_admin_phc_resp *resp;
 	ktime_t expire_time;
 	ktime_t block_time;
 	unsigned long flags = 0;
 	int ret = 0;
 
+	spin_lock_irqsave(&phc->lock, flags);
+
 	if (!phc->active) {
+		spin_unlock_irqrestore(&phc->lock, flags);
 		netdev_err(ena_dev->net_device, "PHC feature is not active in the device\n");
 		return -EOPNOTSUPP;
 	}
 
-	spin_lock_irqsave(&phc->lock, flags);
+	resp = ena_dev->phc.virt_addr;
 
 	/* Check if PHC is in blocked state */
 	if (unlikely(ktime_compare(phc->system_time, zero_system_time))) {
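Review bot: The fix depends on ena_com_phc_destroy() clearing phc->active under the same phc->lock before it frees and NULLs virt_addr; the commit message states that ordering, but the hunk does not show it, so a short comment above the new spin_lock_irqsave(), e.g. `/* active and virt_addr are protected by phc->lock, see ena_com_phc_destroy() */`, would document the invariant and discourage a future change from reintroducing the lockless check. Dropping the lock before the netdev_err() in the !active branch is the right choice, since it keeps the print out of the IRQ-disabled critical section. The re-declared `volatile struct ena_admin_phc_resp *resp;` carries over the pre-existing volatile qualifier; kernel style prefers READ_ONCE() on the individual fields read from a device-written buffer, but that is a separate cleanup and not one for a stable fix.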
-- 
2.47.3

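As an added illustration that is not part of the patch or the ENA driver, the following single-threaded C model replays the interleaving the commit message describes, with the pre-patch and post-patch orderings side by side; the struct, function and hook names are assumptions of the model, and the lock is a plain flag standing in for the spinlock.

```c
/* Added example, not ENA driver code: a single-threaded model of the race
 * this patch closes. "hook" stands in for the scheduler running
 * ena_com_phc_destroy() before get_timestamp has taken the lock. */
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
struct phc_resp { uint64_t timestamp; };  /* device-written response */
struct phc_info {
    int locked;                  /* stands in for phc->lock */
    int active;
    struct phc_resp *virt_addr;  /* stands in for the DMA buffer pointer */
};
typedef void (*interleave_fn)(struct phc_info *);
static void phc_lock(struct phc_info *p)   { if (p->locked) abort(); p->locked = 1; }
static void phc_unlock(struct phc_info *p) { p->locked = 0; }

void phc_init(struct phc_info *p, uint64_t ts)
{
    p->locked = 0; p->active = 1;
    p->virt_addr = malloc(sizeof *p->virt_addr);
    p->virt_addr->timestamp = ts;
}

/* Destroy ordering from the commit message: active cleared under the lock, then free + NULL. */
void phc_destroy(struct phc_info *p)
{
    phc_lock(p); p->active = 0; phc_unlock(p);
    free(p->virt_addr); p->virt_addr = NULL;
}

/* Pre-patch ordering. -EFAULT marks where the driver would have
 * dereferenced the stale resp pointer (freed DMA memory). */
int get_timestamp_before(struct phc_info *p, uint64_t *ts, interleave_fn hook)
{
    struct phc_resp *resp = p->virt_addr;  /* cached before the lock */
    if (!p->active) return -EOPNOTSUPP;
    if (hook) hook(p);                     /* destroy() slips in here */
    phc_lock(p);
    if (resp != p->virt_addr) { phc_unlock(p); return -EFAULT; }
    *ts = resp->timestamp; phc_unlock(p);
    return 0;
}

/* Post-patch ordering: check and pointer read both under the lock. */
int get_timestamp_after(struct phc_info *p, uint64_t *ts, interleave_fn hook)
{
    struct phc_resp *resp;
    if (hook) hook(p);                     /* destroy() can only run first */
    phc_lock(p);
    if (!p->active) { phc_unlock(p); return -EOPNOTSUPP; }
    resp = p->virt_addr; *ts = resp->timestamp; phc_unlock(p);
    return 0;
}
```

With the pre-patch ordering the cached resp survives destroy and is used afterwards; with the patched ordering destroy can only run before the lock, and the check under the lock then rejects the call.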


* Re: [PATCH net] net: ena: PHC: Fix potential use-after-free in get_timestamp
  2026-05-08  6:21 [PATCH net] net: ena: PHC: Fix potential use-after-free in get_timestamp Arthur Kiyanovski
@ 2026-05-08  9:28 ` Vadim Fedorenko
  2026-05-10 17:10 ` patchwork-bot+netdevbpf
  1 sibling, 0 replies; 3+ messages in thread
From: Vadim Fedorenko @ 2026-05-08  9:28 UTC (permalink / raw)
  To: Arthur Kiyanovski, David Miller, Jakub Kicinski, netdev
  Cc: Richard Cochran, Eric Dumazet, Paolo Abeni, David Woodhouse,
	Thomas Gleixner, Miroslav Lichvar, Andrew Lunn, Wen Gu, Xuan Zhuo,
	David Woodhouse, Yonatan Sarna, Zorik Machulsky,
	Alexander Matushevsky, Saeed Bshara, Matt Wilson, Anthony Liguori,
	Nafea Bshara, Evgeny Schmeilin, Netanel Belgazal, Ali Saidi,
	Benjamin Herrenschmidt, Noam Dagan, David Arinzon,
	Evgeny Ostrovsky, Ofir Tabachnik, Amit Bernstein, stable

On 08/05/2026 07:21, Arthur Kiyanovski wrote:
> Move the phc->active check and resp pointer assignment to after
> acquiring the spinlock. Previously, phc->active was checked without
> holding the lock, and resp was cached from ena_dev->phc.virt_addr
> before the lock was acquired.
> 
> If ena_com_phc_destroy() runs between the lockless active check and
> the lock acquisition, it sets active=false, releases the lock, frees
> the DMA memory, and sets virt_addr=NULL. The get_timestamp path would
> then read a NULL virt_addr and dereference it.
> 
> With both the active check and the pointer read under the lock,
> destroy cannot free the memory while get_timestamp is using it.
> 
> Fixes: e0ea34158ee8 ("net: ena: Add PHC support in the ENA driver")
> Cc: stable@vger.kernel.org
> Signed-off-by: Arthur Kiyanovski <akiyano@amazon.com>
> ---
>   drivers/net/ethernet/amazon/ena/ena_com.c | 7 +++++--
>   1 file changed, 5 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/net/ethernet/amazon/ena/ena_com.c b/drivers/net/ethernet/amazon/ena/ena_com.c
> index e67b592..8c86789 100644
> --- a/drivers/net/ethernet/amazon/ena/ena_com.c
> +++ b/drivers/net/ethernet/amazon/ena/ena_com.c
> @@ -1782,20 +1782,23 @@ void ena_com_phc_destroy(struct ena_com_dev *ena_dev)
>   
>   int ena_com_phc_get_timestamp(struct ena_com_dev *ena_dev, u64 *timestamp)
>   {
> -	volatile struct ena_admin_phc_resp *resp = ena_dev->phc.virt_addr;
>   	const ktime_t zero_system_time = ktime_set(0, 0);
>   	struct ena_com_phc_info *phc = &ena_dev->phc;
> +	volatile struct ena_admin_phc_resp *resp;
>   	ktime_t expire_time;
>   	ktime_t block_time;
>   	unsigned long flags = 0;
>   	int ret = 0;
>   
> +	spin_lock_irqsave(&phc->lock, flags);
> +
>   	if (!phc->active) {
> +		spin_unlock_irqrestore(&phc->lock, flags);
>   		netdev_err(ena_dev->net_device, "PHC feature is not active in the device\n");
>   		return -EOPNOTSUPP;
>   	}
>   
> -	spin_lock_irqsave(&phc->lock, flags);
> +	resp = ena_dev->phc.virt_addr;
>   
>   	/* Check if PHC is in blocked state */
>   	if (unlikely(ktime_compare(phc->system_time, zero_system_time))) {

Reviewed-by: Vadim Fedorenko <vadim.fedorenko@linux.dev>


* Re: [PATCH net] net: ena: PHC: Fix potential use-after-free in get_timestamp
  2026-05-08  6:21 [PATCH net] net: ena: PHC: Fix potential use-after-free in get_timestamp Arthur Kiyanovski
  2026-05-08  9:28 ` Vadim Fedorenko
@ 2026-05-10 17:10 ` patchwork-bot+netdevbpf
  1 sibling, 0 replies; 3+ messages in thread
From: patchwork-bot+netdevbpf @ 2026-05-10 17:10 UTC (permalink / raw)
  To: Arthur Kiyanovski
  Cc: davem, kuba, netdev, richardcochran, edumazet, pabeni, dwmw2,
	tglx, mlichvar, andrew+netdev, guwen, xuanzhuo, dwmw, ysarna,
	zorik, matua, saeedb, msw, aliguori, nafea, evgenys, netanel,
	alisaidi, benh, ndagan, darinzon, evostrov, ofirt, amitbern,
	stable

Hello:

This patch was applied to netdev/net.git (main)
by Jakub Kicinski <kuba@kernel.org>:

On Fri, 8 May 2026 06:21:21 +0000 you wrote:
> Move the phc->active check and resp pointer assignment to after
> acquiring the spinlock. Previously, phc->active was checked without
> holding the lock, and resp was cached from ena_dev->phc.virt_addr
> before the lock was acquired.
> 
> If ena_com_phc_destroy() runs between the lockless active check and
> the lock acquisition, it sets active=false, releases the lock, frees
> the DMA memory, and sets virt_addr=NULL. The get_timestamp path would
> then read a NULL virt_addr and dereference it.
> 
> [...]

Here is the summary with links:
  - [net] net: ena: PHC: Fix potential use-after-free in get_timestamp
    https://git.kernel.org/netdev/net/c/e42c755582f0

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html


