From: David Miller
Subject: Re: [PATCH v2] net/mlx4_en: fix potential use-after-free with dma_unmap_page
Date: Fri, 27 Apr 2018 19:48:59 -0400 (EDT)
Message-ID: <20180427.194859.554972405986118921.davem@davemloft.net>
References: <1524715234-20002-1-git-send-email-srn@prgmr.com>
In-Reply-To: <1524715234-20002-1-git-send-email-srn@prgmr.com>
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
To: srn@prgmr.com
Cc: tariqt@mellanox.com, yishaih@mellanox.com, netdev@vger.kernel.org
Sender: netdev-owner@vger.kernel.org
Received: from shards.monkeyblade.net ([184.105.139.130]:59472 "EHLO shards.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S933029AbeD0XtA (ORCPT); Fri, 27 Apr 2018 19:49:00 -0400

From: Sarah Newman
Date: Wed, 25 Apr 2018 21:00:34 -0700

> When swiotlb is in use, calling dma_unmap_page means that
> the original page mapped with dma_map_page must still be valid
> as swiotlb will copy data from its internal cache back to the
> originally requested DMA location. When GRO is enabled,
> all references to the original frag may be put before
> mlx4_en_free_frag is called, meaning the page has been freed
> before the call to dma_unmap_page in mlx4_en_free_frag.
>
> To fix, unmap the page as soon as possible.
>
> This can be trivially detected by doing the following:
>
> Compile the kernel with DEBUG_PAGEALLOC
> Run the kernel as a Xen Dom0
> Leave GRO enabled on the interface
> Run a 10 second or more test with iperf over the interface.
>
> Signed-off-by: Sarah Newman

Tariq, I assume I will get this from you in the next set of changes
you submit to me.

Thanks.
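The ordering hazard the commit message describes, as an added user-space model that is not part of this thread, the mlx4 driver, or the kernel: a bounce-buffer mapping whose unmap copies device data back into the original page (what swiotlb does for a DMA_FROM_DEVICE unmap), a reference-counted page that is poisoned and flagged when its last reference is put (standing in for what DEBUG_PAGEALLOC would catch), and the two orderings, unmap in a later cleanup after the stack has put the last reference (pre-fix) versus unmap before the page is handed off (the fix). All names (`struct page`, `dma_unmap_page_m`, `simulate_rx`, the payload text) are hypothetical constructions for the model.

```c
/* Added example: user-space model of the swiotlb copy-back vs. page-free
 * ordering hazard. Hypothetical helpers; not mlx4_en or kernel code. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdbool.h>

#define PAGE_SZ 64

/* Model of a reference-counted page. 'freed' marks the point at which the
 * real kernel would have released it (and DEBUG_PAGEALLOC unmapped it). */
struct page {
    unsigned char data[PAGE_SZ];
    int refcount;
    bool freed;
};

/* Model of a swiotlb bounce mapping: the device writes into 'bounce' and the
 * unmap copies that back into the originally mapped page. */
struct dma_mapping {
    struct page *orig;
    unsigned char bounce[PAGE_SZ];
};

static int bad_writes;   /* copy-backs that landed in an already-freed page */

static struct page *alloc_page_m(void) {
    struct page *p = calloc(1, sizeof *p);
    p->refcount = 1;
    return p;
}

/* put_page: dropping the last reference "frees" the page. The object stays
 * addressable so the model can detect a later write into it. */
static void put_page_m(struct page *p) {
    if (--p->refcount == 0) {
        memset(p->data, 0xA5, PAGE_SZ);
        p->freed = true;
    }
}

static void dma_map_page_m(struct dma_mapping *m, struct page *p) {
    m->orig = p;
    memset(m->bounce, 0, PAGE_SZ);
}

/* The device DMA-writes into the bounce buffer, never into the page itself. */
static void device_writes(struct dma_mapping *m, const char *payload) {
    strncpy((char *)m->bounce, payload, PAGE_SZ - 1);
}

/* dma_unmap_page under swiotlb: sync bounce -> original page. Writing into a
 * page whose last reference is gone is the use-after-free from the commit. */
static bool dma_unmap_page_m(struct dma_mapping *m) {
    if (m->orig->freed) {
        bad_writes++;
        return false;
    }
    memcpy(m->orig->data, m->bounce, PAGE_SZ);
    return true;
}

/* One receive through the model. unmap_early=true is the fixed ordering
 * (unmap before the page leaves the driver); false is the pre-fix ordering
 * (unmap in a later cleanup, after the stack has put the last reference).
 * 'seen' receives what the stack read from the page. Returns the number of
 * copy-backs that hit a freed page (0 means safe). */
static int simulate_rx(bool unmap_early, const char *payload, char *seen, size_t seen_sz) {
    struct dma_mapping m;
    struct page *p = alloc_page_m();
    int before = bad_writes;

    dma_map_page_m(&m, p);
    device_writes(&m, payload);

    if (unmap_early)
        dma_unmap_page_m(&m);        /* fix: copy-back while the page is still ours */

    /* Hand the page, and the driver's reference to it, to the stack. With GRO
     * the stack may put that last reference before the driver's frag cleanup. */
    snprintf(seen, seen_sz, "%s", (char *)p->data);
    put_page_m(p);

    if (!unmap_early)
        dma_unmap_page_m(&m);        /* pre-fix: copy-back into a freed page */

    free(p);
    return bad_writes - before;
}

static const char PAYLOAD[] = "constructed GRO test payload";

int uaf_count_late_unmap(void) {
    char seen[PAGE_SZ];
    return simulate_rx(false, PAYLOAD, seen, sizeof seen);
}

int uaf_count_early_unmap(void) {
    char seen[PAGE_SZ];
    return simulate_rx(true, PAYLOAD, seen, sizeof seen);
}

/* 1 if, with the fixed ordering, the stack sees the device's data. */
int early_unmap_delivers_payload(void) {
    char seen[PAGE_SZ];
    simulate_rx(true, PAYLOAD, seen, sizeof seen);
    return strcmp(seen, PAYLOAD) == 0;
}

int main(void) {
    printf("late unmap:  %d copy-back(s) into a freed page\n", uaf_count_late_unmap());
    printf("early unmap: %d copy-back(s) into a freed page, payload delivered: %d\n",
           uaf_count_early_unmap(), early_unmap_delivers_payload());
    return 0;
}
```

The model makes the dependency explicit: the unmap is a write into the mapped page, so it must happen while the driver still owns a reference. Moving it before the page is passed up the stack is what removes the window, independent of how GRO happens to coalesce references.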