From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Pavel Belous <pbelous@marvell.com>,
Christophe Vu-Brugier <cvubrugier@fastmail.fm>,
Igor Russkikh <irusskikh@marvell.com>,
Dmitry Bogdanov <dbogdanov@marvell.com>,
"David S . Miller" <davem@davemloft.net>,
Sasha Levin <sashal@kernel.org>,
netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 4.19 14/32] net: atlantic: fix use after free kasan warn
Date: Mon, 2 Mar 2020 21:48:33 -0500 [thread overview]
Message-ID: <20200303024851.10054-14-sashal@kernel.org> (raw)
In-Reply-To: <20200303024851.10054-1-sashal@kernel.org>
From: Pavel Belous <pbelous@marvell.com>
[ Upstream commit a4980919ad6a7be548d499bc5338015e1a9191c6 ]
skb->len is used to calculate statistics after xmit invocation.
Under a stress load it may happen that skb will be xmited,
rx interrupt will come and skb will be freed, all before xmit function
is even returned.
Eventually, skb->len will access unallocated area.
Moving stats calculation into tx_clean routine.
Fixes: 018423e90bee ("net: ethernet: aquantia: Add ring support code")
Reported-by: Christophe Vu-Brugier <cvubrugier@fastmail.fm>
Signed-off-by: Igor Russkikh <irusskikh@marvell.com>
Signed-off-by: Pavel Belous <pbelous@marvell.com>
Signed-off-by: Dmitry Bogdanov <dbogdanov@marvell.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/aquantia/atlantic/aq_nic.c | 4 ----
drivers/net/ethernet/aquantia/atlantic/aq_ring.c | 7 +++++--
2 files changed, 5 insertions(+), 6 deletions(-)
diff --git a/drivers/net/ethernet/aquantia/atlantic/aq_nic.c b/drivers/net/ethernet/aquantia/atlantic/aq_nic.c
index 8cc34b0bedc3a..d1de11b575f44 100644
--- a/drivers/net/ethernet/aquantia/atlantic/aq_nic.c
+++ b/drivers/net/ethernet/aquantia/atlantic/aq_nic.c
@@ -530,10 +530,6 @@ int aq_nic_xmit(struct aq_nic_s *self, struct sk_buff *skb)
if (likely(frags)) {
err = self->aq_hw_ops->hw_ring_tx_xmit(self->aq_hw,
ring, frags);
- if (err >= 0) {
- ++ring->stats.tx.packets;
- ring->stats.tx.bytes += skb->len;
- }
} else {
err = NETDEV_TX_BUSY;
}
diff --git a/drivers/net/ethernet/aquantia/atlantic/aq_ring.c b/drivers/net/ethernet/aquantia/atlantic/aq_ring.c
index b3c7994d73eb1..b03e5fd4327e3 100644
--- a/drivers/net/ethernet/aquantia/atlantic/aq_ring.c
+++ b/drivers/net/ethernet/aquantia/atlantic/aq_ring.c
@@ -162,9 +162,12 @@ bool aq_ring_tx_clean(struct aq_ring_s *self)
}
}
- if (unlikely(buff->is_eop))
- dev_kfree_skb_any(buff->skb);
+ if (unlikely(buff->is_eop)) {
+ ++self->stats.rx.packets;
+ self->stats.tx.bytes += buff->skb->len;
+ dev_kfree_skb_any(buff->skb);
+ }
buff->pa = 0U;
buff->eop_index = 0xffffU;
self->sw_head = aq_ring_next_dx(self, self->sw_head);
--
2.20.1
next prev parent reply other threads:[~2020-03-03 2:55 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20200303024851.10054-1-sashal@kernel.org>
2020-03-03 2:48 ` [PATCH AUTOSEL 4.19 04/32] selftests: fix too long argument Sasha Levin
2020-03-03 2:48 ` [PATCH AUTOSEL 4.19 13/32] selftests: forwarding: use proto icmp for {gretap, ip6gretap}_mac testing Sasha Levin
2020-03-03 2:48 ` Sasha Levin [this message]
2020-03-03 2:48 ` [PATCH AUTOSEL 4.19 15/32] net: atlantic: fix potential error handling Sasha Levin
2020-03-03 2:48 ` [PATCH AUTOSEL 4.19 16/32] net: phy: restore mdio regs in the iproc mdio driver Sasha Levin
2020-03-03 2:48 ` [PATCH AUTOSEL 4.19 17/32] net: dsa: b53: Ensure the default VID is untagged Sasha Levin
2020-03-03 2:48 ` [PATCH AUTOSEL 4.19 18/32] net: ks8851-ml: Remove 8-bit bus accessors Sasha Levin
2020-03-03 2:48 ` [PATCH AUTOSEL 4.19 19/32] net: ks8851-ml: Fix 16-bit data access Sasha Levin
2020-03-03 2:48 ` [PATCH AUTOSEL 4.19 20/32] net: ks8851-ml: Fix 16-bit IO operation Sasha Levin
2020-03-03 2:48 ` [PATCH AUTOSEL 4.19 24/32] net: mscc: fix in frame extraction Sasha Levin
2020-03-03 2:48 ` [PATCH AUTOSEL 4.19 28/32] nfc: pn544: Fix occasional HW initialization failure Sasha Levin
2020-03-03 2:48 ` [PATCH AUTOSEL 4.19 29/32] ice: Don't tell the OS that link is going down Sasha Levin
2020-03-03 2:48 ` [PATCH AUTOSEL 4.19 32/32] net: thunderx: workaround BGX TX Underflow issue Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200303024851.10054-14-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=cvubrugier@fastmail.fm \
--cc=davem@davemloft.net \
--cc=dbogdanov@marvell.com \
--cc=irusskikh@marvell.com \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pbelous@marvell.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).