[PATCH] epic100: fix use after free on rmmod

netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH] epic100: fix use after free on rmmod
@ 2022-06-23  7:40 Tong Zhang
  2022-06-23  9:22 ` Francois Romieu
  0 siblings, 1 reply; 8+ messages in thread
From: Tong Zhang @ 2022-06-23  7:40 UTC (permalink / raw)
  To: David S. Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni,
	Florian Fainelli, Arnd Bergmann, Jason Gunthorpe, Tong Zhang,
	Jeff Kirsher, netdev, linux-kernel
  Cc: Yilun Wu

epic_close() calls epic_rx() and uses dma buffer, but in epic_remove_one()
we already freed the dma buffer. To fix this issue, reorder function calls
like in the .probe function.

BUG: KASAN: use-after-free in epic_rx+0xa6/0x7e0 [epic100]
Call Trace:
 epic_rx+0xa6/0x7e0 [epic100]
 epic_close+0xec/0x2f0 [epic100]
 unregister_netdev+0x18/0x20
 epic_remove_one+0xaa/0xf0 [epic100]

Fixes: ae150435b59e ("smsc: Move the SMC (SMSC) drivers")
Reported-by: Yilun Wu <yiluwu@cs.stonybrook.edu>
Signed-off-by: Tong Zhang <ztong0001@gmail.com>
---
 drivers/net/ethernet/smsc/epic100.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/net/ethernet/smsc/epic100.c b/drivers/net/ethernet/smsc/epic100.c
index a0654e88444c..0329caf63279 100644
--- a/drivers/net/ethernet/smsc/epic100.c
+++ b/drivers/net/ethernet/smsc/epic100.c
@@ -1515,14 +1515,14 @@ static void epic_remove_one(struct pci_dev *pdev)
 	struct net_device *dev = pci_get_drvdata(pdev);
 	struct epic_private *ep = netdev_priv(dev);
 
+	unregister_netdev(dev);
 	dma_free_coherent(&pdev->dev, TX_TOTAL_SIZE, ep->tx_ring,
 			  ep->tx_ring_dma);
 	dma_free_coherent(&pdev->dev, RX_TOTAL_SIZE, ep->rx_ring,
 			  ep->rx_ring_dma);
-	unregister_netdev(dev);
 	pci_iounmap(pdev, ep->ioaddr);
-	pci_release_regions(pdev);
 	free_netdev(dev);
+	pci_release_regions(pdev);
 	pci_disable_device(pdev);
 	/* pci_power_off(pdev, -1); */
 }
-- 
2.25.1


^ permalink raw reply related	[flat|nested] 8+ messages in thread

* Re: [PATCH] epic100: fix use after free on rmmod
  2022-06-23  7:40 [PATCH] epic100: fix use after free on rmmod Tong Zhang
@ 2022-06-23  9:22 ` Francois Romieu
  2022-06-24 18:41   ` Jakub Kicinski
  0 siblings, 1 reply; 8+ messages in thread
From: Francois Romieu @ 2022-06-23  9:22 UTC (permalink / raw)
  To: Tong Zhang
  Cc: David S. Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni,
	Florian Fainelli, Arnd Bergmann, Jason Gunthorpe, Jeff Kirsher,
	netdev, linux-kernel, Yilun Wu

Tong Zhang <ztong0001@gmail.com> :
> epic_close() calls epic_rx() and uses dma buffer, but in epic_remove_one()
> we already freed the dma buffer. To fix this issue, reorder function calls
> like in the .probe function.
> 
> BUG: KASAN: use-after-free in epic_rx+0xa6/0x7e0 [epic100]
> Call Trace:
>  epic_rx+0xa6/0x7e0 [epic100]
>  epic_close+0xec/0x2f0 [epic100]
>  unregister_netdev+0x18/0x20
>  epic_remove_one+0xaa/0xf0 [epic100]
> 
> Fixes: ae150435b59e ("smsc: Move the SMC (SMSC) drivers")
> Reported-by: Yilun Wu <yiluwu@cs.stonybrook.edu>
> Signed-off-by: Tong Zhang <ztong0001@gmail.com>

The "Fixes:" tag is a bit misleading: this code path predates the move
by several years. Ignoring pci_* vs dma_* API changes, this is pre-2005
material.

Reviewed-by: Francois Romieu <romieu@fr.zoreil.com>

-- 
Ueimor

^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [PATCH] epic100: fix use after free on rmmod
  2022-06-23  9:22 ` Francois Romieu
@ 2022-06-24 18:41   ` Jakub Kicinski
  2022-06-26  4:45     ` Tong Zhang
  2022-06-27  4:33     ` [PATCH v2] " Tong Zhang
  0 siblings, 2 replies; 8+ messages in thread
From: Jakub Kicinski @ 2022-06-24 18:41 UTC (permalink / raw)
  To: Francois Romieu
  Cc: Tong Zhang, David S. Miller, Eric Dumazet, Paolo Abeni,
	Florian Fainelli, Arnd Bergmann, Jason Gunthorpe, Jeff Kirsher,
	netdev, linux-kernel, Yilun Wu

On Thu, 23 Jun 2022 11:22:28 +0200 Francois Romieu wrote:
> Tong Zhang <ztong0001@gmail.com> :
> > epic_close() calls epic_rx() and uses dma buffer, but in epic_remove_one()
> > we already freed the dma buffer. To fix this issue, reorder function calls
> > like in the .probe function.
> > 
> > BUG: KASAN: use-after-free in epic_rx+0xa6/0x7e0 [epic100]
> > Call Trace:
> >  epic_rx+0xa6/0x7e0 [epic100]
> >  epic_close+0xec/0x2f0 [epic100]
> >  unregister_netdev+0x18/0x20
> >  epic_remove_one+0xaa/0xf0 [epic100]
> > 
> > Fixes: ae150435b59e ("smsc: Move the SMC (SMSC) drivers")
> > Reported-by: Yilun Wu <yiluwu@cs.stonybrook.edu>
> > Signed-off-by: Tong Zhang <ztong0001@gmail.com>  
> 
> The "Fixes:" tag is a bit misleading: this code path predates the move
> by several years. Ignoring pci_* vs dma_* API changes, this is pre-2005
> material.

Yeah, please find the correct Fixes tag.

> Reviewed-by: Francois Romieu <romieu@fr.zoreil.com>

Keep Francois' tag when reposting.

^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [PATCH] epic100: fix use after free on rmmod
  2022-06-24 18:41   ` Jakub Kicinski
@ 2022-06-26  4:45     ` Tong Zhang
  2022-06-26 15:07       ` Francois Romieu
  2022-06-27  4:33     ` [PATCH v2] " Tong Zhang
  1 sibling, 1 reply; 8+ messages in thread
From: Tong Zhang @ 2022-06-26  4:45 UTC (permalink / raw)
  To: Jakub Kicinski
  Cc: Francois Romieu, David S. Miller, Eric Dumazet, Paolo Abeni,
	Florian Fainelli, Arnd Bergmann, Jason Gunthorpe, Jeff Kirsher,
	Netdev, open list, Yilun Wu

On Fri, Jun 24, 2022 at 11:41 AM Jakub Kicinski <kuba@kernel.org> wrote:
>
> On Thu, 23 Jun 2022 11:22:28 +0200 Francois Romieu wrote:
> > Tong Zhang <ztong0001@gmail.com> :
> > > epic_close() calls epic_rx() and uses dma buffer, but in epic_remove_one()
> > > we already freed the dma buffer. To fix this issue, reorder function calls
> > > like in the .probe function.
> > >
> > > BUG: KASAN: use-after-free in epic_rx+0xa6/0x7e0 [epic100]
> > > Call Trace:
> > >  epic_rx+0xa6/0x7e0 [epic100]
> > >  epic_close+0xec/0x2f0 [epic100]
> > >  unregister_netdev+0x18/0x20
> > >  epic_remove_one+0xaa/0xf0 [epic100]
> > >
> > > Fixes: ae150435b59e ("smsc: Move the SMC (SMSC) drivers")
> > > Reported-by: Yilun Wu <yiluwu@cs.stonybrook.edu>
> > > Signed-off-by: Tong Zhang <ztong0001@gmail.com>
> >
> > The "Fixes:" tag is a bit misleading: this code path predates the move
> > by several years. Ignoring pci_* vs dma_* API changes, this is pre-2005
> > material.
>
> Yeah, please find the correct Fixes tag.
>
> > Reviewed-by: Francois Romieu <romieu@fr.zoreil.com>
>
> Keep Francois' tag when reposting.

Looks like drivers/net/ethernet/smsc/epic100.c is renamed from
drivers/net/epic100.c
and this bug has been around since the very initial commit. What would
you suggest ?
Remove the fix tag or use
Fix: 1da177e4c3f4 ("Linux-2.6.12-rc2")

^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [PATCH] epic100: fix use after free on rmmod
  2022-06-26  4:45     ` Tong Zhang
@ 2022-06-26 15:07       ` Francois Romieu
  2022-06-27  4:35         ` Tong Zhang
  0 siblings, 1 reply; 8+ messages in thread
From: Francois Romieu @ 2022-06-26 15:07 UTC (permalink / raw)
  To: Tong Zhang
  Cc: Jakub Kicinski, David S. Miller, Eric Dumazet, Paolo Abeni,
	Florian Fainelli, Arnd Bergmann, Jason Gunthorpe, Jeff Kirsher,
	Netdev, open list, Yilun Wu

Tong Zhang <ztong0001@gmail.com> :
[...]
> Looks like drivers/net/ethernet/smsc/epic100.c is renamed from
> drivers/net/epic100.c and this bug has been around since the very
> initial commit.
> What would you suggest ? Remove the fix tag or use
> Fix: 1da177e4c3f4 ("Linux-2.6.12-rc2")

'Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")' has already been signed-by or
directly used by maintainers, including netdev ones. See:

$ git log --grep='^Fixes: 1da177e4c3f4'

The patch will require some change for pre-5.9 stable kernels due to
63692803899b563f94bf1b4f821b574eb74316ae "epic100: switch from 'pci_' to 'dma_' API".

-- 
Ueimor

^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [PATCH] epic100: fix use after free on rmmod
  2022-06-26 15:07       ` Francois Romieu
@ 2022-06-27  4:35         ` Tong Zhang
  0 siblings, 0 replies; 8+ messages in thread
From: Tong Zhang @ 2022-06-27  4:35 UTC (permalink / raw)
  To: Francois Romieu
  Cc: Jakub Kicinski, David S. Miller, Eric Dumazet, Paolo Abeni,
	Florian Fainelli, Arnd Bergmann, Jason Gunthorpe, Jeff Kirsher,
	Netdev, open list, Yilun Wu

On Sun, Jun 26, 2022 at 8:07 AM Francois Romieu <romieu@fr.zoreil.com> wrote:
>
> Tong Zhang <ztong0001@gmail.com> :
> [...]
> > Looks like drivers/net/ethernet/smsc/epic100.c is renamed from
> > drivers/net/epic100.c and this bug has been around since the very
> > initial commit.
> > What would you suggest ? Remove the fix tag or use
> > Fix: 1da177e4c3f4 ("Linux-2.6.12-rc2")
>
> 'Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")' has already been signed-by or
> directly used by maintainers, including netdev ones. See:
>
> $ git log --grep='^Fixes: 1da177e4c3f4'
>
> The patch will require some change for pre-5.9 stable kernels due to
> 63692803899b563f94bf1b4f821b574eb74316ae "epic100: switch from 'pci_' to 'dma_' API".
>
> --
> Ueimor
Thanks! I amended the fix tag and sent it as v2.
- Tong

^ permalink raw reply	[flat|nested] 8+ messages in thread

* [PATCH v2] epic100: fix use after free on rmmod
  2022-06-24 18:41   ` Jakub Kicinski
  2022-06-26  4:45     ` Tong Zhang
@ 2022-06-27  4:33     ` Tong Zhang
  2022-06-28  5:00       ` patchwork-bot+netdevbpf
  1 sibling, 1 reply; 8+ messages in thread
From: Tong Zhang @ 2022-06-27  4:33 UTC (permalink / raw)
  To: David S. Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni,
	Florian Fainelli, Tong Zhang, Jason Gunthorpe, Arnd Bergmann,
	netdev, linux-kernel
  Cc: Yilun Wu, Francois Romieu

epic_close() calls epic_rx() and uses dma buffer, but in epic_remove_one()
we already freed the dma buffer. To fix this issue, reorder function calls
like in the .probe function.

BUG: KASAN: use-after-free in epic_rx+0xa6/0x7e0 [epic100]
Call Trace:
 epic_rx+0xa6/0x7e0 [epic100]
 epic_close+0xec/0x2f0 [epic100]
 unregister_netdev+0x18/0x20
 epic_remove_one+0xaa/0xf0 [epic100]

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: Yilun Wu <yiluwu@cs.stonybrook.edu>
Signed-off-by: Tong Zhang <ztong0001@gmail.com>
Reviewed-by: Francois Romieu <romieu@fr.zoreil.com>
---
v2: amend fix tag
 drivers/net/ethernet/smsc/epic100.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/net/ethernet/smsc/epic100.c b/drivers/net/ethernet/smsc/epic100.c
index a0654e88444c..0329caf63279 100644
--- a/drivers/net/ethernet/smsc/epic100.c
+++ b/drivers/net/ethernet/smsc/epic100.c
@@ -1515,14 +1515,14 @@ static void epic_remove_one(struct pci_dev *pdev)
 	struct net_device *dev = pci_get_drvdata(pdev);
 	struct epic_private *ep = netdev_priv(dev);
 
+	unregister_netdev(dev);
 	dma_free_coherent(&pdev->dev, TX_TOTAL_SIZE, ep->tx_ring,
 			  ep->tx_ring_dma);
 	dma_free_coherent(&pdev->dev, RX_TOTAL_SIZE, ep->rx_ring,
 			  ep->rx_ring_dma);
-	unregister_netdev(dev);
 	pci_iounmap(pdev, ep->ioaddr);
-	pci_release_regions(pdev);
 	free_netdev(dev);
+	pci_release_regions(pdev);
 	pci_disable_device(pdev);
 	/* pci_power_off(pdev, -1); */
 }
-- 
2.25.1


^ permalink raw reply related	[flat|nested] 8+ messages in thread

* Re: [PATCH v2] epic100: fix use after free on rmmod
  2022-06-27  4:33     ` [PATCH v2] " Tong Zhang
@ 2022-06-28  5:00       ` patchwork-bot+netdevbpf
  0 siblings, 0 replies; 8+ messages in thread
From: patchwork-bot+netdevbpf @ 2022-06-28  5:00 UTC (permalink / raw)
  To: Tong Zhang
  Cc: davem, edumazet, kuba, pabeni, f.fainelli, jgg, arnd, netdev,
	linux-kernel, yiluwu, romieu

Hello:

This patch was applied to netdev/net.git (master)
by Jakub Kicinski <kuba@kernel.org>:

On Sun, 26 Jun 2022 21:33:48 -0700 you wrote:
> epic_close() calls epic_rx() and uses dma buffer, but in epic_remove_one()
> we already freed the dma buffer. To fix this issue, reorder function calls
> like in the .probe function.
> 
> BUG: KASAN: use-after-free in epic_rx+0xa6/0x7e0 [epic100]
> Call Trace:
>  epic_rx+0xa6/0x7e0 [epic100]
>  epic_close+0xec/0x2f0 [epic100]
>  unregister_netdev+0x18/0x20
>  epic_remove_one+0xaa/0xf0 [epic100]
> 
> [...]

Here is the summary with links:
  - [v2] epic100: fix use after free on rmmod
    https://git.kernel.org/netdev/net/c/8ee9d82cd0a4

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html



^ permalink raw reply	[flat|nested] 8+ messages in thread

end of thread, other threads:[~2022-06-28  5:00 UTC | newest]

Thread overview: 8+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2022-06-23  7:40 [PATCH] epic100: fix use after free on rmmod Tong Zhang
2022-06-23  9:22 ` Francois Romieu
2022-06-24 18:41   ` Jakub Kicinski
2022-06-26  4:45     ` Tong Zhang
2022-06-26 15:07       ` Francois Romieu
2022-06-27  4:35         ` Tong Zhang
2022-06-27  4:33     ` [PATCH v2] " Tong Zhang
2022-06-28  5:00       ` patchwork-bot+netdevbpf

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).