linux/drivers
Eugeniu Rosca 79514ef670 ravb: Fix use-after-free on ifconfig eth0 down
Commit a47b70ea86 ("ravb: unmap descriptors when freeing rings") has
introduced the issue seen in [1] reproduced on H3ULCB board.

Fix this by relocating the RX skb ringbuffer free operation, so that
swiotlb page unmapping can be done first. Freeing of aligned TX buffers
is not relevant to the issue seen in [1]. Still, reposition TX free
calls as well, to have all kfree() operations performed consistently
_after_ dma_unmap_*()/dma_free_*().

[1] Console screenshot with the problem reproduced:

salvator-x login: root
root@salvator-x:~# ifconfig eth0 up
Micrel KSZ9031 Gigabit PHY e6800000.ethernet-ffffffff:00: \
       attached PHY driver [Micrel KSZ9031 Gigabit PHY]   \
       (mii_bus:phy_addr=e6800000.ethernet-ffffffff:00, irq=235)
IPv6: ADDRCONF(NETDEV_UP): eth0: link is not ready
root@salvator-x:~#
root@salvator-x:~# ifconfig eth0 down

==================================================================
BUG: KASAN: use-after-free in swiotlb_tbl_unmap_single+0xc4/0x35c
Write of size 1538 at addr ffff8006d884f780 by task ifconfig/1649

CPU: 0 PID: 1649 Comm: ifconfig Not tainted 4.12.0-rc4-00004-g112eb07287d1 #32
Hardware name: Renesas H3ULCB board based on r8a7795 (DT)
Call trace:
[<ffff20000808f11c>] dump_backtrace+0x0/0x3a4
[<ffff20000808f4d4>] show_stack+0x14/0x1c
[<ffff20000865970c>] dump_stack+0xf8/0x150
[<ffff20000831f8b0>] print_address_description+0x7c/0x330
[<ffff200008320010>] kasan_report+0x2e0/0x2f4
[<ffff20000831eac0>] check_memory_region+0x20/0x14c
[<ffff20000831f054>] memcpy+0x48/0x68
[<ffff20000869ed50>] swiotlb_tbl_unmap_single+0xc4/0x35c
[<ffff20000869fcf4>] unmap_single+0x90/0xa4
[<ffff20000869fd14>] swiotlb_unmap_page+0xc/0x14
[<ffff2000080a2974>] __swiotlb_unmap_page+0xcc/0xe4
[<ffff2000088acdb8>] ravb_ring_free+0x514/0x870
[<ffff2000088b25dc>] ravb_close+0x288/0x36c
[<ffff200008aaf8c4>] __dev_close_many+0x14c/0x174
[<ffff200008aaf9b4>] __dev_close+0xc8/0x144
[<ffff200008ac2100>] __dev_change_flags+0xd8/0x194
[<ffff200008ac221c>] dev_change_flags+0x60/0xb0
[<ffff200008ba2dec>] devinet_ioctl+0x484/0x9d4
[<ffff200008ba7b78>] inet_ioctl+0x190/0x194
[<ffff200008a78c44>] sock_do_ioctl+0x78/0xa8
[<ffff200008a7a128>] sock_ioctl+0x110/0x3c4
[<ffff200008365a70>] vfs_ioctl+0x90/0xa0
[<ffff200008365dbc>] do_vfs_ioctl+0x148/0xc38
[<ffff2000083668f0>] SyS_ioctl+0x44/0x74
[<ffff200008083770>] el0_svc_naked+0x24/0x28

The buggy address belongs to the page:
page:ffff7e001b6213c0 count:0 mapcount:0 mapping:          (null) index:0x0
flags: 0x4000000000000000()
raw: 4000000000000000 0000000000000000 0000000000000000 00000000ffffffff
raw: 0000000000000000 ffff7e001b6213e0 0000000000000000 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8006d884f680: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8006d884f700: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff8006d884f780: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                   ^
 ffff8006d884f800: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8006d884f880: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
Disabling lock debugging due to kernel taint
root@salvator-x:~#

Fixes: a47b70ea86 ("ravb: unmap descriptors when freeing rings")
Signed-off-by: Eugeniu Rosca <erosca@de.adit-jv.com>
Acked-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-06-06 16:02:22 -04:00
..
accessibility
acpi Merge branches 'acpi-button' and 'acpi-tools' 2017-05-22 20:29:06 +02:00
amba
android
ata ARM: SoC driver updates 2017-05-09 10:01:15 -07:00
atm
auxdisplay
base Merge branches 'pm-sleep' and 'powercap' 2017-05-22 20:32:05 +02:00
bcma
block Merge branch 'for-linus' of git://git.kernel.dk/linux-block 2017-05-20 16:12:30 -07:00
bluetooth Bluetooth: hci_ldisc: Add protocol check to hci_uart_tx_wakeup() 2017-04-30 12:22:14 +02:00
bus
cdrom
char drivers: char: mem: Check for address space wraparound with mmap() 2017-05-18 16:53:55 +02:00
clk Sort of on the quieter side this time, which is probably due more 2017-05-10 13:38:18 -07:00
clocksource Merge branch 'timers-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2017-05-12 10:43:25 -07:00
connector
cpufreq Merge branches 'intel_pstate', 'pm-cpufreq' and 'pm-cpufreq-sched' 2017-05-22 20:28:22 +02:00
cpuidle Merge branches 'pm-domains', 'pm-cpuidle', 'pm-sleep' and 'powercap' 2017-05-09 23:21:46 +02:00
crypto virtio: fixes, cleanups, performance 2017-05-10 11:33:08 -07:00
dax dax: fix false CONFIG_BLOCK dependency 2017-05-13 16:18:21 -07:00
dca
devfreq
dio
dma dmaengine updates for 4.12-rc1 2017-05-09 15:40:28 -07:00
dma-buf
edac EDAC, amd64: Fix reporting of Chip Select sizes on Fam17h 2017-05-03 16:27:36 +02:00
eisa
extcon
firewire
firmware More, and hopefully final, fixes after refactor for EFI pstore backend. 2017-05-22 19:31:07 -07:00
fmc
fpga fpga fr br: update supported version numbers 2017-04-26 11:38:56 +02:00
fsi
gpio Annotation of module parameters that specify device settings 2017-05-10 19:13:03 -07:00
gpu Merge branch 'drm-fixes-4.12' of git://people.freedesktop.org/~agd5f/linux into drm-fixes 2017-05-26 11:51:55 +10:00
hid Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2017-05-02 19:09:35 -07:00
hsi
hv char/misc patches for 4.12-rc1 2017-05-04 19:15:35 -07:00
hwmon hwmon: (coretemp) Handle frozen hotplug state correctly 2017-05-14 07:49:32 -07:00
hwspinlock
hwtracing drivers/hwtracing/intel_th/msu.c: use set_memory.h header 2017-05-08 17:15:14 -07:00
i2c i2c: designware: Fix bogus sda_hold_time due to uninitialized vars 2017-05-22 19:22:19 -07:00
ide ide: don't call memcpy with the same source and destination 2017-05-08 17:36:39 -04:00
idle x86/intel_idle: add Gemini Lake support 2017-05-01 23:17:37 +02:00
iio Annotation of module parameters that specify device settings 2017-05-10 19:13:03 -07:00
infiniband Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending 2017-05-12 11:44:13 -07:00
input Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input 2017-05-13 10:25:05 -07:00
iommu iommu/mediatek: Include linux/dma-mapping.h 2017-05-17 14:51:54 +02:00
ipack
irqchip Merge branch 'irq-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2017-05-21 11:45:26 -07:00
isdn mISDN: Fix a sleep-in-atomic bug 2017-06-01 14:49:47 -04:00
leds leds: pca955x: Correct I2C Functionality 2017-05-22 21:12:44 +02:00
lguest
lightnvm lightnvm: fix bad back free on error path 2017-05-04 07:53:04 -06:00
macintosh DeviceTree for 4.12: 2017-05-05 19:33:07 -07:00
mailbox mailbox: handle empty message in tx_tick 2017-04-27 16:20:04 +05:30
mcb
md Merge tag 'md/4.12-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/shli/md 2017-05-18 12:04:41 -07:00
media Annotation of module parameters that specify device settings 2017-05-10 19:13:03 -07:00
memory memory: omap-gpmc: Fix debug output for access width 2017-05-16 08:12:47 -07:00
memstick
message scsi: mpt: Move scsi_remove_host() out of mptscsih_remove_host() 2017-04-24 18:21:17 -04:00
mfd mfd: axp20x: Support AXP803 variant 2017-04-27 11:54:49 +01:00
misc misc: pci_endpoint_test: select CRC32 2017-05-16 23:05:40 +02:00
mmc This pull request contains fixes to make the WiFi work again for the ARM64 2017-05-26 09:05:35 -07:00
mtd This pull request contains updates for both UBI and UBIFS: 2017-05-13 10:23:12 -07:00
net ravb: Fix use-after-free on ifconfig eth0 down 2017-06-06 16:02:22 -04:00
nfc
ntb
nubus
nvdimm Merge branch 'libnvdimm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/nvdimm/nvdimm 2017-05-12 15:43:10 -07:00
nvme nvme: Quirk APST on Intel 600P/P3100 devices 2017-05-26 11:53:02 +03:00
nvmem ARM: SoC driver updates 2017-05-09 10:01:15 -07:00
of MMC host: 2017-05-24 08:21:56 -07:00
oprofile
parisc
parport
pci PCI/PM: Add needs_resume flag to avoid suspend complete optimization 2017-05-23 14:18:17 -05:00
pcmcia Annotation of module parameters that specify device settings 2017-05-10 19:13:03 -07:00
perf
phy
pinctrl Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2017-05-02 19:09:35 -07:00
platform char/misc patches for 4.12-rc1 2017-05-04 19:15:35 -07:00
pnp
power power supply and reset changes for the v4.12 series (part 2) 2017-05-12 12:02:21 -07:00
powercap PowerCap: Fix an error code in powercap_register_zone() 2017-05-14 13:30:05 +02:00
pps
ps3
ptp Merge branch 'timers-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2017-05-01 16:15:18 -07:00
pwm
rapidio char/misc patches for 4.12-rc1 2017-05-04 19:15:35 -07:00
ras
regulator Merge remote-tracking branch 'regulator/topic/vctrl' into regulator-next 2017-04-30 22:17:44 +09:00
remoteproc virtio: fixes, cleanups, performance 2017-05-10 11:33:08 -07:00
reset ARM: SoC driver updates 2017-05-09 10:01:15 -07:00
rpmsg virtio: fixes, cleanups, performance 2017-05-10 11:33:08 -07:00
rtc Merge branches 'pm-sleep' and 'powercap' 2017-05-22 20:32:05 +02:00
s390 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux 2017-05-16 09:24:44 -07:00
sbus
scsi SCSI fixes on 20170524 2017-05-24 20:29:53 -07:00
sfi
sh
sn
soc ARM: SoC fixes (and a cross-arch dt-include fix) 2017-05-19 13:36:56 -07:00
spi Merge remote-tracking branches 'spi/topic/ti-qspi' and 'spi/topic/xlp' into spi-next 2017-04-26 15:58:22 +01:00
spmi
ssb
staging staging: fsl-dpaa2/eth: add ETHERNET dependency 2017-05-16 14:23:31 +02:00
target Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending 2017-05-12 11:44:13 -07:00
tc
tee Linux 4.12-rc1 2017-05-18 23:54:47 -07:00
thermal Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/rzhang/linux 2017-05-12 11:58:45 -07:00
thunderbolt
tty Annotation of module parameters that specify device settings 2017-05-10 19:13:03 -07:00
uio uio: fix incorrect memory leak cleanup 2017-05-16 23:06:41 +02:00
usb USB-serial fixes for v4.12-rc2 2017-05-19 10:10:07 +02:00
uwb uwb: fix device quirk on big-endian hosts 2017-05-17 11:27:41 +02:00
vfio powerpc updates for 4.12 part 1. 2017-05-05 11:36:44 -07:00
vhost mm: support __GFP_REPEAT in kvmalloc_node for >32kB 2017-05-08 17:15:12 -07:00
video fbdev changes for v4.12: 2017-05-11 11:12:26 -07:00
virt drivers/virt/fsl_hypervisor.c: use get_user_pages_unlocked() 2017-05-08 17:15:10 -07:00
virtio virtio: allow extra context per descriptor 2017-05-02 23:41:43 +03:00
vlynq
vme
w1
watchdog watchdog: bcm281xx: Fix use of uninitialized spinlock. 2017-05-19 10:42:25 +02:00
xen Merge branch 'work.misc' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2017-05-09 09:12:53 -07:00
zorro
Kconfig
Makefile Merge branch 'tee/initial-merge' into fixes 2017-05-10 21:03:31 +02:00