linux/drivers/net
Eugeniu Rosca 79514ef670 ravb: Fix use-after-free on ifconfig eth0 down
Commit a47b70ea86 ("ravb: unmap descriptors when freeing rings") has
introduced the issue seen in [1] reproduced on H3ULCB board.

Fix this by relocating the RX skb ringbuffer free operation, so that
swiotlb page unmapping can be done first. Freeing of aligned TX buffers
is not relevant to the issue seen in [1]. Still, reposition TX free
calls as well, to have all kfree() operations performed consistently
_after_ dma_unmap_*()/dma_free_*().

[1] Console screenshot with the problem reproduced:

salvator-x login: root
root@salvator-x:~# ifconfig eth0 up
Micrel KSZ9031 Gigabit PHY e6800000.ethernet-ffffffff:00: \
       attached PHY driver [Micrel KSZ9031 Gigabit PHY]   \
       (mii_bus:phy_addr=e6800000.ethernet-ffffffff:00, irq=235)
IPv6: ADDRCONF(NETDEV_UP): eth0: link is not ready
root@salvator-x:~#
root@salvator-x:~# ifconfig eth0 down

==================================================================
BUG: KASAN: use-after-free in swiotlb_tbl_unmap_single+0xc4/0x35c
Write of size 1538 at addr ffff8006d884f780 by task ifconfig/1649

CPU: 0 PID: 1649 Comm: ifconfig Not tainted 4.12.0-rc4-00004-g112eb07287d1 #32
Hardware name: Renesas H3ULCB board based on r8a7795 (DT)
Call trace:
[<ffff20000808f11c>] dump_backtrace+0x0/0x3a4
[<ffff20000808f4d4>] show_stack+0x14/0x1c
[<ffff20000865970c>] dump_stack+0xf8/0x150
[<ffff20000831f8b0>] print_address_description+0x7c/0x330
[<ffff200008320010>] kasan_report+0x2e0/0x2f4
[<ffff20000831eac0>] check_memory_region+0x20/0x14c
[<ffff20000831f054>] memcpy+0x48/0x68
[<ffff20000869ed50>] swiotlb_tbl_unmap_single+0xc4/0x35c
[<ffff20000869fcf4>] unmap_single+0x90/0xa4
[<ffff20000869fd14>] swiotlb_unmap_page+0xc/0x14
[<ffff2000080a2974>] __swiotlb_unmap_page+0xcc/0xe4
[<ffff2000088acdb8>] ravb_ring_free+0x514/0x870
[<ffff2000088b25dc>] ravb_close+0x288/0x36c
[<ffff200008aaf8c4>] __dev_close_many+0x14c/0x174
[<ffff200008aaf9b4>] __dev_close+0xc8/0x144
[<ffff200008ac2100>] __dev_change_flags+0xd8/0x194
[<ffff200008ac221c>] dev_change_flags+0x60/0xb0
[<ffff200008ba2dec>] devinet_ioctl+0x484/0x9d4
[<ffff200008ba7b78>] inet_ioctl+0x190/0x194
[<ffff200008a78c44>] sock_do_ioctl+0x78/0xa8
[<ffff200008a7a128>] sock_ioctl+0x110/0x3c4
[<ffff200008365a70>] vfs_ioctl+0x90/0xa0
[<ffff200008365dbc>] do_vfs_ioctl+0x148/0xc38
[<ffff2000083668f0>] SyS_ioctl+0x44/0x74
[<ffff200008083770>] el0_svc_naked+0x24/0x28

The buggy address belongs to the page:
page:ffff7e001b6213c0 count:0 mapcount:0 mapping:          (null) index:0x0
flags: 0x4000000000000000()
raw: 4000000000000000 0000000000000000 0000000000000000 00000000ffffffff
raw: 0000000000000000 ffff7e001b6213e0 0000000000000000 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8006d884f680: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8006d884f700: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff8006d884f780: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                   ^
 ffff8006d884f800: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8006d884f880: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
Disabling lock debugging due to kernel taint
root@salvator-x:~#

Fixes: a47b70ea86 ("ravb: unmap descriptors when freeing rings")
Signed-off-by: Eugeniu Rosca <erosca@de.adit-jv.com>
Acked-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-06-06 16:02:22 -04:00
appletalk Annotate hardware config module parameters in drivers/net/appletalk/ 2017-04-20 12:02:32 +01:00
arcnet Annotate hardware config module parameters in drivers/net/arcnet/ 2017-04-20 12:02:32 +01:00
bonding bonding: Don't update slave->link until ready to commit 2017-05-25 14:47:35 -04:00
caif virtio: wrap find_vqs 2017-05-02 23:41:42 +03:00
can Annotation of module parameters that specify device settings 2017-05-10 19:13:03 -07:00
cris net: cris: eth_v10: use new api ethtool_{get|set}_link_ksettings 2017-03-27 15:53:19 -07:00
dsa net: dsa: mv88e6xxx: Add missing static to stub functions 2017-05-30 14:07:53 -04:00
ethernet ravb: Fix use-after-free on ifconfig eth0 down 2017-06-06 16:02:22 -04:00
fddi format-security: move static strings to const 2017-05-08 17:15:14 -07:00
fjes Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-03-23 16:41:27 -07:00
hamradio hdlcdrv: Fix divide by zero in hdlcdrv_ioctl 2017-05-27 18:44:17 -04:00
hippi Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-05-09 15:42:31 -07:00
hyperv netvsc: make sure napi enabled before vmbus_open 2017-05-04 11:08:36 -04:00
ieee802154 ieee802154: don't select COMMON_CLK 2017-04-22 10:28:40 +02:00
ipvlan ipvlan: use pernet operations and restrict l3s hooks to master netns 2017-04-25 10:43:22 -04:00
irda Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-05-15 15:50:49 -07:00
phy net: phy: fix kernel-doc warnings 2017-06-05 11:28:50 -04:00
plip
ppp
slip
team Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-04-26 22:39:08 -04:00
usb cdc-ether: divorce initialisation with a filter reset and a generic method 2017-05-23 11:01:28 -04:00
vmxnet3 vmxnet3: ensure that adapter is in proper state during force_close 2017-05-12 12:23:52 -04:00
wan Annotation of module parameters that specify device settings 2017-05-10 19:13:03 -07:00
wimax drivers: net: wimax: i2400m: i2400m-usb: Use time_after for time comparison 2017-05-09 09:40:33 -04:00
wireless Fixes for 4.12: 2017-06-05 22:21:25 +03:00
xen-netback
dummy.c
eql.c
geneve.c geneve: fix needed_headroom and max_mtu for collect_metadata 2017-06-04 20:03:09 -04:00
gtp.c net: fix potential null pointer dereference 2017-05-25 12:54:02 -04:00
ifb.c
Kconfig VSOCK: Add vsockmon device 2017-04-24 12:35:56 -04:00
LICENSE.SRC
loopback.c
macsec.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-04-26 22:39:08 -04:00
macvlan.c macvlan: Fix performance issues with vlan tagged packets 2017-05-15 14:18:11 -04:00
macvtap.c
Makefile VSOCK: Add vsockmon device 2017-04-24 12:35:56 -04:00
mdio.c
mii.c
netconsole.c
nlmon.c
ntb_netdev.c
rionet.c
sb1000.c
Space.c
sungem_phy.c
tap.c
tun.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-03-23 16:41:27 -07:00
veth.c netlink: pass extended ACK struct to parsing functions 2017-04-13 13:58:22 -04:00
virtio_net.c virtio_net: lower limit on buffer size 2017-06-02 14:32:34 -04:00
vrf.c driver: vrf: Fix one possible use-after-free issue 2017-05-11 12:13:11 -04:00
vsockmon.c VSOCK: Add vsockmon device 2017-04-24 12:35:56 -04:00
vxlan.c vxlan: fix use-after-free on deletion 2017-06-02 14:29:16 -04:00
xen-netfront.c xen-netfront: avoid crashing on resume after a failure in talk_to_netback() 2017-05-11 21:38:50 -04:00