[net,v3] net: ethernet: fix use after free bug in ns83820_remove_one due to race condition
| Message ID | 20230417013107.360888-1-zyytlz.wz@163.com |
|---|---|
| State | New |
| Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a59:b0ea:0:b0:3b6:4342:cba0 with SMTP id b10csp1821873vqo;
Sun, 16 Apr 2023 18:35:53 -0700 (PDT)
X-Google-Smtp-Source:
AKy350bC0FCzI6pDRe8pnbcPGyoxDjsYtoSeJPLzFcsr4PPdt4GJNpCibVBHfVHgacWyu7acTrSQ
X-Received: by 2002:a17:902:f684:b0:19f:1871:3dcd with SMTP id
l4-20020a170902f68400b0019f18713dcdmr13333416plg.5.1681695352803;
Sun, 16 Apr 2023 18:35:52 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1681695352; cv=none;
d=google.com; s=arc-20160816;
b=BLVIHoT+VXIH2mJxBcbyk1M3PDsDV9X9Imjk+DYeLhRGrvylwNyF7OJ+sfyskx2cFL
SoVBMtj0dkleoxRfYFN0pavm/vkQvMKXAzlzKB1C8XV9bUgJSVxe6u9Y5IPNctpQCdZl
8TAoaew1MON52AKjD7hxIdtjWx2Vew7MsPvvRQ3Eb5lQ1H3cZvJ/fgOgH5r6dOKtQ+/Y
JAjWtj+h/QfaK5TTSjaUfDu1eYOfx2zqhKKSWYCHtfTge27soaJfQb2R1Qnb6L8/hZRs
iaxO6xnTlbuuRYjycdH9tya0R2WACXgJu1JNrUemfb4rcUc53SggNKqw4VVn9mLGF1VA
XQ3A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=list-id:precedence:content-transfer-encoding:mime-version
:message-id:date:subject:cc:to:from:dkim-signature;
bh=QuIf/EYEkw8pplucBBff2qSL7WeM9vg3Fx4DkoCPDsc=;
b=HinqRCBfavbXTyLbk2SxAgMQtibVNIc640r64kXd5j0Z9NnN8Ww1jUfpna4NMylo5D
DJ2c+5k+NazTpB31E+zkbd9xRJrK0vrZoATtb0Zl2pz5OGu5DoDbjiKZ9Gisy/DIkp8Q
uwysz7Z9JYftEpW9lbsfV6L0mmLDKFt4dY5+27JRPB0jPeEa6dYiDR9Mx4jAjfAP6WdO
RLg4wQITC9pM1/phjNda+ug9jBa/gqF8xtzm7qt4s1eCdwZIyoyMGSEENMVfzrtj5GP9
YP+0/To2/0Sb2xTPvHexuoWrjYCq0q6WU3BOwdjyUzbxevjJfEkB5VjSq557ZrciBQmA
hUTA==
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass header.i=@163.com header.s=s110527 header.b=Zo+eOOiS;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=163.com
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
by mx.google.com with ESMTP id
ay15-20020a17090b030f00b00232dd9ab146si10309642pjb.13.2023.04.16.18.35.41;
Sun, 16 Apr 2023 18:35:52 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
dkim=pass header.i=@163.com header.s=s110527 header.b=Zo+eOOiS;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=163.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S229648AbjDQBcE (ORCPT <rfc822;yuanzuo1009@gmail.com>
+ 99 others); Sun, 16 Apr 2023 21:32:04 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:34984 "EHLO
lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
with ESMTP id S229461AbjDQBcC (ORCPT
<rfc822;linux-kernel@vger.kernel.org>);
Sun, 16 Apr 2023 21:32:02 -0400
Received: from m12.mail.163.com (m12.mail.163.com [220.181.12.196])
by lindbergh.monkeyblade.net (Postfix) with ESMTP id 22AFA1FFF;
Sun, 16 Apr 2023 18:31:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=163.com;
s=s110527; h=From:Subject:Date:Message-Id:MIME-Version; bh=QuIf/
EYEkw8pplucBBff2qSL7WeM9vg3Fx4DkoCPDsc=; b=Zo+eOOiSG0uhBtb+QiEca
uipm2Z9k+EX9Q19BokpUNco/HlZNmspY8Ljr77qz+unmgMFthuCzg27hXY3gst4G
MQI0C90JnE6s0dhXafDtjcjn9OCxBNK71MJZhReVAPDqlqTqwZdm0SjKfhNS7m0M
DvQHd5uX9PRGF7aNIjgBO8=
Received: from leanderwang-LC2.localdomain (unknown [111.206.145.21])
by zwqz-smtp-mta-g2-3 (Coremail) with SMTP id
_____wBnGyBcoTxkaj2bBg--.41108S2;
Mon, 17 Apr 2023 09:31:09 +0800 (CST)
From: Zheng Wang <zyytlz.wz@163.com>
To: davem@davemloft.net
Cc: horatiu.vultur@microchip.com, edumazet@google.com, kuba@kernel.org,
pabeni@redhat.com, netdev@vger.kernel.org,
linux-kernel@vger.kernel.org, hackerzheng666@gmail.com,
1395428693sheep@gmail.com, alex000young@gmail.com,
Zheng Wang <zyytlz.wz@163.com>
Subject: [PATCH net v3] net: ethernet: fix use after free bug in
ns83820_remove_one due to race condition
Date: Mon, 17 Apr 2023 09:31:07 +0800
Message-Id: <20230417013107.360888-1-zyytlz.wz@163.com>
X-Mailer: git-send-email 2.25.1
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-CM-TRANSID: _____wBnGyBcoTxkaj2bBg--.41108S2
X-Coremail-Antispam: 1Uf129KBjvJXoW7AFykCw1xJr1UWw47Zr1DZFb_yoW8Ww1rp3
yYkaySkr1kJw4jgr18Jr40qry5Xrs8t3yjgayIy34avas5Zr4vgF4UKFWUZr18GrWqvF4f
Aw4UZw43u3Z8ZFJanT9S1TB71UUUUUUqnTZGkaVYY2UrUUUUjbIjqfuFe4nvWSU5nxnvy2
9KBjDUYxBIdaVFxhVjvjDU0xZFpf9x0ziaZXrUUUUU=
X-Originating-IP: [111.206.145.21]
X-CM-SenderInfo: h2113zf2oz6qqrwthudrp/1tbiXR1UU1WBpQu3oAAAsq
X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,
DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM,RCVD_IN_MSPIKE_H2,
SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham
autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?=
X-GMAIL-THRID: =?utf-8?q?1763385385816311245?=
X-GMAIL-MSGID: =?utf-8?q?1763385385816311245?=
|
| Series |
[net,v3] net: ethernet: fix use after free bug in ns83820_remove_one due to race condition
|
|
Commit Message
Zheng Wang
April 17, 2023, 1:31 a.m. UTC
In ns83820_init_one, dev->tq_refill was bound with queue_refill.
If irq happens, it will call ns83820_irq->ns83820_do_isr.
Then it invokes tasklet_schedule(&dev->rx_tasklet) to start
rx_action function. And rx_action will call ns83820_rx_kick
and finally start queue_refill function.
If we remove the driver without finishing the work, there
may be a race condition between ndev, which may cause UAF
bug.
CPU0 CPU1
|queue_refill
ns83820_remove_one |
free_netdev |
put_device |
free ndev |
|rx_refill
|//use ndev
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
---
v3:
- add tasklet_kill to stop more task scheduling suggested by
Horatiu Vultur
v2:
- cancel the work after unregister_netdev to make sure there
is no more request suggested by Jakub Kicinski
---
drivers/net/ethernet/natsemi/ns83820.c | 6 ++++++
1 file changed, 6 insertions(+)
Comments
The 04/17/2023 09:31, Zheng Wang wrote: > > In ns83820_init_one, dev->tq_refill was bound with queue_refill. > > If irq happens, it will call ns83820_irq->ns83820_do_isr. > Then it invokes tasklet_schedule(&dev->rx_tasklet) to start > rx_action function. And rx_action will call ns83820_rx_kick > and finally start queue_refill function. > > If we remove the driver without finishing the work, there > may be a race condition between ndev, which may cause UAF > bug. > > CPU0 CPU1 > > |queue_refill > ns83820_remove_one | > free_netdev | > put_device | > free ndev | > |rx_refill > |//use ndev > > Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") > Signed-off-by: Zheng Wang <zyytlz.wz@163.com> I think it looks OK: Reviewed-by: Horatiu Vultur <horatiu.vultur@microchip.com> > --- > v3: > - add tasklet_kill to stop more task scheduling suggested by > Horatiu Vultur > v2: > - cancel the work after unregister_netdev to make sure there > is no more request suggested by Jakub Kicinski > --- > drivers/net/ethernet/natsemi/ns83820.c | 6 ++++++ > 1 file changed, 6 insertions(+) > > diff --git a/drivers/net/ethernet/natsemi/ns83820.c b/drivers/net/ethernet/natsemi/ns83820.c > index 998586872599..af597719795d 100644 > --- a/drivers/net/ethernet/natsemi/ns83820.c > +++ b/drivers/net/ethernet/natsemi/ns83820.c > @@ -2208,8 +2208,14 @@ static void ns83820_remove_one(struct pci_dev *pci_dev) > > ns83820_disable_interrupts(dev); /* paranoia */ > > + netif_carrier_off(ndev); > + netif_tx_disable(ndev); > + > unregister_netdev(ndev); > free_irq(dev->pci_dev->irq, ndev); > + tasklet_kill(&dev->rx_tasklet); > + cancel_work_sync(&dev->tq_refill); > + > iounmap(dev->base); > dma_free_coherent(&dev->pci_dev->dev, 4 * DESC_SIZE * NR_TX_DESC, > dev->tx_descs, dev->tx_phy_descs); > -- > 2.25.1 >
On Mon, 17 Apr 2023 09:31:07 +0800 Zheng Wang wrote: > + netif_carrier_off(ndev); > + netif_tx_disable(ndev); > + > unregister_netdev(ndev It's not immediately obvious to me why disabling carrier and tx are supposed to help. Please elaborate in the commit message if you're confident that this is right.
Jakub Kicinski <kuba@kernel.org> 于2023年4月19日周三 12:33写道: > > On Mon, 17 Apr 2023 09:31:07 +0800 Zheng Wang wrote: > > + netif_carrier_off(ndev); > > + netif_tx_disable(ndev); > > + > > unregister_netdev(ndev > > It's not immediately obvious to me why disabling carrier and tx > are supposed to help. Please elaborate in the commit message if > you're confident that this is right. > Hi Jakub, Thanks for your reply. I'll figure it out to see if it's really necessary. Best regards, Zheng > -- > pw-bot: cr
diff --git a/drivers/net/ethernet/natsemi/ns83820.c b/drivers/net/ethernet/natsemi/ns83820.c index 998586872599..af597719795d 100644 --- a/drivers/net/ethernet/natsemi/ns83820.c +++ b/drivers/net/ethernet/natsemi/ns83820.c @@ -2208,8 +2208,14 @@ static void ns83820_remove_one(struct pci_dev *pci_dev) ns83820_disable_interrupts(dev); /* paranoia */ + netif_carrier_off(ndev); + netif_tx_disable(ndev); + unregister_netdev(ndev); free_irq(dev->pci_dev->irq, ndev); + tasklet_kill(&dev->rx_tasklet); + cancel_work_sync(&dev->tq_refill); + iounmap(dev->base); dma_free_coherent(&dev->pci_dev->dev, 4 * DESC_SIZE * NR_TX_DESC, dev->tx_descs, dev->tx_phy_descs);