| Message ID | 20231214152247.3482788-1-alexious@zju.edu.cn |
|---|---|
| State | New |
| Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a05:7300:3b04:b0:fb:cd0c:d3e with SMTP id c4csp8624491dys;
Thu, 14 Dec 2023 07:23:34 -0800 (PST)
X-Google-Smtp-Source:
AGHT+IHaHuwglcUzyxKW0hVhNailZau0u69WXPhyCYqlJkhV29XBPiC5x9BUp9EH5QQMOF06rBMf
X-Received: by 2002:a05:6a00:234c:b0:6ce:38d4:273e with SMTP id
j12-20020a056a00234c00b006ce38d4273emr5920876pfj.58.1702567414299;
Thu, 14 Dec 2023 07:23:34 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1702567414; cv=none;
d=google.com; s=arc-20160816;
b=N/VuTEwaFihjm5gW2gIyx2X7tfzEajEImXsjNoJ8FYLGWlj732phml+TFT6PZXLWJl
oh/EIbexWKNmmt8gOaTKPDTY062uha5EYsMv06W7ayIH504NFhDj6Rt8HSK2TVJ98Auf
kMyLNiXhX/TiYlYLehb5iAIixyZxEvnx/FtJ5IzT/0IEQ8cL/ZcLf42u7bRlmJabU49M
QEmrZxZW0N61i58WoLAQhG5W+aE3DIxZzqbHi2sr4GQiLuS9chSWowKnZkgFGEIjk19s
VX0AgVmhxBfhnWVCXLziDqXcBmbG/pypPADJLCrORcXpk+lBPJEDuzUxd+aMq+1uz+4c
vvuw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=list-id:precedence:content-transfer-encoding:mime-version
:message-id:date:subject:cc:to:from;
bh=TfpsMDa+7NIuTMIiZ4voiSJo8fcoNkY+Wxb6vFRB74c=;
fh=VHZ/VxpQkxLHkypn8mVY9uAzvZ+adV31ghnQBuXcTTM=;
b=NsC1wwrklquzncyFP3nCI5HI1T3jlWoD/5pJFKmXi1DB2fcLmF+/XVMaUKSYvhseRH
dXXxQ5njimExGSs8wc5bc6KLb7th8zLiTaMZF05uRESATYsnPtdyf/2LQlxPIkzvnldA
UXpmPjGdkqfVskyx12VUSyOlyEw+YlFlAb7NShHOB8uH0MuEhhnOZz6/H6OkNMIprV9X
Zfq4+Wu9GsqNF0xNRZjLEtmu3vjDoYRiusPguifvtEK2KvyV/uEwMpaLe2NHFp7gGuwn
dFY214Fc0/AmCq1G/4lpFk5Mx2NTgGtnMyo0Qp2CaaYeCS7tBJJLXYGFN0Z5erkO3wva
w7oQ==
ARC-Authentication-Results: i=1; mx.google.com;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 23.128.96.38 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: from fry.vger.email (fry.vger.email. [23.128.96.38])
by mx.google.com with ESMTPS id
u33-20020a056a0009a100b0068e2d888713si11350190pfg.167.2023.12.14.07.23.33
(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
Thu, 14 Dec 2023 07:23:34 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 23.128.96.38 as permitted sender) client-ip=23.128.96.38;
Authentication-Results: mx.google.com;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 23.128.96.38 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0])
by fry.vger.email (Postfix) with ESMTP id B69F281C3D48;
Thu, 14 Dec 2023 07:23:29 -0800 (PST)
X-Virus-Status: Clean
X-Virus-Scanned: clamav-milter 0.103.11 at fry.vger.email
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S1573777AbjLNPXR (ORCPT <rfc822;dexuan.linux@gmail.com>
+ 99 others); Thu, 14 Dec 2023 10:23:17 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:48458 "EHLO
lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
with ESMTP id S1573729AbjLNPXL (ORCPT
<rfc822;linux-kernel@vger.kernel.org>);
Thu, 14 Dec 2023 10:23:11 -0500
Received: from zg8tndyumtaxlji0oc4xnzya.icoremail.net
(zg8tndyumtaxlji0oc4xnzya.icoremail.net [46.101.248.176])
by lindbergh.monkeyblade.net (Postfix) with ESMTP id 5E32A1B9;
Thu, 14 Dec 2023 07:23:14 -0800 (PST)
Received: from luzhipeng.223.5.5.5 (unknown [183.128.132.216])
by mail-app3 (Coremail) with SMTP id cC_KCgCnERjUHXtlJKHhAA--.55199S2;
Thu, 14 Dec 2023 23:23:01 +0800 (CST)
From: Zhipeng Lu <alexious@zju.edu.cn>
To: alexious@zju.edu.cn
Cc: Edward Cree <ecree.xilinx@gmail.com>,
Martin Habets <habetsm.xilinx@gmail.com>,
"David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>,
Paolo Abeni <pabeni@redhat.com>, netdev@vger.kernel.org,
linux-net-drivers@amd.com, linux-kernel@vger.kernel.org
Subject: [PATCH] sfc: fix a double-free bug in efx_probe_filters
Date: Thu, 14 Dec 2023 23:22:46 +0800
Message-Id: <20231214152247.3482788-1-alexious@zju.edu.cn>
X-Mailer: git-send-email 2.34.1
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-CM-TRANSID: cC_KCgCnERjUHXtlJKHhAA--.55199S2
X-Coremail-Antispam: 1UD129KBjvdXoWrKw48uF1xuFy8JFWrKrWUXFb_yoWktFbE9r
92gFn5Jr15AryFyw4jqw43Z3429r1Yvr1rAas7KFW3twnrJa47trZ09F93X347WFy7CF9r
X39rtry3Aa429jkaLaAFLSUrUUUUUb8apTn2vfkv8UJUUUU8Yxn0WfASr-VFAUDa7-sFnT
9fnUUIcSsGvfJTRUUUbx8FF20E14v26r4j6ryUM7CY07I20VC2zVCF04k26cxKx2IYs7xG
6rWj6s0DM7CIcVAFz4kK6r1j6r18M28lY4IEw2IIxxk0rwA2F7IY1VAKz4vEj48ve4kI8w
A2z4x0Y4vE2Ix0cI8IcVAFwI0_tr0E3s1l84ACjcxK6xIIjxv20xvEc7CjxVAFwI0_Gr1j
6F4UJwA2z4x0Y4vEx4A2jsIE14v26rxl6s0DM28EF7xvwVC2z280aVCY1x0267AKxVW0oV
Cq3wAS0I0E0xvYzxvE52x082IY62kv0487Mc02F40EFcxC0VAKzVAqx4xG6I80ewAv7VC0
I7IYx2IY67AKxVWUJVWUGwAv7VC2z280aVAFwI0_Jr0_Gr1lOx8S6xCaFVCjc4AY6r1j6r
4UM4x0Y48IcxkI7VAKI48JM4x0x7Aq67IIx4CEVc8vx2IErcIFxwACI402YVCY1x02628v
n2kIc2xKxwCF04k20xvY0x0EwIxGrwCFx2IqxVCFs4IE7xkEbVWUJVW8JwC20s026c02F4
0E14v26r1j6r18MI8I3I0E7480Y4vE14v26r106r1rMI8E67AF67kF1VAFwI0_Jw0_GFyl
IxkGc2Ij64vIr41lIxAIcVC0I7IYx2IY67AKxVWUJVWUCwCI42IY6xIIjxv20xvEc7CjxV
AFwI0_Jr0_Gr1lIxAIcVCF04k26cxKx2IYs7xG6r1j6r1xMIIF0xvEx4A2jsIE14v26r1j
6r4UMIIF0xvEx4A2jsIEc7CjxVAFwI0_Gr0_Gr1UYxBIdaVFxhVjvjDU0xZFpf9x0JUdHU
DUUUUU=
X-CM-SenderInfo: qrsrjiarszq6lmxovvfxof0/
X-Spam-Status: No,
score=-0.8 required=5.0 tests=HEADER_FROM_DIFFERENT_DOMAINS,
MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE
autolearn=unavailable autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on fry.vger.email
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-Greylist: Sender passed SPF test,
not delayed by milter-greylist-4.6.4 (fry.vger.email [0.0.0.0]);
Thu, 14 Dec 2023 07:23:29 -0800 (PST)
X-getmail-retrieved-from-mailbox: INBOX
X-GMAIL-THRID: 1785271329176429663
X-GMAIL-MSGID: 1785271329176429663
|
| Series |
sfc: fix a double-free bug in efx_probe_filters
|
|
Commit Message
Zhipeng Lu
Dec. 14, 2023, 3:22 p.m. UTC
In efx_probe_filters, the channel->rps_flow_id is freed in a
efx_for_each_channel marco when success equals to 0.
However, after the following call chain:
efx_probe_filters
|-> ef100_net_open
|-> ef100_net_stop
|-> efx_remove_filters
The channel->rps_flow_id is freed again in the efx_for_each_channel of
efx_remove_filters, triggering a double-free bug.
Fixes: a9dc3d5612ce ("sfc_ef100: RX filter table management and related gubbins")
Signed-off-by: Zhipeng Lu <alexious@zju.edu.cn>
---
drivers/net/ethernet/sfc/rx_common.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
Comments
On Thu, Dec 14, 2023 at 11:22:46PM +0800, Zhipeng Lu wrote: > In efx_probe_filters, the channel->rps_flow_id is freed in a > efx_for_each_channel marco when success equals to 0. > However, after the following call chain: > > efx_probe_filters > |-> ef100_net_open > |-> ef100_net_stop > |-> efx_remove_filters I think the call chain may be a bit more like: ef100_net_open |-> efx_probe_filters |-> ef100_net_stop |-> efx_remove_filters > > The channel->rps_flow_id is freed again in the efx_for_each_channel of > efx_remove_filters, triggering a double-free bug. > > Fixes: a9dc3d5612ce ("sfc_ef100: RX filter table management and related gubbins") > Signed-off-by: Zhipeng Lu <alexious@zju.edu.cn> The above nit not withstanding, I agree with your reasoning. And that the problem was introduced in the cited commit. Reviewed-by: Simon Horman <horms@kernel.org> ...
Hi, On Thu, 2023-12-14 at 23:22 +0800, Zhipeng Lu wrote: > In efx_probe_filters, the channel->rps_flow_id is freed in a > efx_for_each_channel marco when success equals to 0. > However, after the following call chain: > > efx_probe_filters > |-> ef100_net_open > |-> ef100_net_stop > |-> efx_remove_filters > > The channel->rps_flow_id is freed again in the efx_for_each_channel of > efx_remove_filters, triggering a double-free bug. > > Fixes: a9dc3d5612ce ("sfc_ef100: RX filter table management and related gubbins") > Signed-off-by: Zhipeng Lu <alexious@zju.edu.cn> The patch LGTM, but could you please update the commit message as per Simon's suggestions make it more consistent? You can retain Simon's RB tag. Thanks! Paolo
On 14/12/2023 15:22, Zhipeng Lu wrote: > In efx_probe_filters, the channel->rps_flow_id is freed in a > efx_for_each_channel marco when success equals to 0. > However, after the following call chain: > > efx_probe_filters > |-> ef100_net_open > |-> ef100_net_stop > |-> efx_remove_filters > > The channel->rps_flow_id is freed again in the efx_for_each_channel of > efx_remove_filters, triggering a double-free bug. > > Fixes: a9dc3d5612ce ("sfc_ef100: RX filter table management and related gubbins") > Signed-off-by: Zhipeng Lu <alexious@zju.edu.cn> Subject line should probably say [PATCH net] to specify the tree. Modulo that, and Simon's correction to the commit message, Reviewed-by: Edward Cree <ecree.xilinx@gmail.com>
> On Thu, Dec 14, 2023 at 11:22:46PM +0800, Zhipeng Lu wrote: > > In efx_probe_filters, the channel->rps_flow_id is freed in a > > efx_for_each_channel marco when success equals to 0. > > However, after the following call chain: > > > > efx_probe_filters > > |-> ef100_net_open > > |-> ef100_net_stop > > |-> efx_remove_filters > > I think the call chain may be a bit more like: > > ef100_net_open > |-> efx_probe_filters > |-> ef100_net_stop > |-> efx_remove_filters > > > > > The channel->rps_flow_id is freed again in the efx_for_each_channel of > > efx_remove_filters, triggering a double-free bug. > > > > Fixes: a9dc3d5612ce ("sfc_ef100: RX filter table management and related gubbins") > > Signed-off-by: Zhipeng Lu <alexious@zju.edu.cn> > > The above nit not withstanding, I agree with your reasoning. > And that the problem was introduced in the cited commit. > > Reviewed-by: Simon Horman <horms@kernel.org> Sorry for the call-chain's problem, I was not familiar with it at that time. Thanks for Simon's correction. Appreciate! I'll soon send a v2 patch with the corrected call-chain and RB tags.
diff --git a/drivers/net/ethernet/sfc/rx_common.c b/drivers/net/ethernet/sfc/rx_common.c index d2f35ee15eff..fac227d372db 100644 --- a/drivers/net/ethernet/sfc/rx_common.c +++ b/drivers/net/ethernet/sfc/rx_common.c @@ -823,8 +823,10 @@ int efx_probe_filters(struct efx_nic *efx) } if (!success) { - efx_for_each_channel(channel, efx) + efx_for_each_channel(channel, efx) { kfree(channel->rps_flow_id); + channel->rps_flow_id = NULL; + } efx->type->filter_table_remove(efx); rc = -ENOMEM; goto out_unlock;