| Message ID | 20221115172407.72863-1-wanghai38@huawei.com |
|---|---|
| State | New |
| Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a5d:6687:0:0:0:0:0 with SMTP id l7csp2782489wru;
Tue, 15 Nov 2022 07:11:28 -0800 (PST)
X-Google-Smtp-Source:
AA0mqf6eRBUhyatoT8YaiZQ23PetrJ/AVc/AII8RBLWSzPHQk6hmt6QRTK6Gsr1lwS88VINXjOVt
X-Received: by 2002:a17:902:9883:b0:188:a1eb:9a8a with SMTP id
s3-20020a170902988300b00188a1eb9a8amr4284781plp.153.1668525088295;
Tue, 15 Nov 2022 07:11:28 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1668525088; cv=none;
d=google.com; s=arc-20160816;
b=0ItV8PZA7/Z5qKjvtObcsxjDOmyj067Izg6+wZmqf6im7e1TXrY0cE7irlqOuYSSV7
/6Yr+ngE9PO5vJz6RXKSpH1jzU11MP7YzDKt2/w+SDndnM1zd3sgczyEWiNfW95wsXVG
RYo6QYc2MCHG9qcetvJGIkZGFv7jVK2+F9veatvvYEsxNz6i/XeNG2XNSjrt2nEzeuy2
tSPDXCmhWWj3V+lohrNni2+27IaUr2VzXvzccZKFnPu+/Mx8XXeCTh0jewx153QZdwdc
4t3NWNNZCd7tb+dKt+s5zuPqNK7HMEMaifihLvY4IsRKHXGroKnZTgJXuIfHlq1rqjN3
/1Jw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=list-id:precedence:mime-version:message-id:date:subject:cc:to:from;
bh=9d0wuO3WJnbTgAyhcOmY6Ks6p0C4EOU/MhP1yNx4NDM=;
b=mW3s8N6UfmwNV/1nYooyPV5Th36FGKb0EBFl3/lsyTEuq0ACab405UED5LQH2sKgqU
Mg50yRp33HFwNTPxKIJarnS2n804SWQvN9w919aVO+pUW9GpZ2Ilmdt2F5dIwC3wvQzC
F8ZblaYjykhTHLlbtd3VH6wRtCBH+q8qRL9C6p/RgOs90iV3HU09r+aN3F2fHZe+BLUr
iW9qrSWxVF1/ecwuFBQ7PQnLnexFy5zbD4z7kRmSmKr+3WrPBpA7de4+aAgxc0ywF3vu
ZpA4Razjx/JoKL7t9R/iTFT3upsiY7IQgPVLVM+lSAn20b39w42+alcBqb5NZoLWqM/Q
Yh9Q==
ARC-Authentication-Results: i=1; mx.google.com;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=huawei.com
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
by mx.google.com with ESMTP id
l6-20020a170902f68600b0018683763131si14045859plg.501.2022.11.15.07.11.12;
Tue, 15 Nov 2022 07:11:28 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=huawei.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S229915AbiKOPC0 (ORCPT <rfc822;maxim.cournoyer@gmail.com>
+ 99 others); Tue, 15 Nov 2022 10:02:26 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:43712 "EHLO
lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
with ESMTP id S229556AbiKOPCY (ORCPT
<rfc822;linux-kernel@vger.kernel.org>);
Tue, 15 Nov 2022 10:02:24 -0500
Received: from szxga01-in.huawei.com (szxga01-in.huawei.com [45.249.212.187])
by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 7208A248CB;
Tue, 15 Nov 2022 07:02:23 -0800 (PST)
Received: from dggemv703-chm.china.huawei.com (unknown [172.30.72.55])
by szxga01-in.huawei.com (SkyGuard) with ESMTP id 4NBTt008XCzmVv1;
Tue, 15 Nov 2022 23:02:00 +0800 (CST)
Received: from kwepemm600001.china.huawei.com (7.193.23.3) by
dggemv703-chm.china.huawei.com (10.3.19.46) with Microsoft SMTP Server
(version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id
15.1.2375.31; Tue, 15 Nov 2022 23:02:21 +0800
Received: from huawei.com (10.175.113.133) by kwepemm600001.china.huawei.com
(7.193.23.3) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.31; Tue, 15 Nov
2022 23:02:20 +0800
From: Wang Hai <wanghai38@huawei.com>
To: <jesse.brandeburg@intel.com>, <anthony.l.nguyen@intel.com>,
<baijiaju1990@163.com>, <jeffrey.t.kirsher@intel.com>,
<davem@davemloft.net>, <edumazet@google.com>, <kuba@kernel.org>,
<pabeni@redhat.com>
CC: <linux-kernel@vger.kernel.org>, <netdev@vger.kernel.org>,
<intel-wired-lan@lists.osuosl.org>
Subject: [PATCH net] e100: Fix possible use after free in e100_xmit_prepare
Date: Wed, 16 Nov 2022 01:24:07 +0800
Message-ID: <20221115172407.72863-1-wanghai38@huawei.com>
X-Mailer: git-send-email 2.17.1
MIME-Version: 1.0
Content-Type: text/plain
X-Originating-IP: [10.175.113.133]
X-ClientProxiedBy: dggems701-chm.china.huawei.com (10.3.19.178) To
kwepemm600001.china.huawei.com (7.193.23.3)
X-CFilter-Loop: Reflected
X-Spam-Status: No, score=-4.2 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_MED,
SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?=
X-GMAIL-THRID: =?utf-8?q?1749575363182530654?=
X-GMAIL-MSGID: =?utf-8?q?1749575363182530654?=
|
| Series |
[net] e100: Fix possible use after free in e100_xmit_prepare
|
|
Commit Message
Wang Hai
Nov. 15, 2022, 5:24 p.m. UTC
In e100_xmit_prepare(), if we can't map the skb, then return -ENOMEM, so
e100_xmit_frame() will return NETDEV_TX_BUSY and the upper layer will
resend the skb. But the skb is already freed, which will cause UAF bug
when the upper layer resends the skb.
Remove the harmful free.
Fixes: 5e5d49422dfb ("e100: Release skb when DMA mapping is failed in e100_xmit_prepare")
Signed-off-by: Wang Hai <wanghai38@huawei.com>
---
drivers/net/ethernet/intel/e100.c | 5 +----
1 file changed, 1 insertion(+), 4 deletions(-)
Comments
On Wed, 2022-11-16 at 01:24 +0800, Wang Hai wrote: > In e100_xmit_prepare(), if we can't map the skb, then return -ENOMEM, so > e100_xmit_frame() will return NETDEV_TX_BUSY and the upper layer will > resend the skb. But the skb is already freed, which will cause UAF bug > when the upper layer resends the skb. > > Remove the harmful free. > > Fixes: 5e5d49422dfb ("e100: Release skb when DMA mapping is failed in e100_xmit_prepare") > Signed-off-by: Wang Hai <wanghai38@huawei.com> > --- > drivers/net/ethernet/intel/e100.c | 5 +---- > 1 file changed, 1 insertion(+), 4 deletions(-) > > diff --git a/drivers/net/ethernet/intel/e100.c b/drivers/net/ethernet/intel/e100.c > index 560d1d442232..d3fdc290937f 100644 > --- a/drivers/net/ethernet/intel/e100.c > +++ b/drivers/net/ethernet/intel/e100.c > @@ -1741,11 +1741,8 @@ static int e100_xmit_prepare(struct nic *nic, struct cb *cb, > dma_addr = dma_map_single(&nic->pdev->dev, skb->data, skb->len, > DMA_TO_DEVICE); > /* If we can't map the skb, have the upper layer try later */ > - if (dma_mapping_error(&nic->pdev->dev, dma_addr)) { > - dev_kfree_skb_any(skb); > - skb = NULL; > + if (dma_mapping_error(&nic->pdev->dev, dma_addr)) > return -ENOMEM; > - } > > /* > * Use the last 4 bytes of the SKB payload packet as the CRC, used for I'm surprised the original patch that this essentially reverts was even accepted. Reviewed-by: Alexander Duyck <alexanderduyck@fb.com>
diff --git a/drivers/net/ethernet/intel/e100.c b/drivers/net/ethernet/intel/e100.c index 560d1d442232..d3fdc290937f 100644 --- a/drivers/net/ethernet/intel/e100.c +++ b/drivers/net/ethernet/intel/e100.c @@ -1741,11 +1741,8 @@ static int e100_xmit_prepare(struct nic *nic, struct cb *cb, dma_addr = dma_map_single(&nic->pdev->dev, skb->data, skb->len, DMA_TO_DEVICE); /* If we can't map the skb, have the upper layer try later */ - if (dma_mapping_error(&nic->pdev->dev, dma_addr)) { - dev_kfree_skb_any(skb); - skb = NULL; + if (dma_mapping_error(&nic->pdev->dev, dma_addr)) return -ENOMEM; - } /* * Use the last 4 bytes of the SKB payload packet as the CRC, used for