Message ID | 20230414152306.18150-1-dinghui@sangfor.com.cn
---|---
State | New
Series | [net,v2] sfc: Fix use-after-free due to selftest_work
Commit Message
Ding Hui
April 14, 2023, 3:23 p.m. UTC
There is a use-after-free scenario, as follows:

When the NIC is down and the user sets a MAC address or VLAN tag on a VF,
xxx_set_vf_mac() or xxx_set_vf_vlan() will invoke efx_net_stop()
and efx_net_open(). Since netif_running() is false, the port will not
start and port_enabled is kept false, but selftest_work is scheduled
in efx_net_open().

If we remove the device before selftest_work runs, efx_stop_port()
will not be called since the NIC is down, and then efx is freed;
we will soon get a UAF in run_timer_softirq() like this:
[ 1178.907941] ==================================================================
[ 1178.907948] BUG: KASAN: use-after-free in run_timer_softirq+0xdea/0xe90
[ 1178.907950] Write of size 8 at addr ff11001f449cdc80 by task swapper/47/0
[ 1178.907950]
[ 1178.907953] CPU: 47 PID: 0 Comm: swapper/47 Kdump: loaded Tainted: G O --------- -t - 4.18.0 #1
[ 1178.907954] Hardware name: SANGFOR X620G40/WI2HG-208T1061A, BIOS SPYH051032-U01 04/01/2022
[ 1178.907955] Call Trace:
[ 1178.907956] <IRQ>
[ 1178.907960] dump_stack+0x71/0xab
[ 1178.907963] print_address_description+0x6b/0x290
[ 1178.907965] ? run_timer_softirq+0xdea/0xe90
[ 1178.907967] kasan_report+0x14a/0x2b0
[ 1178.907968] run_timer_softirq+0xdea/0xe90
[ 1178.907971] ? init_timer_key+0x170/0x170
[ 1178.907973] ? hrtimer_cancel+0x20/0x20
[ 1178.907976] ? sched_clock+0x5/0x10
[ 1178.907978] ? sched_clock_cpu+0x18/0x170
[ 1178.907981] __do_softirq+0x1c8/0x5fa
[ 1178.907985] irq_exit+0x213/0x240
[ 1178.907987] smp_apic_timer_interrupt+0xd0/0x330
[ 1178.907989] apic_timer_interrupt+0xf/0x20
[ 1178.907990] </IRQ>
[ 1178.907991] RIP: 0010:mwait_idle+0xae/0x370
If the NIC is not actually brought up, there is no need to schedule
selftest_work, so let's move the invocation of efx_selftest_async_start()
into efx_start_all(), and it will be canceled when the NIC is brought down.
Fixes: dd40781e3a4e ("sfc: Run event/IRQ self-test asynchronously when interface is brought up")
Fixes: e340be923012 ("sfc: add ndo_set_vf_mac() function for EF10")
Debugged-by: Huang Cun <huangcun@sangfor.com.cn>
Cc: Donglin Peng <pengdonglin@sangfor.com.cn>
Suggested-by: Martin Habets <habetsm.xilinx@gmail.com>
Signed-off-by: Ding Hui <dinghui@sangfor.com.cn>
---
drivers/net/ethernet/sfc/efx.c | 1 -
drivers/net/ethernet/sfc/efx_common.c | 2 ++
2 files changed, 2 insertions(+), 1 deletion(-)
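As an added illustration (not the sfc driver's code, and not part of this patch), the following C model reduces the lifecycle described in the commit message to a handful of functions and a one-slot stand-in for the kernel's delayed work queue. `start_all`, `stop_all`, `net_open`, `set_vf_mac` and `remove_device` are constructed counterparts of the driver functions the message names, and the `fixed` flag selects whether the self-test is scheduled unconditionally in the open path (before the patch) or inside `start_all` (after). `leaves_dangling_work()` replays the reported sequence (NIC down, VF MAC set, device removed before the work runs) and reports whether a queued work item still refers to the freed device; `selftest_scheduled_when_up()` checks that the ordinary up/down path still schedules and cancels the self-test either way.

```c
/* Constructed model for illustration only: not sfc driver code. It reduces the
 * lifecycle in the commit message to plain C so the ordering bug is visible. */
#include <stdbool.h>
#include <stdlib.h>

struct nic {
	unsigned id;          /* stable identity that survives free() */
	bool netif_running;   /* admin state: has the user brought it up? */
	bool port_enabled;    /* set by start_all(), cleared by stop_all() */
};

/* One-slot stand-in for the kernel's delayed work queue. */
static struct { bool pending; unsigned owner_id; } g_work;
static unsigned next_id = 1;

static void selftest_async_start(struct nic *efx)
{
	g_work.pending = true;
	g_work.owner_id = efx->id;
}

static void selftest_async_cancel(struct nic *efx)
{
	if (g_work.pending && g_work.owner_id == efx->id)
		g_work.pending = false;
}

/* As in the commit message, the port starts only when netif_running().
 * With fixed == true the self-test is scheduled here (after the patch). */
static void start_all(struct nic *efx, bool fixed)
{
	if (efx->port_enabled || !efx->netif_running)
		return;
	efx->port_enabled = true;
	if (fixed)
		selftest_async_start(efx);
}

/* Cancel is on the stop side, which is skipped if the port never started. */
static void stop_all(struct nic *efx)
{
	if (!efx->port_enabled)
		return;
	selftest_async_cancel(efx);
	efx->port_enabled = false;
}

static void net_open(struct nic *efx, bool fixed)
{
	start_all(efx, fixed);
	if (!fixed)
		selftest_async_start(efx);   /* before the patch: unconditional */
}

/* Counterpart of xxx_set_vf_mac(): bounce the interface to apply it. */
static void set_vf_mac(struct nic *efx, bool fixed)
{
	stop_all(efx);
	net_open(efx, fixed);
}

static void remove_device(struct nic *efx)
{
	if (efx->netif_running)
		stop_all(efx);
	free(efx);
}

static struct nic *new_nic(bool running)
{
	struct nic *efx = calloc(1, sizeof(*efx));
	if (!efx)
		abort();
	efx->id = next_id++;
	efx->netif_running = running;
	g_work.pending = false;
	return efx;
}

/* Replays the reported sequence: NIC down, VF MAC set, device removed before
 * selftest_work runs. True means queued work still refers to the freed nic. */
static bool leaves_dangling_work(bool fixed)
{
	struct nic *efx = new_nic(false);
	unsigned id = efx->id;
	set_vf_mac(efx, fixed);
	remove_device(efx);
	return g_work.pending && g_work.owner_id == id;
}

/* Normal path: interface up, so start_all() runs and stop_all() cancels;
 * the self-test must be scheduled and then cancelled before and after. */
static bool selftest_scheduled_when_up(bool fixed)
{
	struct nic *efx = new_nic(true);
	net_open(efx, fixed);
	bool scheduled = g_work.pending;
	remove_device(efx);
	return scheduled && !g_work.pending;
}
```

The model deliberately keeps the cancel on the stop side, as the driver does, so the only thing that changes between the two variants is where the schedule happens; that is enough to turn the dangling-work result from true to false while the normal up/down path behaves identically.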
Comments
Hello:

This patch was applied to netdev/net.git (main)
by David S. Miller <davem@davemloft.net>:

On Fri, 14 Apr 2023 23:23:06 +0800 you wrote:
> There is a use-after-free scenario that is:
>
> When the NIC is down, user set mac address or vlan tag to VF,
> the xxx_set_vf_mac() or xxx_set_vf_vlan() will invoke efx_net_stop()
> and efx_net_open(), since netif_running() is false, the port will not
> start and keep port_enabled false, but selftest_work is scheduled
> in efx_net_open().
>
> [...]

Here is the summary with links:
  - [net,v2] sfc: Fix use-after-free due to selftest_work
    https://git.kernel.org/netdev/net/c/a80bb8e7233b

You are awesome, thank you!
diff --git a/drivers/net/ethernet/sfc/efx.c b/drivers/net/ethernet/sfc/efx.c index 884d8d168862..1eceffa02b55 100644 --- a/drivers/net/ethernet/sfc/efx.c +++ b/drivers/net/ethernet/sfc/efx.c @@ -541,7 +541,6 @@ int efx_net_open(struct net_device *net_dev) else efx->state = STATE_NET_UP; - efx_selftest_async_start(efx); return 0; } diff --git a/drivers/net/ethernet/sfc/efx_common.c b/drivers/net/ethernet/sfc/efx_common.c index cc30524c2fe4..361687de308d 100644 --- a/drivers/net/ethernet/sfc/efx_common.c +++ b/drivers/net/ethernet/sfc/efx_common.c @@ -544,6 +544,8 @@ void efx_start_all(struct efx_nic *efx) /* Start the hardware monitor if there is one */ efx_start_monitor(efx); + efx_selftest_async_start(efx); + /* Link state detection is normally event-driven; we have * to poll now because we could have missed a change */
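Review bot: in the efx.c hunk, once `efx_selftest_async_start(efx);` is removed from efx_net_open(), the only remaining visible statement before `return 0;` is the `else efx->state = STATE_NET_UP;` branch, and nothing in this function records that scheduling has moved elsewhere; a one-line comment at that point (or a sentence in the commit message) noting that the self-test is now started from efx_start_all(), so it only runs when the port actually starts, would keep the open path self-explanatory for the next reader.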
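Review bot: in the efx_common.c hunk, the new `efx_selftest_async_start(efx);` lands between the commented `efx_start_monitor(efx);` call and the commented link-state poll but carries no comment of its own, unlike its neighbours; a short comment such as `/* Schedule the async self-test; cancelled when the port is stopped */` would match the surrounding style and document the start/cancel pairing the commit message relies on. Separately, efx_start_all() is a general start routine: if it is reached from paths other than efx_net_open() (a reset, for example), the self-test will now be scheduled on each of those as well, which the commit message should either confirm as intended or rule out.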