From patchwork Fri Apr 14 15:23:06 2023
X-Patchwork-Submitter: Ding Hui
X-Patchwork-Id: 83485
From: Ding Hui
To: davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, ecree.xilinx@gmail.com, habetsm.xilinx@gmail.com
Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org, pengdonglin@sangfor.com.cn, huangcun@sangfor.com.cn, Ding Hui
Subject: [PATCH net v2] sfc: Fix use-after-free due to selftest_work
Date: Fri, 14 Apr 2023 23:23:06 +0800
Message-Id: <20230414152306.18150-1-dinghui@sangfor.com.cn>
X-Mailer: git-send-email 2.17.1

There is a use-after-free scenario, which is: when the NIC is down and the user sets a MAC address or VLAN tag on a VF, xxx_set_vf_mac() or xxx_set_vf_vlan() will invoke efx_net_stop() and efx_net_open(). Since netif_running() is false, the port will not start and port_enabled stays false, but selftest_work is scheduled in efx_net_open().
If we remove the device before selftest_work runs, efx_stop_port() will not be called since the NIC is down, and then efx is freed; we will soon get a UAF in run_timer_softirq() like this:

[ 1178.907941] ==================================================================
[ 1178.907948] BUG: KASAN: use-after-free in run_timer_softirq+0xdea/0xe90
[ 1178.907950] Write of size 8 at addr ff11001f449cdc80 by task swapper/47/0
[ 1178.907950]
[ 1178.907953] CPU: 47 PID: 0 Comm: swapper/47 Kdump: loaded Tainted: G O --------- -t - 4.18.0 #1
[ 1178.907954] Hardware name: SANGFOR X620G40/WI2HG-208T1061A, BIOS SPYH051032-U01 04/01/2022
[ 1178.907955] Call Trace:
[ 1178.907956]
[ 1178.907960] dump_stack+0x71/0xab
[ 1178.907963] print_address_description+0x6b/0x290
[ 1178.907965] ? run_timer_softirq+0xdea/0xe90
[ 1178.907967] kasan_report+0x14a/0x2b0
[ 1178.907968] run_timer_softirq+0xdea/0xe90
[ 1178.907971] ? init_timer_key+0x170/0x170
[ 1178.907973] ? hrtimer_cancel+0x20/0x20
[ 1178.907976] ? sched_clock+0x5/0x10
[ 1178.907978] ? sched_clock_cpu+0x18/0x170
[ 1178.907981] __do_softirq+0x1c8/0x5fa
[ 1178.907985] irq_exit+0x213/0x240
[ 1178.907987] smp_apic_timer_interrupt+0xd0/0x330
[ 1178.907989] apic_timer_interrupt+0xf/0x20
[ 1178.907990]
[ 1178.907991] RIP: 0010:mwait_idle+0xae/0x370

If the NIC is not actually brought up, there is no need to schedule selftest_work, so let's move the invocation of efx_selftest_async_start() into efx_start_all(), and it will be canceled when the NIC is brought down.

Fixes: dd40781e3a4e ("sfc: Run event/IRQ self-test asynchronously when interface is brought up")
Fixes: e340be923012 ("sfc: add ndo_set_vf_mac() function for EF10")
Debugged-by: Huang Cun
Cc: Donglin Peng
Suggested-by: Martin Habets
Signed-off-by: Ding Hui
---
 drivers/net/ethernet/sfc/efx.c        | 1 -
 drivers/net/ethernet/sfc/efx_common.c | 2 ++
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/sfc/efx.c b/drivers/net/ethernet/sfc/efx.c index 884d8d168862..1eceffa02b55 100644 --- a/drivers/net/ethernet/sfc/efx.c +++ b/drivers/net/ethernet/sfc/efx.c @@ -541,7 +541,6 @@ int efx_net_open(struct net_device *net_dev) else efx->state = STATE_NET_UP; - efx_selftest_async_start(efx); return 0; } diff --git a/drivers/net/ethernet/sfc/efx_common.c b/drivers/net/ethernet/sfc/efx_common.c index cc30524c2fe4..361687de308d 100644 --- a/drivers/net/ethernet/sfc/efx_common.c +++ b/drivers/net/ethernet/sfc/efx_common.c @@ -544,6 +544,8 @@ void efx_start_all(struct efx_nic *efx) /* Start the hardware monitor if there is one */ efx_start_monitor(efx); + efx_selftest_async_start(efx); + /* Link state detection is normally event-driven; we have * to poll now because we could have missed a change */
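Review bot: In the efx.c hunk, dropping efx_selftest_async_start() from efx_net_open() is only safe if the matching efx_selftest_async_cancel() lives at the same level as the new start site; if the cancel is currently issued from efx_net_stop() rather than from efx_stop_all(), start and cancel would now be asymmetric and the work could again outlive a stop that skips efx_stop_all(). Please state in the commit message where the cancel happens, and consider a quick check that nothing else in efx_net_open() (the STATE_NET_UP assignment just above the removed line still runs) relies on the self-test having been queued.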
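Review bot: In the efx_common.c hunk, efx_start_all() is a common start path, so efx_selftest_async_start() will now be queued on every start, not only on ndo_open; if efx_start_all() is also reached from reset or resume handling, the self-test will be rescheduled after each of those events, which the commit message should say is intended. Placing the call next to efx_start_monitor() is reasonable since both are periodic/deferred work, but please confirm that efx_stop_all() cancels the self-test work before port_enabled is cleared, so the "cancelled when brought down" guarantee in the message holds for every caller of efx_start_all(), not just efx_net_stop().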
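The ordering bug the commit message describes (deferred work queued by a path that never enables the port, so the stop path that would cancel it is skipped and the work item outlives the freed object) is easy to lose track of in prose. The following is an added, constructed user-space model of that sequencing, not sfc driver code: the model_* and scenario_* names are invented for this illustration, and "work still pending at free time" stands in for the KASAN use-after-free that the real timer callback would trigger. It runs both the pre-patch and patched placement of the schedule call through the set_vf_mac()/set_vf_vlan() sequence and through a normal up/down cycle.

```c
/* Constructed model of the scheduling order described in the commit message.
 * It is NOT sfc driver code: the names below (model_*, scenario_*) are made up
 * for this illustration, and "work pending at free time" stands in for the
 * KASAN use-after-free that the real timer callback would trigger. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

enum model_state { MODEL_NET_DOWN, MODEL_NET_UP };

struct model_efx {
    enum model_state state;
    bool port_enabled;          /* set by start_all(), cleared by stop_all() */
    bool selftest_work_pending; /* delayed work queued against this object */
};

/* efx_start_all() analogue: brings the port up; with the patch applied it is
 * also the place where the async self-test is scheduled. */
static void model_start_all(struct model_efx *efx, bool patched)
{
    efx->port_enabled = true;
    if (patched)
        efx->selftest_work_pending = true;
}

/* efx_stop_all() analogue: a no-op when the port was never enabled, which is
 * exactly why a work item scheduled outside start_all() survives. */
static void model_stop_all(struct model_efx *efx)
{
    if (!efx->port_enabled)
        return;
    efx->selftest_work_pending = false; /* cancel the delayed work */
    efx->port_enabled = false;
}

/* efx_net_open() analogue: only starts the port when netif_running() is true;
 * before the patch it scheduled the self-test unconditionally. */
static void model_net_open(struct model_efx *efx, bool netif_running, bool patched)
{
    if (netif_running) {
        model_start_all(efx, patched);
        efx->state = MODEL_NET_UP;
    } else {
        efx->state = MODEL_NET_DOWN;
    }
    if (!patched)
        efx->selftest_work_pending = true; /* pre-patch placement */
}

static void model_net_stop(struct model_efx *efx)
{
    model_stop_all(efx);
    efx->state = MODEL_NET_DOWN;
}

/* Device removal: frees the object and reports whether a delayed work item was
 * still queued against it (the condition that becomes a UAF when it fires). */
static bool model_remove(struct model_efx *efx)
{
    bool dangling = efx->selftest_work_pending;
    free(efx);
    return dangling;
}

/* The sequence from the commit message: NIC down, a set_vf_mac()/set_vf_vlan()
 * style stop+open, then the device is removed before the work runs. */
bool scenario_set_vf_then_remove(bool patched)
{
    struct model_efx *efx = calloc(1, sizeof(*efx));
    if (!efx)
        return false;
    model_net_stop(efx);                 /* nothing to stop: port never enabled */
    model_net_open(efx, false, patched); /* netif_running() == false */
    return model_remove(efx);
}

/* Sanity check: a normal up/down cycle cancels the work in both variants. */
bool scenario_up_down_then_remove(bool patched)
{
    struct model_efx *efx = calloc(1, sizeof(*efx));
    if (!efx)
        return false;
    model_net_open(efx, true, patched);
    model_net_stop(efx);
    return model_remove(efx);
}

int main(void)
{
    printf("set_vf then remove, pre-patch : dangling=%d\n", scenario_set_vf_then_remove(false));
    printf("set_vf then remove, patched   : dangling=%d\n", scenario_set_vf_then_remove(true));
    printf("up/down then remove, pre-patch: dangling=%d\n", scenario_up_down_then_remove(false));
    printf("up/down then remove, patched  : dangling=%d\n", scenario_up_down_then_remove(true));
    return 0;
}
```

The model only tracks the three pieces of state the commit message reasons about (port_enabled, the NIC state, and whether the delayed work is queued), so it shows why moving the schedule call into the same function that sets port_enabled makes start and cancel symmetric: the work can only be queued on a path whose stop counterpart will run.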