2021-12-10 13:14:22

by Guangbin Huang

Subject: [PATCH net 0/2] net: hns3: add some fixes for -net

This series adds some fixes for the HNS3 ethernet driver.

Jie Wang (1):
net: hns3: fix use-after-free bug in hclgevf_send_mbx_msg

Yufeng Mo (1):
net: hns3: fix race condition in debugfs

drivers/net/ethernet/hisilicon/hns3/hnae3.h | 2 ++
.../ethernet/hisilicon/hns3/hns3_debugfs.c | 20 +++++++++++++------
.../hisilicon/hns3/hns3vf/hclgevf_mbx.c | 3 ++-
3 files changed, 18 insertions(+), 7 deletions(-)

--
2.33.0



2021-12-10 13:14:24

by Guangbin Huang

Subject: [PATCH net 1/2] net: hns3: fix use-after-free bug in hclgevf_send_mbx_msg

From: Jie Wang <[email protected]>

Currently, the hns3_remove function first uninstalls the client instance,
and then uninstalls the acceleration engine device. The netdevice is freed in
the client instance uninstall process, but the acceleration engine device
uninstall process still uses it to trace runtime information. This causes a
use-after-free problem.

So fix it by checking the instance register state to avoid the use after free.

Fixes: d8355240cf8f ("net: hns3: add trace event support for PF/VF mailbox")
Signed-off-by: Jie Wang <[email protected]>
Signed-off-by: Guangbin Huang <[email protected]>
---
drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_mbx.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_mbx.c b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_mbx.c
index fdc66fae0960..c5ac6ecf36e1 100644
--- a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_mbx.c
+++ b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_mbx.c
@@ -114,7 +114,8 @@ int hclgevf_send_mbx_msg(struct hclgevf_dev *hdev,

memcpy(&req->msg, send_msg, sizeof(struct hclge_vf_to_pf_msg));

- trace_hclge_vf_mbx_send(hdev, req);
+ if (test_bit(HCLGEVF_STATE_NIC_REGISTERED, &hdev->state))
+ trace_hclge_vf_mbx_send(hdev, req);

/* synchronous send */
if (need_resp) {
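
Review bot: the `test_bit(HCLGEVF_STATE_NIC_REGISTERED, &hdev->state)` check and the `trace_hclge_vf_mbx_send(hdev, req)` call that follows it form a check-then-use pair with no lock visible in this hunk, so the fix only holds if the remove path clears the bit before the netdevice is freed and cannot do so between these two lines. Please state in the commit message, or in a comment above the check, what orders the bit clear against this function; if nothing does, the window is narrowed rather than closed.
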
--
2.33.0


2021-12-10 13:14:25

by Guangbin Huang

Subject: [PATCH net 2/2] net: hns3: fix race condition in debugfs

From: Yufeng Mo <[email protected]>

When multiple threads concurrently access the debugfs content, data
and pointer exceptions may occur. Therefore, mutex lock protection is
added for debugfs.

Fixes: 5e69ea7ee2a6 ("net: hns3: refactor the debugfs process")
Signed-off-by: Yufeng Mo <[email protected]>
Signed-off-by: Guangbin Huang <[email protected]>
---
drivers/net/ethernet/hisilicon/hns3/hnae3.h | 2 ++
.../ethernet/hisilicon/hns3/hns3_debugfs.c | 20 +++++++++++++------
2 files changed, 16 insertions(+), 6 deletions(-)

diff --git a/drivers/net/ethernet/hisilicon/hns3/hnae3.h b/drivers/net/ethernet/hisilicon/hns3/hnae3.h
index 3f7a9a4c59d5..63f5abcc6bf4 100644
--- a/drivers/net/ethernet/hisilicon/hns3/hnae3.h
+++ b/drivers/net/ethernet/hisilicon/hns3/hnae3.h
@@ -839,6 +839,8 @@ struct hnae3_handle {

u8 netdev_flags;
struct dentry *hnae3_dbgfs;
+ /* protects concurrent contention between debugfs commands */
+ struct mutex dbgfs_lock;

/* Network interface message level enabled bits */
u32 msg_enable;
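
Review bot: the comment on `dbgfs_lock` says it protects "concurrent contention between debugfs commands" but does not name the data it guards. The lock is taken around the saved read buffer in hns3_dbg_read(), so name that state in the comment to make the locking rule clear to anyone touching the buffer later.
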
diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c b/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c
index 081295bff765..c381f8af67f0 100644
--- a/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c
+++ b/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c
@@ -1226,6 +1226,7 @@ static ssize_t hns3_dbg_read(struct file *filp, char __user *buffer,
if (ret)
return ret;

+ mutex_lock(&handle->dbgfs_lock);
save_buf = &hns3_dbg_cmd[index].buf;

if (!test_bit(HNS3_NIC_STATE_INITED, &priv->state) ||
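
Review bot: `mutex_lock(&handle->dbgfs_lock)` takes a per-handle lock, but the pointer it is meant to protect, `&hns3_dbg_cmd[index].buf`, is selected by `index` alone and not by handle. If hns3_dbg_cmd is shared by every handle, two readers on different handles still reach the same `buf` under different mutexes; either move the saved buffer into per-handle state or use one lock with the same scope as the table. Also confirm that the `test_bit(HNS3_NIC_STATE_INITED, ...)` branch right after the lock leaves through `out`, since a direct return there would now leave the mutex held.
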
@@ -1238,15 +1239,15 @@ static ssize_t hns3_dbg_read(struct file *filp, char __user *buffer,
read_buf = *save_buf;
} else {
read_buf = kvzalloc(hns3_dbg_cmd[index].buf_len, GFP_KERNEL);
- if (!read_buf)
- return -ENOMEM;
+ if (!read_buf) {
+ ret = -ENOMEM;
+ goto out;
+ }

/* save the buffer addr until the last read operation */
*save_buf = read_buf;
- }

- /* get data ready for the first time to read */
- if (!*ppos) {
+ /* get data ready for the first time to read */
ret = hns3_dbg_read_cmd(dbg_data, hns3_dbg_cmd[index].cmd,
read_buf, hns3_dbg_cmd[index].buf_len);
if (ret)
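
Review bot: dropping the `if (!*ppos)` test and moving the hns3_dbg_read_cmd() call into the allocation branch changes when the data is fetched: it now happens only when a new buffer is allocated, not whenever the offset is zero. The commit message mentions only the added mutex, so please describe this change there or split it into its own patch, and confirm that a read at offset 0 with a saved buffer still present is meant to return the old contents.
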
@@ -1255,8 +1256,10 @@ static ssize_t hns3_dbg_read(struct file *filp, char __user *buffer,

size = simple_read_from_buffer(buffer, count, ppos, read_buf,
strlen(read_buf));
- if (size > 0)
+ if (size > 0) {
+ mutex_unlock(&handle->dbgfs_lock);
return size;
+ }

out:
/* free the buffer for the last read operation */
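
Review bot: the `if (size > 0)` branch now carries its own `mutex_unlock(&handle->dbgfs_lock)` before `return size`, which gives the function two unlock sites. A single exit that sets `ret = size` and jumps to a label placed after the buffer-free code would keep lock and unlock paired in one place and make a missed unlock on a future return path less likely.
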
@@ -1265,6 +1268,7 @@ static ssize_t hns3_dbg_read(struct file *filp, char __user *buffer,
*save_buf = NULL;
}

+ mutex_unlock(&handle->dbgfs_lock);
return ret;
}

@@ -1337,6 +1341,8 @@ int hns3_dbg_init(struct hnae3_handle *handle)
debugfs_create_dir(hns3_dbg_dentry[i].name,
handle->hnae3_dbgfs);

+ mutex_init(&handle->dbgfs_lock);
+
for (i = 0; i < ARRAY_SIZE(hns3_dbg_cmd); i++) {
if ((hns3_dbg_cmd[i].cmd == HNAE3_DBG_CMD_TM_NODES &&
ae_dev->dev_version <= HNAE3_DEVICE_VERSION_V2) ||
@@ -1363,6 +1369,7 @@ int hns3_dbg_init(struct hnae3_handle *handle)
return 0;

out:
+ mutex_destroy(&handle->dbgfs_lock);
debugfs_remove_recursive(handle->hnae3_dbgfs);
handle->hnae3_dbgfs = NULL;
return ret;
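
Review bot: in the `out:` error path `mutex_destroy(&handle->dbgfs_lock)` runs before `debugfs_remove_recursive(handle->hnae3_dbgfs)`. Files created by earlier loop iterations can already be open at this point, so a reader may be inside hns3_dbg_read() taking the mutex while it is destroyed; remove the debugfs tree first, then destroy the lock.
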
@@ -1378,6 +1385,7 @@ void hns3_dbg_uninit(struct hnae3_handle *handle)
hns3_dbg_cmd[i].buf = NULL;
}

+ mutex_destroy(&handle->dbgfs_lock);
debugfs_remove_recursive(handle->hnae3_dbgfs);
handle->hnae3_dbgfs = NULL;
}
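
Review bot: hns3_dbg_uninit() clears `hns3_dbg_cmd[i].buf = NULL` without holding `dbgfs_lock`, and `mutex_destroy()` is called ahead of `debugfs_remove_recursive()`, so a read still in flight can race with the very teardown this lock was added to serialise. Take the lock around the buffer cleanup, or remove the debugfs entries first so that no reader can be active, and destroy the mutex last.
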
--
2.33.0


2021-12-12 16:30:14

by patchwork-bot+netdevbpf

Subject: Re: [PATCH net 0/2] net: hns3: add some fixes for -net

Hello:

This series was applied to netdev/net.git (master)
by David S. Miller <[email protected]>:

On Fri, 10 Dec 2021 21:09:32 +0800 you wrote:
> This series adds some fixes for the HNS3 ethernet driver.
>
> Jie Wang (1):
> net: hns3: fix use-after-free bug in hclgevf_send_mbx_msg
>
> Yufeng Mo (1):
> net: hns3: fix race condition in debugfs
>
> [...]

Here is the summary with links:
- [net,1/2] net: hns3: fix use-after-free bug in hclgevf_send_mbx_msg
https://git.kernel.org/netdev/net/c/27cbf64a766e
- [net,2/2] net: hns3: fix race condition in debugfs
https://git.kernel.org/netdev/net/c/6dde452bceca

You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html