From: Peng Li
Subject: [PATCH net-next 14/23] {topost} net: hns3: fix for use-after-free when setting ring parameter
Date: Thu, 8 Mar 2018 11:06:39 +0800
Message-ID: <1520478408-116992-15-git-send-email-lipeng321@huawei.com>
In-Reply-To: <1520478408-116992-1-git-send-email-lipeng321@huawei.com>
References: <1520478408-116992-1-git-send-email-lipeng321@huawei.com>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Yunsheng Lin

In hns3_set_ringparam, hns3_uninit_all_ring frees the memory pointed to by priv->ring_data[i].ring, and hns3_change_all_ring_bd_num uses that pointer without mallocing, which will cause a use-after-free problem. The patch fixes it by not freeing the memory in hns3_uninit_all_ring, and uses hns3_put_ring_config to free it when necessary.

Signed-off-by: Yunsheng Lin
Signed-off-by: Peng Li
---
 drivers/net/ethernet/hisilicon/hns3/hns3_enet.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c index f50245d..2bed73e 100644 --- a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c +++ b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c @@ -2955,13 +2955,8 @@ int hns3_uninit_all_ring(struct hns3_nic_priv *priv) h->ae_algo->ops->reset_queue(h, i); hns3_fini_ring(priv->ring_data[i].ring); - devm_kfree(priv->dev, priv->ring_data[i].ring); hns3_fini_ring(priv->ring_data[i + h->kinfo.num_tqps].ring); - devm_kfree(priv->dev, - priv->ring_data[i + h->kinfo.num_tqps].ring); } - devm_kfree(priv->dev, priv->ring_data); - return 0; } @@ -3099,6 +3094,8 @@ static void hns3_client_uninit(struct hnae3_handle *handle, bool reset) if (ret) netdev_err(netdev, "uninit ring error\n"); + hns3_put_ring_config(priv); + priv->ring_data = NULL; free_netdev(netdev); @@ -3304,6 +3301,8 @@ static int hns3_reset_notify_uninit_enet(struct hnae3_handle *handle) if (ret) netdev_err(netdev, "uninit ring error\n"); + hns3_put_ring_config(priv); + priv->ring_data = NULL; return ret; @@ -3421,6 +3420,7 @@ int hns3_set_channels(struct net_device *netdev, } hns3_uninit_all_ring(priv); + hns3_put_ring_config(priv); org_tqp_num = h->kinfo.num_tqps; ret = hns3_modify_tqp_num(netdev, new_tqp_num); -- 2.9.3
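
Review bot: In the hns3_uninit_all_ring hunk (@@ -2955), the ownership rule this patch introduces is not documented: with the three devm_kfree calls gone, the function only runs hns3_fini_ring on each ring and leaves priv->ring_data and the ring structures allocated, so every caller that does not intend to reuse them must now follow up with hns3_put_ring_config. Please add a short comment above hns3_uninit_all_ring saying so. The hns3_set_ringparam path named in the commit message is not touched by any hunk and depends entirely on the rings surviving this call, so a future caller that "restores" the frees here would silently bring the use-after-free back.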
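
Review bot: In hns3_client_uninit (@@ -3099), and in the same shape in hns3_reset_notify_uninit_enet (@@ -3304), the added hns3_put_ring_config(priv) sits directly above the existing priv->ring_data = NULL, which makes the free and the pointer reset two separate steps that each call site has to remember. Consider clearing priv->ring_data inside hns3_put_ring_config itself, so the pointer cannot outlive the allocation regardless of which caller releases it. Both sites also call it after the "uninit ring error" branch without looking at ret; that is reasonable for teardown, but a one-line comment that the release is intentionally unconditional would save the next reader the question.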
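
Review bot: In the hns3_set_channels hunk (@@ -3421), hns3_put_ring_config(priv) is added without the priv->ring_data = NULL that follows it at the other two call sites, so, going by the commit message's statement that hns3_put_ring_config frees the ring memory, priv->ring_data is a stale pointer from this line until something reassigns it. The next visible statement is ret = hns3_modify_tqp_num(netdev, new_tqp_num), and the hunk does not show what happens to ring_data if that call fails. Set the pointer to NULL here (or inside hns3_put_ring_config) so that a failure or an early return on this path cannot leave a dangling reference of the same kind this patch is fixing.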