Received: by 10.223.185.82 with SMTP id b18csp15004wrg; Thu, 8 Mar 2018 18:09:09 -0800 (PST) X-Google-Smtp-Source: AG47ELu2296vD4AKQWJ2yjkDRutg7/OBk+TM6cUPA1o3dGbVcPccUqERufl3ZRN9qeuwbRyxb7yR X-Received: by 10.101.93.82 with SMTP id e18mr22606714pgt.371.1520561349065; Thu, 08 Mar 2018 18:09:09 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1520561349; cv=none; d=google.com; s=arc-20160816; b=BqnXke5TIhOgV7ESlqV4TsNvMaCNmXs2a2/H4O6Gwi68CfbAMBXT47Gts9Vx8610mb 1NuWFcD1KlAfGO2QjZMJGSRJGKuORArFb2EN9rDDRdyEGE74MZL5n74Jkl9PltIXEPAo miENraawjS68e13uIXKKEvGipTnSMADfhVUfgv0xcgyWM3mFFvZehO+W9AaRW+anb2bR Ag/POY3BAVxcHRe3tyGWC/qdEpp0jXIeyNBzrGF0b7u5Cyiqr+uJ3WLMg4O91nChpDvY 9dTPJ7CorRlMxBToNvuRLsRo8WiOkUst+jKALDVLS1WKQVAxM3BZxLw66iRZM6zLn3QC z4DQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:arc-authentication-results; bh=iGhPwnZe01WJuh3gct8s2a2lT3MEOv1ghySaQFsDVGo=; b=JpQealtr3qBFO3StiVbzq8I/IGvz6WYpb+PtDPBIKZFG+v/wpn1mk8GqXq4mgioneU MENXkq1pUCziGiaRFXsxRoJBoEmY1MwiJiTdGKcURsBbccvLYfHQqOENBSOu4hWU++nK QG3MPehH+SClHA47g9q/Uf3sbNClrdF3ET09hxIhmDD4VdrgsOku/yTiyhgF4wnpMwSc afYYi2B6jzHMKTaZLDDeVV8qbbC44eaD0XfSnL5gNFQR8Y4iydpcsi+yZEBR77YUaBhT PyzLn7DkEf7hossq5LLeWx5kaP8tlsY3/QqHPxOZMb8KzSiTfHsEB2ZK86ukCxtEs9ql wtSA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id b8si6679603pgt.710.2018.03.08.18.08.54; Thu, 08 Mar 2018 18:09:09 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751599AbeCICHR (ORCPT + 99 others); Thu, 8 Mar 2018 21:07:17 -0500 Received: from szxga06-in.huawei.com ([45.249.212.32]:38061 "EHLO huawei.com" rhost-flags-OK-FAIL-OK-FAIL) by vger.kernel.org with ESMTP id S1750996AbeCICFE (ORCPT ); Thu, 8 Mar 2018 21:05:04 -0500 Received: from DGGEMS406-HUB.china.huawei.com (unknown [172.30.72.58]) by Forcepoint Email with ESMTP id D598228C9724C; Fri, 9 Mar 2018 10:04:49 +0800 (CST) Received: from linux-ioko.site (10.71.200.31) by DGGEMS406-HUB.china.huawei.com (10.3.19.206) with Microsoft SMTP Server id 14.3.361.1; Fri, 9 Mar 2018 10:04:43 +0800 From: Peng Li To: CC: , , , , Subject: [PATCH net-next 5/9] net: hns3: fix for use-after-free when setting ring parameter Date: Fri, 9 Mar 2018 10:37:00 +0800 Message-ID: <1520563024-94811-6-git-send-email-lipeng321@huawei.com> X-Mailer: git-send-email 1.9.1 In-Reply-To: <1520563024-94811-1-git-send-email-lipeng321@huawei.com> References: <1520563024-94811-1-git-send-email-lipeng321@huawei.com> MIME-Version: 1.0 Content-Type: text/plain X-Originating-IP: [10.71.200.31] X-CFilter-Loop: Reflected Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Yunsheng Lin In hns3_set_ringparam, hns3_uninit_all_ring frees the memory pointed by priv->ring_data[i].ring, and hns3_change_all_ring_bd_num use that pointer without mallocing, which will cause a use-after-free problem. The patch fixes it by not freeing the memory in hns3_uninit_all_ring, and uses hns3_put_ring_config to free it when necessary. Signed-off-by: Yunsheng Lin Signed-off-by: Peng Li --- drivers/net/ethernet/hisilicon/hns3/hns3_enet.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c index c936945..e0ab161 100644 --- a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c +++ b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c @@ -2967,13 +2967,8 @@ int hns3_uninit_all_ring(struct hns3_nic_priv *priv) h->ae_algo->ops->reset_queue(h, i); hns3_fini_ring(priv->ring_data[i].ring); - devm_kfree(priv->dev, priv->ring_data[i].ring); hns3_fini_ring(priv->ring_data[i + h->kinfo.num_tqps].ring); - devm_kfree(priv->dev, - priv->ring_data[i + h->kinfo.num_tqps].ring); } - devm_kfree(priv->dev, priv->ring_data); - return 0; } @@ -3111,6 +3106,8 @@ static void hns3_client_uninit(struct hnae3_handle *handle, bool reset) if (ret) netdev_err(netdev, "uninit ring error\n"); + hns3_put_ring_config(priv); + priv->ring_data = NULL; free_netdev(netdev); @@ -3316,6 +3313,8 @@ static int hns3_reset_notify_uninit_enet(struct hnae3_handle *handle) if (ret) netdev_err(netdev, "uninit ring error\n"); + hns3_put_ring_config(priv); + priv->ring_data = NULL; return ret; @@ -3422,6 +3421,7 @@ int hns3_set_channels(struct net_device *netdev, } hns3_uninit_all_ring(priv); + hns3_put_ring_config(priv); org_tqp_num = h->kinfo.num_tqps; ret = hns3_modify_tqp_num(netdev, new_tqp_num); -- 2.9.3