From: Jia-Ju Bai
To: davem@davemloft.net, yanjun.zhu@oracle.com, keescook@chromium.org
Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Jia-Ju Bai
Subject: [PATCH] net: nvidia: forcedeth: Fix two possible concurrency use-after-free bugs
Date: Tue, 8 Jan 2019 20:45:18 +0800
Message-Id: <20190108124518.21986-1-baijiaju1990@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org

In drivers/net/ethernet/nvidia/forcedeth.c, the functions nv_start_xmit()
and nv_start_xmit_optimized() can be concurrently executed with
nv_poll_controller().

nv_start_xmit
  line 2321: prev_tx_ctx->skb = skb;

nv_start_xmit_optimized
  line 2479: prev_tx_ctx->skb = skb;

nv_poll_controller
  nv_do_nic_poll
    line 4134: spin_lock(&np->lock);
    nv_drain_rxtx
      nv_drain_tx
        nv_release_txskb
          line 2004: dev_kfree_skb_any(tx_skb->skb);

Thus, two possible concurrency use-after-free bugs may occur.

To fix these possible bugs, the calls to spin_lock_irqsave() in
nv_start_xmit() and nv_start_xmit_optimized() are moved to the front of
"prev_tx_ctx->skb = skb;"

Signed-off-by: Jia-Ju Bai
---
 drivers/net/ethernet/nvidia/forcedeth.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/net/ethernet/nvidia/forcedeth.c b/drivers/net/ethernet/nvidia/forcedeth.c index 1d9b0d44ddb6..48fa5a0bd2cb 100644 --- a/drivers/net/ethernet/nvidia/forcedeth.c +++ b/drivers/net/ethernet/nvidia/forcedeth.c @@ -2317,6 +2317,8 @@ static netdev_tx_t nv_start_xmit(struct sk_buff *skb, struct net_device *dev) /* set last fragment flag */ prev_tx->flaglen |= cpu_to_le32(tx_flags_extra); + spin_lock_irqsave(&np->lock, flags); + /* save skb in this slot's context area */ prev_tx_ctx->skb = skb; @@ -2326,8 +2328,6 @@ static netdev_tx_t nv_start_xmit(struct sk_buff *skb, struct net_device *dev) tx_flags_extra = skb->ip_summed == CHECKSUM_PARTIAL ? NV_TX2_CHECKSUM_L3 | NV_TX2_CHECKSUM_L4 : 0; - spin_lock_irqsave(&np->lock, flags); - /* set tx flags */ start_tx->flaglen |= cpu_to_le32(tx_flags | tx_flags_extra); @@ -2475,6 +2475,8 @@ static netdev_tx_t nv_start_xmit_optimized(struct sk_buff *skb, /* set last fragment flag */ prev_tx->flaglen |= cpu_to_le32(NV_TX2_LASTPACKET); + spin_lock_irqsave(&np->lock, flags); + /* save skb in this slot's context area */ prev_tx_ctx->skb = skb; @@ -2491,8 +2493,6 @@ static netdev_tx_t nv_start_xmit_optimized(struct sk_buff *skb, else start_tx->txvlan = 0; - spin_lock_irqsave(&np->lock, flags); - if (np->tx_limit) { /* Limit the number of outstanding tx. Setup all fragments, but * do not set the VALID bit on the first descriptor. Save a pointer -- 2.17.0
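Review bot: In the first nv_start_xmit() hunk (@@ -2317), moving spin_lock_irqsave() up to just before `prev_tx_ctx->skb = skb;` protects only that one store; the descriptor write two lines earlier in the same hunk, `prev_tx->flaglen |= cpu_to_le32(tx_flags_extra);`, and the per-fragment ring setup that precedes it still run outside np->lock. If nv_drain_tx() can really run concurrently with this function, as the commit message argues, those unlocked writes to the same ring slots are exposed in exactly the same way, so the commit message should explain why the skb pointer is the only field that needs the lock, or the lock should be taken before the ring fill begins. It would also help to state whether nv_do_nic_poll() reaches nv_drain_tx() while holding the netdev tx lock: ndo_start_xmit() is called with the tx queue lock held unless the driver sets NETIF_F_LLTX, and if the two paths are already serialized by that lock, this patch changes only the length of the critical section and the "use-after-free" wording is too strong.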
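Review bot: In the second nv_start_xmit() hunk (@@ -2326), removing the old spin_lock_irqsave() here means the checksum-flag computation `tx_flags_extra = skb->ip_summed == CHECKSUM_PARTIAL ? NV_TX2_CHECKSUM_L3 | NV_TX2_CHECKSUM_L4 : 0;` now executes with np->lock held and interrupts disabled. That is harmless, but it widens the critical section and the commit message does not mention it; a one-line note that the lock now also covers the checksum flag setup would make the change easier to review. Since that read of skb->ip_summed dereferences the very skb the commit message says nv_release_txskb() may free, the message should also confirm that no later use of `skb` in this function happens after the lock is dropped, because the same reasoning would apply there.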
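Review bot: The first nv_start_xmit_optimized() hunk (@@ -2475) has the same shape as the nv_start_xmit() one: the lock now precedes `prev_tx_ctx->skb = skb;` but `prev_tx->flaglen |= cpu_to_le32(NV_TX2_LASTPACKET);` immediately above it still writes the descriptor unlocked. Because both functions receive the identical treatment, state the justification once in the commit message and name both call sites by function rather than only by line number (2321 and 2479), since those numbers go stale as the file changes.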
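Review bot: In the second nv_start_xmit_optimized() hunk (@@ -2491), the removed lock sat directly before the `if (np->tx_limit)` block, so after this change the VLAN descriptor setup (`start_tx->txvlan = 0;` and its else branch) runs under np->lock as well. That is consistent with the skb store being protected, but the two transmit functions now hold the lock across somewhat different amounts of work; a brief comment at the new lock site saying what np->lock guards here (the ring slot contents as seen by nv_drain_tx()) would make the intended invariant explicit for the next reader.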