Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp263522imu; Tue, 8 Jan 2019 19:24:36 -0800 (PST) X-Google-Smtp-Source: ALg8bN5e/yIo08mkqVoyzh6KgKuICmkzSi06w2XESSQI3H3KmpX+gS3CjmFhKqyQnmgysHOJxitt X-Received: by 2002:a65:6148:: with SMTP id o8mr3868175pgv.451.1547004276683; Tue, 08 Jan 2019 19:24:36 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1547004276; cv=none; d=google.com; s=arc-20160816; b=Pz0yUgy34jr+AE57Kc8zO6a64x3KZQwOHNN5Tt/GJ38dIsn5UrtDNxQjlDvKWZ5lBa RqtzLV+Xm5FkuFOeyjqSQ1FAn8X5cvQ/ZxbTWuX32Mx2Yuxk6fdWGWxuNhe2121ViIYe 2s66ByZy/IYqIapjCGfCfVa9DJu7HaMDBTapXFcv1mKM/307tjm9p8tqk2MtTvDHZRBR XzSlZdx7BIYqXvBzOj/E5hcqIm8vasA4jnFGkhNOMNQEl2AiN1+UJjgInjJ4moPbdoWV Iw5Zxg40GMyGSpB52mhnA/P37i+Wcu5RFffC8ovA61I0iBOaMQS2g2ZJHy1YRyC0foRn rHIw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-language :content-transfer-encoding:in-reply-to:mime-version:user-agent:date :message-id:organization:from:references:cc:to:subject :dkim-signature; bh=nDTuGwzb2ztOT657bQQ05B52gaR+nwKF5TCGqEJRaRw=; b=EllhzB1PRHLQk21l7N9kSPMZO7zEVW/H/2XibsmVE0K5fx4/Qpfue/bI3rzdKYzu1g 4SKooAxsDn/wKW1FrdL1017mdmIxTWug2IAiNZzNQvFSsQCWN/8kStk7grjGeOyVFrz3 6C/jU0137FZ9/WUwfax10g8w/0j6Bg/jgOZUNhBjRwnD/6oENxkS17dIePgvt25zBNhW A2spOkvqhO8OE5Nz9nJALVxinZBltIXbqrZ2bMzyLSCEFon+Jw5nSfbOCugOdnr3c9xD RjPLka4TVL/Pv7cv3uw/AoAZezJF+5pS+rtFbEbcaLWJTZW02OzD25V+Axs7AW1M6+7P DMxw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@oracle.com header.s=corp-2018-07-02 header.b=PmqOlPMd; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=oracle.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id a6si11620620pgc.137.2019.01.08.19.24.21; Tue, 08 Jan 2019 19:24:36 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@oracle.com header.s=corp-2018-07-02 header.b=PmqOlPMd; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=oracle.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728964AbfAIDXP (ORCPT + 99 others); Tue, 8 Jan 2019 22:23:15 -0500 Received: from userp2120.oracle.com ([156.151.31.85]:53744 "EHLO userp2120.oracle.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727828AbfAIDXO (ORCPT ); Tue, 8 Jan 2019 22:23:14 -0500 Received: from pps.filterd (userp2120.oracle.com [127.0.0.1]) by userp2120.oracle.com (8.16.0.22/8.16.0.22) with SMTP id x093IkIk006372; Wed, 9 Jan 2019 03:23:09 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=subject : to : cc : references : from : message-id : date : mime-version : in-reply-to : content-type : content-transfer-encoding; s=corp-2018-07-02; bh=nDTuGwzb2ztOT657bQQ05B52gaR+nwKF5TCGqEJRaRw=; b=PmqOlPMdKOwkFkOnPSS16CNR0zZgZ0OrmgZaVM41YbLY4Ora0f3OboFvHJL/2WsISwqy ZPsrNJBRQjA39tSOP7VIiWkMTyFkuRJ7GHPj4OKQN7NiSKNBlsjoEBar7lcfMYgATWEW 8nlP3eiBkAJyROzQIM/ONALdb4KdZy4zXa4Y2ICGLjPDRBl/Hvmdz45Zpc29JekNKCJ3 eE1uzyEXlnQywRVHLxlMUG63nWOSDavMgfFZAT4qexKyojY+bLeIqlojIs2hJRcIaZMX 9RixgNSmbvMAp+Lf4s5+mxaAZJdH0mjYw/hC/BDuiebiX1pNmmAjqif/ePlMeXEOMV41 mA== Received: from userv0022.oracle.com (userv0022.oracle.com [156.151.31.74]) by userp2120.oracle.com with ESMTP id 2ptn7qxwn5-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 09 Jan 2019 03:23:09 +0000 Received: from userv0121.oracle.com (userv0121.oracle.com [156.151.31.72]) by userv0022.oracle.com (8.14.4/8.14.4) with ESMTP id x093N9ek012544 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 9 Jan 2019 03:23:09 GMT Received: from abhmp0019.oracle.com (abhmp0019.oracle.com [141.146.116.25]) by userv0121.oracle.com (8.14.4/8.13.8) with ESMTP id x093N8oP002607; Wed, 9 Jan 2019 03:23:08 GMT Received: from [10.182.69.170] (/10.182.69.170) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Tue, 08 Jan 2019 19:23:08 -0800 Subject: Re: [PATCH] net: nvidia: forcedeth: Fix two possible concurrency use-after-free bugs To: Jia-Ju Bai , davem@davemloft.net, keescook@chromium.org Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org References: <20190108124518.21986-1-baijiaju1990@gmail.com> <27392ae0-2c0f-f099-05d8-f9cdbfbd313e@oracle.com> <54c2efce-18ac-46d4-7fb5-8510699b528e@gmail.com> From: Yanjun Zhu Organization: Oracle Corporation Message-ID: Date: Wed, 9 Jan 2019 11:24:47 +0800 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.4.0 MIME-Version: 1.0 In-Reply-To: <54c2efce-18ac-46d4-7fb5-8510699b528e@gmail.com> Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 8bit Content-Language: en-US X-Proofpoint-Virus-Version: vendor=nai engine=5900 definitions=9130 signatures=668680 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=2 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=659 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1810050000 definitions=main-1901090025 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 2019/1/9 11:20, Jia-Ju Bai wrote: > > > On 2019/1/9 10:35, Yanjun Zhu wrote: >> >> On 2019/1/9 10:03, Jia-Ju Bai wrote: >>> >>> >>> On 2019/1/9 9:24, Yanjun Zhu wrote: >>>> >>>> On 2019/1/8 20:57, Jia-Ju Bai wrote: >>>>> >>>>> >>>>> On 2019/1/8 20:54, Zhu Yanjun wrote: >>>>>> >>>>>> 在 2019/1/8 20:45, Jia-Ju Bai 写道: >>>>>>> In drivers/net/ethernet/nvidia/forcedeth.c, the functions >>>>>>> nv_start_xmit() and nv_start_xmit_optimized() can be concurrently >>>>>>> executed with nv_poll_controller(). >>>>>>> >>>>>>> nv_start_xmit >>>>>>>    line 2321: prev_tx_ctx->skb = skb; >>>>>>> >>>>>>> nv_start_xmit_optimized >>>>>>>    line 2479: prev_tx_ctx->skb = skb; >>>>>>> >>>>>>> nv_poll_controller >>>>>>>    nv_do_nic_poll >>>>>>>      line 4134: spin_lock(&np->lock); >>>>>>>      nv_drain_rxtx >>>>>>>        nv_drain_tx >>>>>>>          nv_release_txskb >>>>>>>            line 2004: dev_kfree_skb_any(tx_skb->skb); >>>>>>> >>>>>>> Thus, two possible concurrency use-after-free bugs may occur. >>>>>>> >>>>>>> To fix these possible bugs, >>>>>> >>>>>> >>>>>> Does this really occur? Can you reproduce this ? >>>>> >>>>> This bug is not found by the real execution. >>>>> It is found by a static tool written by myself, and then I check >>>>> it by manual code review. >>>> >>>> Before "line 2004: dev_kfree_skb_any(tx_skb->skb); ", >>>> >>>> " >>>> >>>>                 nv_disable_irq(dev); >>>>                 nv_napi_disable(dev); >>>>                 netif_tx_lock_bh(dev); >>>>                 netif_addr_lock(dev); >>>>                 spin_lock(&np->lock); >>>>                 /* stop engines */ >>>>                 nv_stop_rxtx(dev);   <---this stop rxtx >>>>                 nv_txrx_reset(dev); >>>> " >>>> >>>> In this case, does nv_start_xmit or nv_start_xmit_optimized still >>>> work well? >>>> >>> >>> nv_stop_rxtx() calls nv_stop_tx(dev). >>> >>> static void nv_stop_tx(struct net_device *dev) >>> { >>>     struct fe_priv *np = netdev_priv(dev); >>>     u8 __iomem *base = get_hwbase(dev); >>>     u32 tx_ctrl = readl(base + NvRegTransmitterControl); >>> >>>     if (!np->mac_in_use) >>>         tx_ctrl &= ~NVREG_XMITCTL_START; >>>     else >>>         tx_ctrl |= NVREG_XMITCTL_TX_PATH_EN; >>>     writel(tx_ctrl, base + NvRegTransmitterControl); >>>     if (reg_delay(dev, NvRegTransmitterStatus, NVREG_XMITSTAT_BUSY, 0, >>>               NV_TXSTOP_DELAY1, NV_TXSTOP_DELAY1MAX)) >>>         netdev_info(dev, "%s: TransmitterStatus remained busy\n", >>>                 __func__); >>> >>>     udelay(NV_TXSTOP_DELAY2); >>>     if (!np->mac_in_use) >>>         writel(readl(base + NvRegTransmitPoll) & >>> NVREG_TRANSMITPOLL_MAC_ADDR_REV, >>>                base + NvRegTransmitPoll); >>> } >>> >>> nv_stop_tx() seems to only write registers to stop transmitting for >>> hardware. >>> But it does not wait until nv_start_xmit() and >>> nv_start_xmit_optimized() finish execution. >> There are 3 modes in forcedeth NIC. >> In throughput mode (0), every tx & rx packet will generate an interrupt. >> In CPU mode (1), interrupts are controlled by a timer. >> In dynamic mode (2), the mode toggles between throughput and CPU mode >> based on network load. >> >> From the source code, >> >> "np->recover_error = 1;" is related with CPU mode. >> >> nv_start_xmit or nv_start_xmit_optimized seems related with >> ghroughput mode. >> >> In static void nv_do_nic_poll(struct timer_list *t), >> when  if (np->recover_error), line 2004: >> dev_kfree_skb_any(tx_skb->skb); will run. >> >> When "np->recover_error=1", do you think nv_start_xmit or >> nv_start_xmit_optimized will be called? > > Sorry, I do not know about these modes... > But I still think nv_start_xmit() or nv_start_xmit_optimized() can be > called here, in no matter which mode :) :-P If you have forcedeth NIC, you can make tests with it.:-) > > > Best wishes, > Jia-Ju Bai >