From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Yonglong Liu, Huazhong Tan, "David S. Miller", Sasha Levin
Subject: [PATCH 4.9 16/63] net: hns: Fix use after free identified by SLUB debug
Date: Mon, 25 Feb 2019 22:11:16 +0100
Message-Id: <20190225195036.945469444@linuxfoundation.org>
X-Mailer: git-send-email 2.20.1
In-Reply-To: <20190225195035.713274200@linuxfoundation.org>
References: <20190225195035.713274200@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
X-Patchwork-Hint: ignore
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

4.9-stable review patch. If anyone has any objections, please let me know.

------------------

[ Upstream commit bb989501abcafa0de5f18b0ec0ec459b5b817908 ]

When enable SLUB debug, then remove hns_enet_drv module, SLUB debug will
identify a use after free bug:

[134.189505] Unable to handle kernel paging request at virtual address 006b6b6b6b6b6b6b
[134.197553] Mem abort info:
[134.200381] ESR = 0x96000004
[134.203487] Exception class = DABT (current EL), IL = 32 bits
[134.209497] SET = 0, FnV = 0
[134.212596] EA = 0, S1PTW = 0
[134.215777] Data abort info:
[134.218701] ISV = 0, ISS = 0x00000004
[134.222596] CM = 0, WnR = 0
[134.225606] [006b6b6b6b6b6b6b] address between user and kernel address ranges
[134.232851] Internal error: Oops: 96000004 [#1] SMP
[134.237798] CPU: 21 PID: 27834 Comm: rmmod Kdump: loaded Tainted: G OE 4.19.5-1.2.34.aarch64 #1
[134.247856] Hardware name: Huawei TaiShan 2280 /BC11SPCD, BIOS 1.58 10/24/2018
[134.255181] pstate: 20000005 (nzCv daif -PAN -UAO)
[134.260044] pc : hns_ae_put_handle+0x38/0x60
[134.264372] lr : hns_ae_put_handle+0x24/0x60
[134.268700] sp : ffff00001be93c50
[134.272054] x29: ffff00001be93c50 x28: ffff802faaec8040
[134.277442] x27: 0000000000000000 x26: 0000000000000000
[134.282830] x25: 0000000056000000 x24: 0000000000000015
[134.288284] x23: ffff0000096fe098 x22: ffff000001050070
[134.293671] x21: ffff801fb3c044a0 x20: ffff80afb75ec098
[134.303287] x19: ffff80afb75ec098 x18: 0000000000000000
[134.312945] x17: 0000000000000000 x16: 0000000000000000
[134.322517] x15: 0000000000000002 x14: 0000000000000000
[134.332030] x13: dead000000000100 x12: ffff7e02bea3c988
[134.341487] x11: ffff80affbee9e68 x10: 0000000000000000
[134.351033] x9 : 6fffff8000008101 x8 : 0000000000000000
[134.360569] x7 : dead000000000100 x6 : ffff000009579748
[134.370059] x5 : 0000000000210d00 x4 : 0000000000000000
[134.379550] x3 : 0000000000000001 x2 : 0000000000000000
[134.388813] x1 : 6b6b6b6b6b6b6b6b x0 : 0000000000000000
[134.397993] Process rmmod (pid: 27834, stack limit = 0x00000000d474b7fd)
[134.408498] Call trace:
[134.414611] hns_ae_put_handle+0x38/0x60
[134.422208] hnae_put_handle+0xd4/0x108
[134.429563] hns_nic_dev_remove+0x60/0xc0 [hns_enet_drv]
[134.438342] platform_drv_remove+0x2c/0x70
[134.445958] device_release_driver_internal+0x174/0x208
[134.454810] driver_detach+0x70/0xd8
[134.461913] bus_remove_driver+0x64/0xe8
[134.469396] driver_unregister+0x34/0x60
[134.476822] platform_driver_unregister+0x20/0x30
[134.485130] hns_nic_dev_driver_exit+0x14/0x6e4 [hns_enet_drv]
[134.494634] __arm64_sys_delete_module+0x238/0x290

struct hnae_handle is a member of struct hnae_vf_cb, so when vf_cb is
freed, then use hnae_handle will cause use after free panic.

This patch frees vf_cb after hnae_handle used.

Signed-off-by: Yonglong Liu
Signed-off-by: Huazhong Tan
Signed-off-by: David S. Miller
Signed-off-by: Sasha Levin
--- drivers/net/ethernet/hisilicon/hns/hns_ae_adapt.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/drivers/net/ethernet/hisilicon/hns/hns_ae_adapt.c b/drivers/net/ethernet/hisilicon/hns/hns_ae_adapt.c index 0b4d90ceea7a6..864f107ed48fa 100644 --- a/drivers/net/ethernet/hisilicon/hns/hns_ae_adapt.c 
+++ b/drivers/net/ethernet/hisilicon/hns/hns_ae_adapt.c @@ -149,12 +149,10 @@ static void hns_ae_put_handle(struct hnae_handle *handle) struct hnae_vf_cb *vf_cb = hns_ae_get_vf_cb(handle); int i; - vf_cb->mac_cb = NULL; - - kfree(vf_cb); - for (i = 0; i < handle->q_num; i++) hns_ae_get_ring_pair(handle->qs[i])->used_by_vf = 0; + + kfree(vf_cb); } static void hns_ae_ring_enable_all(struct hnae_handle *handle, int val) -- 2.19.1
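
Review bot: the kfree(vf_cb) now placed at the end of hns_ae_put_handle() also releases the memory behind the handle argument, because the changelog states that struct hnae_handle is a member of struct hnae_vf_cb, yet nothing in the function says so. A one-line comment above the kfree noting that handle lives inside vf_cb and must not be dereferenced afterwards would keep a later edit from moving code below it and reintroducing the same ordering bug. The hunk also deletes vf_cb->mac_cb = NULL without a word in the changelog; the store had no lasting effect since the object was freed on the next statement, and saying that in the commit message would account for all four removed lines. The caller is not visible in this patch: the trace shows hnae_put_handle+0xd4/0x108 calling into this function, so it is worth confirming that hnae_put_handle() does not touch the handle once this callback has returned.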