From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Yonglong Liu, Huazhong Tan, "David S. Miller", Sasha Levin
Subject: [PATCH 4.20 043/183] net: hns: Fix use after free identified by SLUB debug
Date: Mon, 25 Feb 2019 22:10:16 +0100
Message-Id: <20190225195101.906068555@linuxfoundation.org>
In-Reply-To: <20190225195054.748060397@linuxfoundation.org>
References: <20190225195054.748060397@linuxfoundation.org>

4.20-stable review patch. If anyone has any objections, please let me know.

------------------

[ Upstream commit bb989501abcafa0de5f18b0ec0ec459b5b817908 ]

When enable SLUB debug, then remove hns_enet_drv module, SLUB debug will
identify a use after free bug:

[134.189505] Unable to handle kernel paging request at virtual address 006b6b6b6b6b6b6b
[134.197553] Mem abort info:
[134.200381] ESR = 0x96000004
[134.203487] Exception class = DABT (current EL), IL = 32 bits
[134.209497] SET = 0, FnV = 0
[134.212596] EA = 0, S1PTW = 0
[134.215777] Data abort info:
[134.218701] ISV = 0, ISS = 0x00000004
[134.222596] CM = 0, WnR = 0
[134.225606] [006b6b6b6b6b6b6b] address between user and kernel address ranges
[134.232851] Internal error: Oops: 96000004 [#1] SMP
[134.237798] CPU: 21 PID: 27834 Comm: rmmod Kdump: loaded Tainted: G OE 4.19.5-1.2.34.aarch64 #1
[134.247856] Hardware name: Huawei TaiShan 2280 /BC11SPCD, BIOS 1.58 10/24/2018
[134.255181] pstate: 20000005 (nzCv daif -PAN -UAO)
[134.260044] pc : hns_ae_put_handle+0x38/0x60
[134.264372] lr : hns_ae_put_handle+0x24/0x60
[134.268700] sp : ffff00001be93c50
[134.272054] x29: ffff00001be93c50 x28: ffff802faaec8040
[134.277442] x27: 0000000000000000 x26: 0000000000000000
[134.282830] x25: 0000000056000000 x24: 0000000000000015
[134.288284] x23: ffff0000096fe098 x22: ffff000001050070
[134.293671] x21: ffff801fb3c044a0 x20: ffff80afb75ec098
[134.303287] x19: ffff80afb75ec098 x18: 0000000000000000
[134.312945] x17: 0000000000000000 x16: 0000000000000000
[134.322517] x15: 0000000000000002 x14: 0000000000000000
[134.332030] x13: dead000000000100 x12: ffff7e02bea3c988
[134.341487] x11: ffff80affbee9e68 x10: 0000000000000000
[134.351033] x9 : 6fffff8000008101 x8 : 0000000000000000
[134.360569] x7 : dead000000000100 x6 : ffff000009579748
[134.370059] x5 : 0000000000210d00 x4 : 0000000000000000
[134.379550] x3 : 0000000000000001 x2 : 0000000000000000
[134.388813] x1 : 6b6b6b6b6b6b6b6b x0 : 0000000000000000
[134.397993] Process rmmod (pid: 27834, stack limit = 0x00000000d474b7fd)
[134.408498] Call trace:
[134.414611] hns_ae_put_handle+0x38/0x60
[134.422208] hnae_put_handle+0xd4/0x108
[134.429563] hns_nic_dev_remove+0x60/0xc0 [hns_enet_drv]
[134.438342] platform_drv_remove+0x2c/0x70
[134.445958] device_release_driver_internal+0x174/0x208
[134.454810] driver_detach+0x70/0xd8
[134.461913] bus_remove_driver+0x64/0xe8
[134.469396] driver_unregister+0x34/0x60
[134.476822] platform_driver_unregister+0x20/0x30
[134.485130] hns_nic_dev_driver_exit+0x14/0x6e4 [hns_enet_drv]
[134.494634] __arm64_sys_delete_module+0x238/0x290

struct hnae_handle is a member of struct hnae_vf_cb, so when vf_cb is
freed, then use hnae_handle will cause use after free panic.

This patch frees vf_cb after hnae_handle used.

Signed-off-by: Yonglong Liu
Signed-off-by: Huazhong Tan
Signed-off-by: David S. Miller
Signed-off-by: Sasha Levin
---
 drivers/net/ethernet/hisilicon/hns/hns_ae_adapt.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/drivers/net/ethernet/hisilicon/hns/hns_ae_adapt.c b/drivers/net/ethernet/hisilicon/hns/hns_ae_adapt.c index ad1779fc410e6..a78bfafd212c8 100644 --- a/drivers/net/ethernet/hisilicon/hns/hns_ae_adapt.c
+++ b/drivers/net/ethernet/hisilicon/hns/hns_ae_adapt.c @@ -147,12 +147,10 @@ static void hns_ae_put_handle(struct hnae_handle *handle) struct hnae_vf_cb *vf_cb = hns_ae_get_vf_cb(handle); int i; - vf_cb->mac_cb = NULL; - - kfree(vf_cb); - for (i = 0; i < handle->q_num; i++) hns_ae_get_ring_pair(handle->qs[i])->used_by_vf = 0; + + kfree(vf_cb); } static int hns_ae_wait_flow_down(struct hnae_handle *handle) -- 2.19.1
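
Review bot: after the relocated kfree(vf_cb) at the end of hns_ae_put_handle(), the handle argument itself points into freed memory, because the commit message states that struct hnae_handle is a member of struct hnae_vf_cb. A one-line comment above the kfree() saying that handle must not be touched past this point would keep a later change from reintroducing the same ordering, and the caller shown in the trace (hnae_put_handle) should be checked for any use of the handle after this callback returns. The hunk also drops vf_cb->mac_cb = NULL without the commit message mentioning it; that store sat immediately before the free in the old code, so removing it is fine, but the changelog should say so. The changelog carries no Fixes: tag naming the commit that introduced the free-before-use order, which would tell stable maintainers how far back this needs to go.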
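
The ordering problem the commit message describes, modelled in userspace as an added example (not code from the patch or the hns driver). The struct names, their layout, setup() and the one-object allocator are assumptions; 0x6b is the kernel's POISON_FREE byte, which matches the 6b6b6b6b6b6b6b6b in x1 of the oops.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define POISON_FREE 0x6b /* byte SLUB debug writes over freed objects */
/* Simplified stand-ins for the driver's structs; the layout is assumed. */
struct ring_pair { int used_by_vf; };
struct handle { int q_num; struct ring_pair *qs[4]; };
struct vf_cb { int port; struct handle ae_handle; }; /* handle is embedded */
static struct vf_cb slot; /* one-object "slab": stays mapped after the free */

static void free_vf_cb(struct handle *h) /* models kfree(vf_cb) + poisoning */
{
	char *cb = (char *)h - offsetof(struct vf_cb, ae_handle);
	memset(cb, POISON_FREE, sizeof(struct vf_cb));
}

static struct handle *setup(struct ring_pair *r) /* two rings, both in use */
{
	r[0].used_by_vf = r[1].used_by_vf = 1;
	slot.ae_handle = (struct handle){ .q_num = 2, .qs = { &r[0], &r[1] } };
	return &slot.ae_handle;
}

/* Pre-patch order: free, then read handle. Returns the stale qs[0] bits. */
static uintptr_t put_handle_before(struct handle *h)
{
	uintptr_t v;
	free_vf_cb(h);
	memcpy(&v, &h->qs[0], sizeof(v)); /* inspect only, never dereference */
	return v;
}

/* Patched order: finish with handle, then free. Returns rings released. */
static int put_handle_after(struct handle *h)
{
	int i;
	for (i = 0; i < h->q_num; i++)
		h->qs[i]->used_by_vf = 0;
	free_vf_cb(h);
	return i;
}

int main(void)
{
	struct ring_pair r[2];
	printf("before: qs[0] = 0x%" PRIxPTR "\n", put_handle_before(setup(r)));
	printf("after: %d rings released\n", put_handle_after(setup(r)));
	return 0;
}
```

In the pre-patch order the rings are never released and the value read back as a ring pointer is pure poison, which the real driver then dereferenced.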