From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Yonglong Liu, Huazhong Tan, "David S. Miller", Sasha Levin
Subject: [PATCH 4.4 011/230] net: hns: Fix use after free identified by SLUB debug
Date: Fri, 22 Mar 2019 12:12:29 +0100
Message-Id: <20190322111237.534752387@linuxfoundation.org>
In-Reply-To: <20190322111236.796964179@linuxfoundation.org>
References: <20190322111236.796964179@linuxfoundation.org>

4.4-stable review patch. If anyone has any objections, please let me know.

------------------

[ Upstream commit bb989501abcafa0de5f18b0ec0ec459b5b817908 ]

When enabling SLUB debug, then removing the hns_enet_drv module, SLUB debug will identify a use after free bug:

[134.189505] Unable to handle kernel paging request at virtual address 006b6b6b6b6b6b6b
[134.197553] Mem abort info:
[134.200381] ESR = 0x96000004
[134.203487] Exception class = DABT (current EL), IL = 32 bits
[134.209497] SET = 0, FnV = 0
[134.212596] EA = 0, S1PTW = 0
[134.215777] Data abort info:
[134.218701] ISV = 0, ISS = 0x00000004
[134.222596] CM = 0, WnR = 0
[134.225606] [006b6b6b6b6b6b6b] address between user and kernel address ranges
[134.232851] Internal error: Oops: 96000004 [#1] SMP
[134.237798] CPU: 21 PID: 27834 Comm: rmmod Kdump: loaded Tainted: G OE 4.19.5-1.2.34.aarch64 #1
[134.247856] Hardware name: Huawei TaiShan 2280 /BC11SPCD, BIOS 1.58 10/24/2018
[134.255181] pstate: 20000005 (nzCv daif -PAN -UAO)
[134.260044] pc : hns_ae_put_handle+0x38/0x60
[134.264372] lr : hns_ae_put_handle+0x24/0x60
[134.268700] sp : ffff00001be93c50
[134.272054] x29: ffff00001be93c50 x28: ffff802faaec8040
[134.277442] x27: 0000000000000000 x26: 0000000000000000
[134.282830] x25: 0000000056000000 x24: 0000000000000015
[134.288284] x23: ffff0000096fe098 x22: ffff000001050070
[134.293671] x21: ffff801fb3c044a0 x20: ffff80afb75ec098
[134.303287] x19: ffff80afb75ec098 x18: 0000000000000000
[134.312945] x17: 0000000000000000 x16: 0000000000000000
[134.322517] x15: 0000000000000002 x14: 0000000000000000
[134.332030] x13: dead000000000100 x12: ffff7e02bea3c988
[134.341487] x11: ffff80affbee9e68 x10: 0000000000000000
[134.351033] x9 : 6fffff8000008101 x8 : 0000000000000000
[134.360569] x7 : dead000000000100 x6 : ffff000009579748
[134.370059] x5 : 0000000000210d00 x4 : 0000000000000000
[134.379550] x3 : 0000000000000001 x2 : 0000000000000000
[134.388813] x1 : 6b6b6b6b6b6b6b6b x0 : 0000000000000000
[134.397993] Process rmmod (pid: 27834, stack limit = 0x00000000d474b7fd)
[134.408498] Call trace:
[134.414611] hns_ae_put_handle+0x38/0x60
[134.422208] hnae_put_handle+0xd4/0x108
[134.429563] hns_nic_dev_remove+0x60/0xc0 [hns_enet_drv]
[134.438342] platform_drv_remove+0x2c/0x70
[134.445958] device_release_driver_internal+0x174/0x208
[134.454810] driver_detach+0x70/0xd8
[134.461913] bus_remove_driver+0x64/0xe8
[134.469396] driver_unregister+0x34/0x60
[134.476822] platform_driver_unregister+0x20/0x30
[134.485130] hns_nic_dev_driver_exit+0x14/0x6e4 [hns_enet_drv]
[134.494634] __arm64_sys_delete_module+0x238/0x290

struct hnae_handle is a member of struct hnae_vf_cb, so when vf_cb is freed, then using hnae_handle will cause a use after free panic.

This patch frees vf_cb after hnae_handle is used.

Signed-off-by: Yonglong Liu
Signed-off-by: Huazhong Tan
Signed-off-by: David S. Miller
Signed-off-by: Sasha Levin
--- drivers/net/ethernet/hisilicon/hns/hns_ae_adapt.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/drivers/net/ethernet/hisilicon/hns/hns_ae_adapt.c b/drivers/net/ethernet/hisilicon/hns/hns_ae_adapt.c index 1a16c0307b475..bd36fbe81ad2a 100644 --- a/drivers/net/ethernet/hisilicon/hns/hns_ae_adapt.c
+++ b/drivers/net/ethernet/hisilicon/hns/hns_ae_adapt.c @@ -188,12 +188,10 @@ static void hns_ae_put_handle(struct hnae_handle *handle) struct hnae_vf_cb *vf_cb = hns_ae_get_vf_cb(handle); int i; - vf_cb->mac_cb = NULL; - - kfree(vf_cb); - for (i = 0; i < handle->q_num; i++) hns_ae_get_ring_pair(handle->qs[i])->used_by_vf = 0; + + kfree(vf_cb); } static void hns_ae_ring_enable_all(struct hnae_handle *handle, int val) -- 2.19.1
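
Review bot: the kfree(vf_cb) that now closes hns_ae_put_handle() also releases the storage behind the `handle` argument, and nothing at that line says so. The commit message states that struct hnae_handle is a member of struct hnae_vf_cb, so `handle` is dangling the moment this function returns. A one-line comment above the kfree() noting that it frees `handle` too, and that nothing may dereference `handle` afterwards, would keep a later edit from reintroducing the ordering bug the loop over handle->q_num and handle->qs[i] just tripped on. The trace shows hnae_put_handle() as the caller, so it is worth confirming as part of this review that it does not touch the handle after the call. Dropping the `vf_cb->mac_cb = NULL` store is fine, since the object is freed immediately after the loop.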