Received: by 2002:a25:e74b:0:0:0:0:0 with SMTP id e72csp1970554ybh; Tue, 14 Jul 2020 11:58:12 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwyPt8qnrLczrE1YlpxSXuoffU65rt9k9cH6YiWeySfLs94zcThN8o5wk3B/riOwvU2m/dh X-Received: by 2002:a17:906:29d8:: with SMTP id y24mr5800450eje.212.1594753091896; Tue, 14 Jul 2020 11:58:11 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1594753091; cv=none; d=google.com; s=arc-20160816; b=EzfOBr8EDbVSRrM2wPBEcghIN1YOAH2iWpyjt8eESD0ghOXgBu1Y5c/s6nYCUdQc2f fpHbe16CKQeLKTRtjmHllPGKC1onyM651n7oz4izEMBphVPfFVFzs5GKwpkkN838Sm7U sDf0wCha8il0WnQa0OatTXbawJ2nHSerQxVxqTP4363glylke6Wq4144l1i1y+5Nvbxg ewg5M/f2hdmT1lUnc2dwjHIHawE4aaztUo1Bpanf3OsdFhsutbgy/GkJHBbRqCDATUfC uiMonMjP0hZl0QstV3o8Ja6MMWupz1G0D1kMzBWtndntV1C4N+X3hgbTPK+UQeAzAVMA oZmw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=efgV1duCbJyD9ji8rcwOXvFO0xlQk7CYpp/5WDgBEAc=; b=azuDQKoZSnyuX6zvTuWqe6kMOfHUpBlDaeXV3GnUiXu9vMAh2Ax4vVLn4CTZdC+ADD 8LRIQ+OmVvR4rETbn2UVaNE7N7z+5uGrlrPlr5IWwxXYw3yfeMxp/LxSm3zPh4AqPyK1 6tRHxg8FtJuiQiNBbggJJCLSqomr9Y4lAu+k0re+Ybg30DPXQUKR1zqlwPOmiywnWlSa fIgVnRVJ5rHNHL9Yp/NgM7rBnfwECxNpTuZQAlWR6yvdZMyH6sXuU2hkrAOTIBnXy/ge h1Ny7DDzkuSbK9g6/FicbLqHy0NkYrCIbUuWSA5TSoBCxe8iKk5t4Fkwld3COhXJ/7kL ZTPQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=nuyaGhq0; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id h8si14846963edn.92.2020.07.14.11.57.48; Tue, 14 Jul 2020 11:58:11 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=nuyaGhq0; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730645AbgGNS4t (ORCPT + 99 others); Tue, 14 Jul 2020 14:56:49 -0400 Received: from mail.kernel.org ([198.145.29.99]:54708 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1731009AbgGNS4j (ORCPT ); Tue, 14 Jul 2020 14:56:39 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 09DC5229CA; Tue, 14 Jul 2020 18:56:37 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1594752998; bh=sANhJ2Ti1EUL70NCb3kes9GpA7wbID4KFIxyaOjnT4Q=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=nuyaGhq0w5JX53Pjby0IPoFzj8X6IChG976j3WHnG+5+YCOGC4ysQKQDE/tOymOe9 7kkCqTE5r0WC4UCBUd73D7i1etMzAXOWtjTOTxodUxg7R7KqSAi+wiEQMm4GgmQz6a uo5vX46eeqjEJsjB34NlyCUmD7LSnxua+eXEhHNo= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Yonglong Liu , Huazhong Tan , "David S. Miller" , Sasha Levin Subject: [PATCH 5.7 080/166] net: hns3: fix use-after-free when doing self test Date: Tue, 14 Jul 2020 20:44:05 +0200 Message-Id: <20200714184119.682981960@linuxfoundation.org> X-Mailer: git-send-email 2.27.0 In-Reply-To: <20200714184115.844176932@linuxfoundation.org> References: <20200714184115.844176932@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Yonglong Liu [ Upstream commit a06656211304fec653c1931c2ca6d644013b5bbb ] Enable promisc mode of PF, set VF link state to enable, and run iperf of the VF, then do self test of the PF. The self test will fail with a low frequency, and may cause a use-after-free problem. [ 87.142126] selftest:000004a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ [ 87.159722] ================================================================== [ 87.174187] BUG: KASAN: use-after-free in hex_dump_to_buffer+0x140/0x608 [ 87.187600] Read of size 1 at addr ffff003b22828000 by task ethtool/1186 [ 87.201012] [ 87.203978] CPU: 7 PID: 1186 Comm: ethtool Not tainted 5.5.0-rc4-gfd51c473-dirty #4 [ 87.219306] Hardware name: Huawei TaiShan 2280 V2/BC82AMDA, BIOS TA BIOS 2280-A CS V2.B160.01 01/15/2020 [ 87.238292] Call trace: [ 87.243173] dump_backtrace+0x0/0x280 [ 87.250491] show_stack+0x24/0x30 [ 87.257114] dump_stack+0xe8/0x140 [ 87.263911] print_address_description.isra.8+0x70/0x380 [ 87.274538] __kasan_report+0x12c/0x230 [ 87.282203] kasan_report+0xc/0x18 [ 87.288999] __asan_load1+0x60/0x68 [ 87.295969] hex_dump_to_buffer+0x140/0x608 [ 87.304332] print_hex_dump+0x140/0x1e0 [ 87.312000] hns3_lb_check_skb_data+0x168/0x170 [ 87.321060] hns3_clean_rx_ring+0xa94/0xfe0 [ 87.329422] hns3_self_test+0x708/0x8c0 The length of packet sent by the selftest process is only 128 + 14 bytes, and the min buffer size of a BD is 256 bytes, and the receive process will make sure the packet sent by the selftest process is in the linear part, so only check the linear part in hns3_lb_check_skb_data(). So fix this use-after-free by using skb_headlen() to dump skb->data instead of skb->len. Fixes: c39c4d98dc65 ("net: hns3: Add mac loopback selftest support in hns3 driver") Signed-off-by: Yonglong Liu Signed-off-by: Huazhong Tan Signed-off-by: David S. Miller Signed-off-by: Sasha Levin --- drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c b/drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c index 28b81f24afa11..2a78805d531a1 100644 --- a/drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c +++ b/drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c @@ -174,18 +174,21 @@ static void hns3_lb_check_skb_data(struct hns3_enet_ring *ring, { struct hns3_enet_tqp_vector *tqp_vector = ring->tqp_vector; unsigned char *packet = skb->data; + u32 len = skb_headlen(skb); u32 i; - for (i = 0; i < skb->len; i++) + len = min_t(u32, len, HNS3_NIC_LB_TEST_PACKET_SIZE); + + for (i = 0; i < len; i++) if (packet[i] != (unsigned char)(i & 0xff)) break; /* The packet is correctly received */ - if (i == skb->len) + if (i == HNS3_NIC_LB_TEST_PACKET_SIZE) tqp_vector->rx_group.total_packets++; else print_hex_dump(KERN_ERR, "selftest:", DUMP_PREFIX_OFFSET, 16, 1, - skb->data, skb->len, true); + skb->data, len, true); dev_kfree_skb_any(skb); } -- 2.25.1