Date: Tue, 27 Apr 2021 10:55:06 +0800 (GMT+08:00)
From: lyl2019@mail.ustc.edu.cn
To: benve@cisco.com, _govind@gmx.com, davem@davemloft.net, kuba@kernel.org
Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [BUG] ethernet:enic: A use after free bug in enic_hard_start_xmit
Message-ID: <65becad9.62766.17911406ff0.Coremail.lyl2019@mail.ustc.edu.cn>

Hi, maintainers.

Our code analyzer reported a UAF bug, but it is a little difficult for me to fix it directly.

File: drivers/net/ethernet/cisco/enic/enic_main.c

In enic_hard_start_xmit, it calls enic_queue_wq_skb(). Inside enic_queue_wq_skb, if some error happens, the skb will be freed by dev_kfree_skb(skb). But the freed skb is still used in skb_tx_timestamp(skb).

```
enic_queue_wq_skb(enic, wq, skb); // skb could be freed here
if (vnic_wq_desc_avail(wq) < MAX_SKB_FRAGS + ENIC_DESC_MAX_SPLITS)
	netif_tx_stop_queue(txq);
skb_tx_timestamp(skb); // freed skb is used here.
```

Bug introduced by fb7516d42478e ("enic: add sw timestamp support").

Thanks for your time, looking forward to your reply.

Lv Yunlong
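The ordering problem the report describes, as an added user-space model that is not the enic driver's code and not the fix the maintainers applied: `struct skb`, `struct wq`, the `*_model()` functions and the `uaf_hits` counter are all constructed stand-ins. The queue function frees the skb on its error path without telling the caller (as the report says enic_queue_wq_skb() does), the counter plays the role KASAN plays in a real kernel by recording any access to an skb after it was freed, and the "fixed order" variant shows one possible remedy, taking the timestamp before handing the skb to the function that may consume it; whether that matches the upstream change is an assumption of this example.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed stand-in for struct sk_buff with only the fields this model uses. */
struct skb {
    unsigned int len;
    unsigned long tstamp;   /* 0 = not yet stamped */
    bool freed;             /* instrumentation: set by dev_kfree_skb_model() */
};

/* Constructed stand-in for the driver's transmit work queue. */
struct wq {
    int desc_avail;         /* free descriptors left */
};

/* Instrumentation: counts every access to an skb after it was freed. */
static int uaf_hits;

static void dev_kfree_skb_model(struct skb *skb) { skb->freed = true; }

static void touch_skb(const struct skb *skb) { if (skb->freed) uaf_hits++; }

/* Model of enic_queue_wq_skb(): consumes a descriptor on success; on error it
 * frees the skb and returns nothing, so the caller cannot tell what happened. */
static void enic_queue_wq_skb_model(struct wq *wq, struct skb *skb) {
    if (wq->desc_avail == 0) {
        dev_kfree_skb_model(skb);   /* error path: the skb is gone */
        return;
    }
    wq->desc_avail--;
}

/* Model of skb_tx_timestamp(): reads and writes the skb it is given. */
static void skb_tx_timestamp_model(struct skb *skb, unsigned long now) {
    touch_skb(skb);
    skb->tstamp = now;
}

/* Ordering from the report: queue first, stamp afterwards.
 * Returns the number of after-free accesses this call caused. */
static int xmit_reported_order(struct wq *wq, struct skb *skb, unsigned long now) {
    int before = uaf_hits;
    enic_queue_wq_skb_model(wq, skb);
    skb_tx_timestamp_model(skb, now);   /* touches skb even if the queue call freed it */
    return uaf_hits - before;
}

/* One possible fix (assumption of this example): stamp the skb before handing it
 * to the function that may free it, so no use follows the possible free. */
static int xmit_fixed_order(struct wq *wq, struct skb *skb, unsigned long now) {
    int before = uaf_hits;
    skb_tx_timestamp_model(skb, now);
    enic_queue_wq_skb_model(wq, skb);
    return uaf_hits - before;
}

/* Scenario helpers: desc_avail == 0 forces the error path (skb freed). */
static int uaf_count_reported_order(int desc_avail) {
    struct wq wq = { .desc_avail = desc_avail };
    struct skb skb = { .len = 64 };
    return xmit_reported_order(&wq, &skb, 1);
}

static int uaf_count_fixed_order(int desc_avail) {
    struct wq wq = { .desc_avail = desc_avail };
    struct skb skb = { .len = 64 };
    return xmit_fixed_order(&wq, &skb, 2);
}

/* Shows the fixed ordering still records a timestamp when the queue has room. */
static unsigned long tstamp_fixed_order(int desc_avail) {
    struct wq wq = { .desc_avail = desc_avail };
    struct skb skb = { .len = 64 };
    xmit_fixed_order(&wq, &skb, 7);
    return skb.tstamp;
}

int main(void) {
    printf("reported order, full queue: %d after-free access(es)\n", uaf_count_reported_order(0));
    printf("fixed order,    full queue: %d after-free access(es)\n", uaf_count_fixed_order(0));
    printf("reported order, free slot:  %d after-free access(es)\n", uaf_count_reported_order(1));
    return 0;
}
```

The point the model makes observable is that the bug only fires on the error path: with a free descriptor both orderings are clean, and the queue function's interface (free on error, no return value) is what forces the caller to order its last use of the skb before the call.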