Date: Thu, 31 May 2018 07:36:14 +0200
From: Greg KH
To: Sarah Newman
Cc: stable@vger.kernel.org, tariqt@mellanox.com, davem@davemloft.net
Subject: Re: [PATCH v3] net/mlx4_en: fix potential use-after-free with dma_unmap_page
Message-ID: <20180531053614.GB2532@kroah.com>
References: <20180502.102609.1429982179942319879.davem@davemloft.net> <1527728645-6216-1-git-send-email-srn@prgmr.com>
In-Reply-To: <1527728645-6216-1-git-send-email-srn@prgmr.com>

On Wed, May 30, 2018 at 06:04:05PM -0700, Sarah Newman wrote:
> [ Not relevant upstream, therefore no upstream commit. ]
>
> To fix, unmap the page as soon as possible.
>
> When swiotlb is in use, calling dma_unmap_page means that
> the original page mapped with dma_map_page must still be valid,
> as swiotlb will copy data from its internal cache back to the
> originally requested DMA location.
>
> When GRO is enabled, before this patch all references to the
> original frag may be put and the page freed before dma_unmap_page
> in mlx4_en_free_frag is called.
>
> It is possible there is a path where the use-after-free occurs
> even with GRO disabled, but this has not been observed so far.
>
> The bug can be trivially detected by doing the following:
>
> * Compile the kernel with DEBUG_PAGEALLOC
> * Run the kernel as a Xen Dom0
> * Leave GRO enabled on the interface
> * Run a 10 second or more test with iperf over the interface.
>
> This bug was likely introduced in
> commit 4cce66cdd14a ("mlx4_en: map entire pages to increase throughput"),
> first part of v3.6.
>
> It was incidentally fixed in
> commit 34db548bfb95 ("mlx4: add page recycling in receive path"),
> first part of v4.12.

Why not just apply this patch instead?

> This version applies to the v4.9 series.

What about 4.4?

Why not just use 4.14 for this hardware?

thanks,

greg k-h
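The ordering invariant the patch description relies on, shown as an added toy model rather than any mlx4_en or kernel code: a bounce-buffer mapping standing in for swiotlb copies the device's data back into the original page on unmap, so dropping the last page reference before the unmap (the GRO-enabled order described above) turns the copy-back into a write to freed memory, while unmapping first is safe. Every `toy_` name, the page and mapping structs, and the sample frame are assumptions constructed for this illustration.

```c
/*
 * Added example (not kernel or mlx4_en code): a toy model of the
 * "unmap before the last put_page" invariant. A simulated swiotlb bounce
 * buffer copies device data back into the original page on unmap, so the
 * page must still be alive when toy_dma_unmap_page() runs. All "toy_"
 * names are assumptions made for this illustration.
 */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define TOY_PAGE_BYTES 32

/* A refcounted page, as an RX frag would hold one. */
struct toy_page {
    int refcount;
    bool freed;
    unsigned char data[TOY_PAGE_BYTES];
};

/* A mapping through a bounce buffer, standing in for swiotlb. */
struct toy_mapping {
    struct toy_page *orig;
    unsigned char bounce[TOY_PAGE_BYTES];
};

/* Constructed sample frame the "device" delivers. */
static const unsigned char TOY_FRAME[] = "constructed rx frame";

static struct toy_mapping toy_dma_map_page(struct toy_page *pg)
{
    struct toy_mapping m;
    m.orig = pg;
    memset(m.bounce, 0, sizeof m.bounce);
    return m;
}

/* The device DMAs the frame into the bounce buffer, not into the page. */
static void toy_device_receive(struct toy_mapping *m)
{
    memcpy(m->bounce, TOY_FRAME, sizeof TOY_FRAME);
}

/* Dropping the last reference frees the page; like DEBUG_PAGEALLOC, mark
 * and poison it so a later write through the mapping is caught. */
static void toy_put_page(struct toy_page *pg)
{
    if (--pg->refcount == 0) {
        pg->freed = true;
        memset(pg->data, 0xAA, sizeof pg->data);
    }
}

/* On unmap swiotlb copies the bounce buffer back into the original page.
 * The toy refuses and returns false if the page is already freed, which
 * is the write-after-free the real bug would perform. */
static bool toy_dma_unmap_page(struct toy_mapping *m)
{
    if (m->orig->freed)
        return false;
    memcpy(m->orig->data, m->bounce, sizeof m->bounce);
    return true;
}

/* Buggy order: the stack (GRO) consumes the frag and puts the last page
 * reference before the driver unmaps in its free-frag path. */
bool toy_rx_unmap_late(void)
{
    struct toy_page pg = { .refcount = 1, .freed = false, .data = {0} };
    struct toy_mapping m = toy_dma_map_page(&pg);

    toy_device_receive(&m);
    toy_put_page(&pg);              /* page freed here */
    return toy_dma_unmap_page(&m);  /* copy-back would hit freed memory */
}

/* Fixed order: unmap as soon as possible, while the page is still held,
 * then let the reference go. Returns true only if the frame landed in
 * the page before it was released. */
bool toy_rx_unmap_early(void)
{
    struct toy_page pg = { .refcount = 1, .freed = false, .data = {0} };
    struct toy_mapping m = toy_dma_map_page(&pg);
    bool ok;

    toy_device_receive(&m);
    ok = toy_dma_unmap_page(&m);    /* data now in the real page */
    ok = ok && memcmp(pg.data, TOY_FRAME, sizeof TOY_FRAME) == 0;
    toy_put_page(&pg);              /* safe: nothing touches pg after this */
    return ok;
}

int main(void)
{
    printf("unmap after put_page:  %s\n",
           toy_rx_unmap_late() ? "ok" : "use-after-free");
    printf("unmap before put_page: %s\n",
           toy_rx_unmap_early() ? "ok" : "use-after-free");
    return 0;
}
```

The `freed` flag plays the role DEBUG_PAGEALLOC plays in the detection recipe above: in the real kernel the freed page is unmapped from the kernel address space, so the copy-back faults immediately instead of silently corrupting whoever reused the page.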