From: Tariq Toukan
Subject: Re: [PATCH v2] net/mlx4_en: fix potential use-after-free with dma_unmap_page
Date: Wed, 2 May 2018 16:50:28 +0300
Message-ID: <5ee8574e-154c-3fa6-8b29-09fae1d08861@mellanox.com>
References: <1524715234-20002-1-git-send-email-srn@prgmr.com> <20180427.194859.554972405986118921.davem@davemloft.net>
In-Reply-To: <20180427.194859.554972405986118921.davem@davemloft.net>
To: David Miller, srn@prgmr.com
Cc: yishaih@mellanox.com, netdev@vger.kernel.org

On 28/04/2018 2:48 AM, David Miller wrote:
> From: Sarah Newman
> Date: Wed, 25 Apr 2018 21:00:34 -0700
>
>> When swiotlb is in use, calling dma_unmap_page means that
>> the original page mapped with dma_map_page must still be valid
>> as swiotlb will copy data from its internal cache back to the
>> originally requested DMA location. When GRO is enabled,
>> all references to the original frag may be put before
>> mlx4_en_free_frag is called, meaning the page has been freed
>> before the call to dma_unmap_page in mlx4_en_free_frag.
>>
>> To fix, unmap the page as soon as possible.
>>
>> This can be trivially detected by doing the following:
>>
>> Compile the kernel with DEBUG_PAGEALLOC
>> Run the kernel as a Xen Dom0
>> Leave GRO enabled on the interface
>> Run a 10 second or more test with iperf over the interface.
>>
>> Signed-off-by: Sarah Newman
>
> Tariq, I assume I will get this from you in the next set of
> changes you submit to me.
>
> Thanks.
>

This patch fixes an issue existing in old kernels.
It is not relevant per latest code.

So I'm not sure about the process. After I review it, do I just submit
it again for -stable?

Thanks.
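
Added example, not part of this thread and not code from the mlx4_en driver or the kernel: a userspace C model of the ordering problem the quoted commit message describes, where a bounce-buffered unmap writes back to the original page and so must run before the last page reference is put. Every function and type name in it is hypothetical, and the -1 return stands in for the fault DEBUG_PAGEALLOC would raise.

```c
/* Userspace model only; every name here is hypothetical, not a kernel API. */
#include <stdio.h>
#include <string.h>

#define PAGE_SZ 64
struct page { int refcount; int freed; unsigned char data[PAGE_SZ]; };
struct mapping { struct page *orig; unsigned char bounce[PAGE_SZ]; };

/* Map for device-to-memory DMA: the device writes into the bounce slot. */
static void model_map_page(struct mapping *m, struct page *p)
{
    m->orig = p;
    memset(m->bounce, 0, PAGE_SZ);
}

/* Unmap copies the bounce slot back to the original page, so that page must
 * still be allocated. Returns -1 where DEBUG_PAGEALLOC would fault. */
static int model_unmap_page(struct mapping *m)
{
    if (m->orig->freed)
        return -1;
    memcpy(m->orig->data, m->bounce, PAGE_SZ);
    return 0;
}

static void model_put_page(struct page *p)
{
    if (--p->refcount == 0)
        p->freed = 1; /* page returns to the allocator */
}

/* unmap_first=0: all references are put before the unmap (the reported bug).
 * unmap_first=1: unmap happens while a reference is still held (the fix). */
static int run_rx_path(int unmap_first)
{
    struct page pg = { .refcount = 1 };
    struct mapping m;
    int rc;

    model_map_page(&m, &pg);
    memset(m.bounce, 0xab, PAGE_SZ); /* constructed "received" bytes */
    if (!unmap_first)
        model_put_page(&pg);
    rc = model_unmap_page(&m);
    if (unmap_first)
        model_put_page(&pg);
    return rc;
}

int main(void) { printf("%d %d\n", run_rx_path(0), run_rx_path(1)); return 0; }
```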