From: Sarah Newman <srn@prgmr.com>
To: Greg KH <gregkh@linuxfoundation.org>
Cc: stable@vger.kernel.org, tariqt@mellanox.com, davem@davemloft.net
Subject: [PATCH v3] net/mlx4_en: fix potential use-after-free with dma_unmap_page
Date: Thu, 31 May 2018 10:15:21 -0700
Message-ID: <95db5d0c-85ab-2977-98b4-bd8836a7adad@prgmr.com>
In-Reply-To: <20180531053614.GB2532@kroah.com>

On 05/30/2018 10:36 PM, Greg KH wrote:
> On Wed, May 30, 2018 at 06:04:05PM -0700, Sarah Newman wrote:
>> [ Not relevant upstream, therefore no upstream commit. ]
>>
>> To fix, unmap the page as soon as possible.
>>
>> When swiotlb is in use, calling dma_unmap_page means that
>> the original page mapped with dma_map_page must still be valid,
>> as swiotlb will copy data from its internal cache back to the
>> originally requested DMA location.
>>
>> When GRO is enabled, before this patch all references to the
>> original frag may be put and the page freed before dma_unmap_page
>> in mlx4_en_free_frag is called.
>>
>> It is possible there is a path where the use-after-free occurs
>> even with GRO disabled, but this has not been observed so far.
>>
>> The bug can be trivially detected by doing the following:
>>
>> * Compile the kernel with DEBUG_PAGEALLOC
>> * Run the kernel as a Xen Dom0
>> * Leave GRO enabled on the interface
>> * Run a 10 second or more test with iperf over the interface.
>>
>> This bug was likely introduced in
>> commit 4cce66cdd14a ("mlx4_en: map entire pages to increase throughput"),
>> first part of v3.6.
>>
>> It was incidentally fixed in
>> commit 34db548bfb95 ("mlx4: add page recycling in receive path"),
>> first part of v4.12.
> 
> Why not just apply this patch instead?

That patch was part of a major rewrite. There was a 13-patch series, and not even the first patch of the series, 69ba943151b2e ("mlx4: dma_dir is a mlx4_en_priv attribute"), applies cleanly to 4.9. I didn't believe that was appropriate to backport.

> 
>>
>> This version applies to the v4.9 series.
> 
> What about 4.4?  Why not just use 4.14 for this hardware?

I can also submit a patch for 4.4 if that's desired. The differences are minor.

We don't use 4.14 because we want to use a kernel version more widely tested for the majority of features we use. Currently our distribution ships 4.9.

Thanks, Sarah
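The ordering hazard described in the quoted patch text (swiotlb copies data back into the original page on dma_unmap_page, so the page must still be alive at that point) can be shown with a small stand-alone model. This is an added example, not code from the patch, the mlx4_en driver or the kernel: the `toy_*` structures and functions are invented here, a flag on the toy page stands in for DEBUG_PAGEALLOC catching a write into freed memory, and the bounce buffer stands in for swiotlb's internal cache. The sample frame is constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Toy model (added example, not kernel code) of why a DMA page must be
 * unmapped before its last reference is dropped when swiotlb bounces.
 * The "page" carries a freed flag standing in for DEBUG_PAGEALLOC
 * catching writes into freed memory. */

#define TOY_PAGE_SIZE 64

struct toy_page {
    unsigned char data[TOY_PAGE_SIZE];
    int refcount;
    bool freed;
};

/* Stand-in for swiotlb's internal bounce buffer: the device writes here,
 * and the data is copied back to the original page only on unmap. */
struct toy_bounce {
    unsigned char buf[TOY_PAGE_SIZE];
    struct toy_page *orig;
    bool mapped;
};

/* dma_map_page analogue: remember which page the bounce buffer backs. */
static void toy_dma_map_page(struct toy_bounce *b, struct toy_page *pg)
{
    memset(b->buf, 0, sizeof b->buf);
    b->orig = pg;
    b->mapped = true;
}

/* The NIC receives a frame: under swiotlb the DMA lands in the bounce
 * buffer, not in the page the driver handed out. */
static void toy_device_rx(struct toy_bounce *b, const unsigned char *frame, size_t len)
{
    if (len > TOY_PAGE_SIZE)
        len = TOY_PAGE_SIZE;
    memcpy(b->buf, frame, len);
}

/* dma_unmap_page analogue: swiotlb copies back into the original page.
 * Returns 0 on success, -1 if the original page is already freed, i.e.
 * the copy-back would be a use-after-free write, -2 if not mapped. */
static int toy_dma_unmap_page(struct toy_bounce *b)
{
    if (!b->mapped)
        return -2;
    b->mapped = false;
    if (b->orig->freed)
        return -1;
    memcpy(b->orig->data, b->buf, TOY_PAGE_SIZE);
    return 0;
}

static void toy_get_page(struct toy_page *pg) { pg->refcount++; }

static void toy_put_page(struct toy_page *pg)
{
    if (--pg->refcount == 0) {
        memset(pg->data, 0xAA, sizeof pg->data); /* poison, like DEBUG_PAGEALLOC */
        pg->freed = true;
    }
}

/* Constructed sample frame, standing in for one iperf packet. */
static const unsigned char sample_frame[] = "constructed-frame-payload";

/* Ordering in the bug: every reference to the frag is put (page freed)
 * before the free-frag path calls unmap. Returns the unmap result (-1). */
static int buggy_rx_order(void)
{
    struct toy_page pg = { .refcount = 1 };
    struct toy_bounce b;

    toy_dma_map_page(&b, &pg);
    toy_device_rx(&b, sample_frame, sizeof sample_frame);
    toy_get_page(&pg);             /* driver hands the frag to the stack */
    toy_put_page(&pg);             /* stack is done with it */
    toy_put_page(&pg);             /* driver's reference goes: page freed */
    return toy_dma_unmap_page(&b); /* copy-back into a freed page */
}

/* Fixed ordering from the patch text: unmap as soon as possible, while
 * the page is still valid, then drop references. Returns 0 when the
 * frame reached the page intact, 1 otherwise. */
static int fixed_rx_order(void)
{
    struct toy_page pg = { .refcount = 1 };
    struct toy_bounce b;

    toy_dma_map_page(&b, &pg);
    toy_device_rx(&b, sample_frame, sizeof sample_frame);
    if (toy_dma_unmap_page(&b) != 0)
        return 1;
    toy_get_page(&pg);
    /* the stack reads the payload while it still holds a reference */
    int ok = memcmp(pg.data, sample_frame, sizeof sample_frame) == 0;
    toy_put_page(&pg);
    toy_put_page(&pg);
    return ok ? 0 : 1;
}

int main(void)
{
    printf("buggy order: unmap returned %d\n", buggy_rx_order());
    printf("fixed order: %s\n", fixed_rx_order() == 0 ? "frame intact" : "corrupted");
    return 0;
}
```

The model only reproduces the ordering: real swiotlb bouncing depends on the DMA address range, which is why the report ties the crash to running as a Xen Dom0, where swiotlb is in use, and to DEBUG_PAGEALLOC, which turns the silent write into a fault.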

Thread overview: 14+ messages
2018-03-05  4:20 [PATCH] net/mlx4_en: fix potential use-after-free with dma_unmap_page Sarah Newman
2018-03-05 10:09 ` Tariq Toukan
2018-03-05 21:10   ` Sarah Newman
2018-03-06 16:13     ` Tariq Toukan
2018-03-06 20:16       ` Sarah Newman
2018-03-11 15:15         ` Tariq Toukan
2018-04-26  4:00           ` [PATCH v2] " Sarah Newman
2018-04-27 23:48             ` David Miller
2018-05-02 13:50               ` Tariq Toukan
2018-05-02 14:26                 ` David Miller
2018-05-31  1:04                   ` [PATCH v3] " Sarah Newman
2018-05-31  5:36                     ` Greg KH
2018-05-31 17:15                       ` Sarah Newman [this message]
2018-06-02 13:33                         ` Greg KH
