* [PATCH] epic100: fix use after free on rmmod
@ 2022-06-23 7:40 Tong Zhang
2022-06-23 9:22 ` Francois Romieu
0 siblings, 1 reply; 8+ messages in thread
From: Tong Zhang @ 2022-06-23 7:40 UTC (permalink / raw)
To: David S. Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni,
Florian Fainelli, Arnd Bergmann, Jason Gunthorpe, Tong Zhang,
Jeff Kirsher, netdev, linux-kernel
Cc: Yilun Wu
epic_close() calls epic_rx() and uses dma buffer, but in epic_remove_one()
we already freed the dma buffer. To fix this issue, reorder function calls
like in the .probe function.
BUG: KASAN: use-after-free in epic_rx+0xa6/0x7e0 [epic100]
Call Trace:
epic_rx+0xa6/0x7e0 [epic100]
epic_close+0xec/0x2f0 [epic100]
unregister_netdev+0x18/0x20
epic_remove_one+0xaa/0xf0 [epic100]
Fixes: ae150435b59e ("smsc: Move the SMC (SMSC) drivers")
Reported-by: Yilun Wu <yiluwu@cs.stonybrook.edu>
Signed-off-by: Tong Zhang <ztong0001@gmail.com>
---
drivers/net/ethernet/smsc/epic100.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/smsc/epic100.c b/drivers/net/ethernet/smsc/epic100.c
index a0654e88444c..0329caf63279 100644
--- a/drivers/net/ethernet/smsc/epic100.c
+++ b/drivers/net/ethernet/smsc/epic100.c
@@ -1515,14 +1515,14 @@ static void epic_remove_one(struct pci_dev *pdev)
struct net_device *dev = pci_get_drvdata(pdev);
struct epic_private *ep = netdev_priv(dev);
+ unregister_netdev(dev);
dma_free_coherent(&pdev->dev, TX_TOTAL_SIZE, ep->tx_ring,
ep->tx_ring_dma);
dma_free_coherent(&pdev->dev, RX_TOTAL_SIZE, ep->rx_ring,
ep->rx_ring_dma);
- unregister_netdev(dev);
pci_iounmap(pdev, ep->ioaddr);
- pci_release_regions(pdev);
free_netdev(dev);
+ pci_release_regions(pdev);
pci_disable_device(pdev);
/* pci_power_off(pdev, -1); */
}
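Review bot: the commit message only justifies moving unregister_netdev() above the two dma_free_coherent() calls, yet the hunk also moves pci_release_regions(pdev) below free_netdev(dev); say in the changelog that this second swap is just the reverse-of-probe ordering and not part of the use-after-free fix, so a backporter knows it is optional. The core change is right: unregister_netdev() runs the ndo_stop path (epic_close() -> epic_rx(), as in the trace above), and that path walks the rings, so the rings must stay allocated until it returns. One thing to keep in mind for later edits of this function: after free_netdev(dev) the ep pointer from netdev_priv(dev) is dangling; the two remaining calls only take pdev, so the hunk is fine as is, but any future ep-> access has to stay above free_netdev().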
--
2.25.1
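The ordering bug in the patch above, as an added worked example that is not part of the driver or of this thread. It is a constructed C model of epic_remove_one(): the DMA rings are plain heap buffers, "KASAN" is a freed flag checked on every ring access, and unregister_netdev() is modelled as calling the ndo_stop path only when the interface is up (which is also what the real kernel does, and is why the bug only surfaces on rmmod of an interface that was brought up). The model_* names and the rmmod_scenario() helper are assumptions of the example, not kernel symbols.

```c
/*
 * Constructed model of the epic100 teardown ordering bug (added example,
 * not driver code). A freed flag stands in for KASAN so the buggy order is
 * observable without actually touching freed memory.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

#define RX_RING_SIZE 8

struct epic_model {
	unsigned int *rx_ring;  /* stands in for ep->rx_ring */
	bool rx_ring_freed;     /* what KASAN's quarantine knows */
	bool netdev_up;         /* interface was brought up before rmmod */
	bool registered;
	int uaf_accesses;       /* touches of a freed ring */
};

/* probe side: allocate the ring, register the netdev, optionally bring it up */
static int model_probe(struct epic_model *ep, bool bring_up)
{
	memset(ep, 0, sizeof(*ep));
	ep->rx_ring = calloc(RX_RING_SIZE, sizeof(*ep->rx_ring));
	if (!ep->rx_ring)
		return -1;
	ep->rx_ring[0] = 1;     /* one constructed pending packet */
	ep->registered = true;
	ep->netdev_up = bring_up;
	return 0;
}

/* dma_free_coherent() stand-in: memory stays mapped so accesses can be counted */
static void model_dma_free(struct epic_model *ep)
{
	ep->rx_ring_freed = true;
}

/* epic_rx() walks the RX ring; on a freed ring this is the reported UAF */
static int model_epic_rx(struct epic_model *ep)
{
	int drained = 0;

	if (ep->rx_ring_freed) {
		ep->uaf_accesses++;
		return -1;
	}
	for (size_t i = 0; i < RX_RING_SIZE; i++) {
		if (ep->rx_ring[i]) {
			ep->rx_ring[i] = 0;
			drained++;
		}
	}
	return drained;
}

/* ndo_stop: epic_close() drains the ring, as in the KASAN trace */
static void model_epic_close(struct epic_model *ep)
{
	model_epic_rx(ep);
}

/* unregister_netdev() closes a running interface before unregistering it */
static void model_unregister_netdev(struct epic_model *ep)
{
	if (ep->netdev_up)
		model_epic_close(ep);
	ep->netdev_up = false;
	ep->registered = false;
}

static void model_release(struct epic_model *ep)
{
	free(ep->rx_ring);
	ep->rx_ring = NULL;
}

/* Pre-patch order: free the rings, then unregister. Returns the UAF count. */
static int remove_buggy(struct epic_model *ep)
{
	model_dma_free(ep);
	model_unregister_netdev(ep);
	model_release(ep);
	return ep->uaf_accesses;
}

/* Post-patch order: unregister (and therefore close) first, then free. */
static int remove_fixed(struct epic_model *ep)
{
	model_unregister_netdev(ep);
	model_dma_free(ep);
	model_release(ep);
	return ep->uaf_accesses;
}

/* Scenario helper: probe, optionally bring the interface up, then remove. */
static int rmmod_scenario(bool ifup, bool fixed)
{
	struct epic_model ep;

	if (model_probe(&ep, ifup))
		return -1;
	return fixed ? remove_fixed(&ep) : remove_buggy(&ep);
}
```

rmmod_scenario(true, false) reports one freed-ring access, which is the pre-patch path with the interface up; rmmod_scenario(true, true) reports none. With the interface never brought up, both orders report zero, which is why the bug could sit in the driver for years without a report.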
* Re: [PATCH] epic100: fix use after free on rmmod
2022-06-23 7:40 [PATCH] epic100: fix use after free on rmmod Tong Zhang
@ 2022-06-23 9:22 ` Francois Romieu
2022-06-24 18:41 ` Jakub Kicinski
0 siblings, 1 reply; 8+ messages in thread
From: Francois Romieu @ 2022-06-23 9:22 UTC (permalink / raw)
To: Tong Zhang
Cc: David S. Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni,
Florian Fainelli, Arnd Bergmann, Jason Gunthorpe, Jeff Kirsher,
netdev, linux-kernel, Yilun Wu
Tong Zhang <ztong0001@gmail.com> :
> epic_close() calls epic_rx() and uses dma buffer, but in epic_remove_one()
> we already freed the dma buffer. To fix this issue, reorder function calls
> like in the .probe function.
>
> BUG: KASAN: use-after-free in epic_rx+0xa6/0x7e0 [epic100]
> Call Trace:
> epic_rx+0xa6/0x7e0 [epic100]
> epic_close+0xec/0x2f0 [epic100]
> unregister_netdev+0x18/0x20
> epic_remove_one+0xaa/0xf0 [epic100]
>
> Fixes: ae150435b59e ("smsc: Move the SMC (SMSC) drivers")
> Reported-by: Yilun Wu <yiluwu@cs.stonybrook.edu>
> Signed-off-by: Tong Zhang <ztong0001@gmail.com>
The "Fixes:" tag is a bit misleading: this code path predates the move
by several years. Ignoring pci_* vs dma_* API changes, this is pre-2005
material.
Reviewed-by: Francois Romieu <romieu@fr.zoreil.com>
--
Ueimor
* Re: [PATCH] epic100: fix use after free on rmmod
2022-06-23 9:22 ` Francois Romieu
@ 2022-06-24 18:41 ` Jakub Kicinski
2022-06-26 4:45 ` Tong Zhang
2022-06-27 4:33 ` [PATCH v2] " Tong Zhang
0 siblings, 2 replies; 8+ messages in thread
From: Jakub Kicinski @ 2022-06-24 18:41 UTC (permalink / raw)
To: Francois Romieu
Cc: Tong Zhang, David S. Miller, Eric Dumazet, Paolo Abeni,
Florian Fainelli, Arnd Bergmann, Jason Gunthorpe, Jeff Kirsher,
netdev, linux-kernel, Yilun Wu
On Thu, 23 Jun 2022 11:22:28 +0200 Francois Romieu wrote:
> Tong Zhang <ztong0001@gmail.com> :
> > epic_close() calls epic_rx() and uses dma buffer, but in epic_remove_one()
> > we already freed the dma buffer. To fix this issue, reorder function calls
> > like in the .probe function.
> >
> > BUG: KASAN: use-after-free in epic_rx+0xa6/0x7e0 [epic100]
> > Call Trace:
> > epic_rx+0xa6/0x7e0 [epic100]
> > epic_close+0xec/0x2f0 [epic100]
> > unregister_netdev+0x18/0x20
> > epic_remove_one+0xaa/0xf0 [epic100]
> >
> > Fixes: ae150435b59e ("smsc: Move the SMC (SMSC) drivers")
> > Reported-by: Yilun Wu <yiluwu@cs.stonybrook.edu>
> > Signed-off-by: Tong Zhang <ztong0001@gmail.com>
>
> The "Fixes:" tag is a bit misleading: this code path predates the move
> by several years. Ignoring pci_* vs dma_* API changes, this is pre-2005
> material.
Yeah, please find the correct Fixes tag.
> Reviewed-by: Francois Romieu <romieu@fr.zoreil.com>
Keep Francois' tag when reposting.
* Re: [PATCH] epic100: fix use after free on rmmod
2022-06-24 18:41 ` Jakub Kicinski
@ 2022-06-26 4:45 ` Tong Zhang
2022-06-26 15:07 ` Francois Romieu
2022-06-27 4:33 ` [PATCH v2] " Tong Zhang
1 sibling, 1 reply; 8+ messages in thread
From: Tong Zhang @ 2022-06-26 4:45 UTC (permalink / raw)
To: Jakub Kicinski
Cc: Francois Romieu, David S. Miller, Eric Dumazet, Paolo Abeni,
Florian Fainelli, Arnd Bergmann, Jason Gunthorpe, Jeff Kirsher,
Netdev, open list, Yilun Wu
On Fri, Jun 24, 2022 at 11:41 AM Jakub Kicinski <kuba@kernel.org> wrote:
>
> On Thu, 23 Jun 2022 11:22:28 +0200 Francois Romieu wrote:
> > Tong Zhang <ztong0001@gmail.com> :
> > > epic_close() calls epic_rx() and uses dma buffer, but in epic_remove_one()
> > > we already freed the dma buffer. To fix this issue, reorder function calls
> > > like in the .probe function.
> > >
> > > BUG: KASAN: use-after-free in epic_rx+0xa6/0x7e0 [epic100]
> > > Call Trace:
> > > epic_rx+0xa6/0x7e0 [epic100]
> > > epic_close+0xec/0x2f0 [epic100]
> > > unregister_netdev+0x18/0x20
> > > epic_remove_one+0xaa/0xf0 [epic100]
> > >
> > > Fixes: ae150435b59e ("smsc: Move the SMC (SMSC) drivers")
> > > Reported-by: Yilun Wu <yiluwu@cs.stonybrook.edu>
> > > Signed-off-by: Tong Zhang <ztong0001@gmail.com>
> >
> > The "Fixes:" tag is a bit misleading: this code path predates the move
> > by several years. Ignoring pci_* vs dma_* API changes, this is pre-2005
> > material.
>
> Yeah, please find the correct Fixes tag.
>
> > Reviewed-by: Francois Romieu <romieu@fr.zoreil.com>
>
> Keep Francois' tag when reposting.
Looks like drivers/net/ethernet/smsc/epic100.c is renamed from
drivers/net/epic100.c and this bug has been around since the very
initial commit. What would you suggest?
Remove the fix tag or use
Fix: 1da177e4c3f4 ("Linux-2.6.12-rc2")
* Re: [PATCH] epic100: fix use after free on rmmod
2022-06-26 4:45 ` Tong Zhang
@ 2022-06-26 15:07 ` Francois Romieu
2022-06-27 4:35 ` Tong Zhang
0 siblings, 1 reply; 8+ messages in thread
From: Francois Romieu @ 2022-06-26 15:07 UTC (permalink / raw)
To: Tong Zhang
Cc: Jakub Kicinski, David S. Miller, Eric Dumazet, Paolo Abeni,
Florian Fainelli, Arnd Bergmann, Jason Gunthorpe, Jeff Kirsher,
Netdev, open list, Yilun Wu
Tong Zhang <ztong0001@gmail.com> :
[...]
> Looks like drivers/net/ethernet/smsc/epic100.c is renamed from
> drivers/net/epic100.c and this bug has been around since the very
> initial commit.
> What would you suggest? Remove the fix tag or use
> Fix: 1da177e4c3f4 ("Linux-2.6.12-rc2")
'Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")' has already been signed-by or
directly used by maintainers, including netdev ones. See:
$ git log --grep='^Fixes: 1da177e4c3f4'
The patch will require some change for pre-5.9 stable kernels due to
63692803899b563f94bf1b4f821b574eb74316ae "epic100: switch from 'pci_' to 'dma_' API".
--
Ueimor
* [PATCH v2] epic100: fix use after free on rmmod
2022-06-24 18:41 ` Jakub Kicinski
2022-06-26 4:45 ` Tong Zhang
@ 2022-06-27 4:33 ` Tong Zhang
2022-06-28 5:00 ` patchwork-bot+netdevbpf
1 sibling, 1 reply; 8+ messages in thread
From: Tong Zhang @ 2022-06-27 4:33 UTC (permalink / raw)
To: David S. Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni,
Florian Fainelli, Tong Zhang, Jason Gunthorpe, Arnd Bergmann,
netdev, linux-kernel
Cc: Yilun Wu, Francois Romieu
epic_close() calls epic_rx() and uses dma buffer, but in epic_remove_one()
we already freed the dma buffer. To fix this issue, reorder function calls
like in the .probe function.
BUG: KASAN: use-after-free in epic_rx+0xa6/0x7e0 [epic100]
Call Trace:
epic_rx+0xa6/0x7e0 [epic100]
epic_close+0xec/0x2f0 [epic100]
unregister_netdev+0x18/0x20
epic_remove_one+0xaa/0xf0 [epic100]
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: Yilun Wu <yiluwu@cs.stonybrook.edu>
Signed-off-by: Tong Zhang <ztong0001@gmail.com>
Reviewed-by: Francois Romieu <romieu@fr.zoreil.com>
---
v2: amend fix tag
drivers/net/ethernet/smsc/epic100.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/smsc/epic100.c b/drivers/net/ethernet/smsc/epic100.c
index a0654e88444c..0329caf63279 100644
--- a/drivers/net/ethernet/smsc/epic100.c
+++ b/drivers/net/ethernet/smsc/epic100.c
@@ -1515,14 +1515,14 @@ static void epic_remove_one(struct pci_dev *pdev)
struct net_device *dev = pci_get_drvdata(pdev);
struct epic_private *ep = netdev_priv(dev);
+ unregister_netdev(dev);
dma_free_coherent(&pdev->dev, TX_TOTAL_SIZE, ep->tx_ring,
ep->tx_ring_dma);
dma_free_coherent(&pdev->dev, RX_TOTAL_SIZE, ep->rx_ring,
ep->rx_ring_dma);
- unregister_netdev(dev);
pci_iounmap(pdev, ep->ioaddr);
- pci_release_regions(pdev);
free_netdev(dev);
+ pci_release_regions(pdev);
pci_disable_device(pdev);
/* pci_power_off(pdev, -1); */
}
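Review bot: with the Fixes tag now pointing at 1da177e4c3f4, every stable tree will try to pick this up, but the unchanged context lines in this hunk (dma_free_coherent(&pdev->dev, ...)) only exist since 63692803899b ("epic100: switch from 'pci_' to 'dma_' API"); on pre-5.9 trees those two calls are the pci_* equivalents, so the hunk will not apply cleanly there. Add a line under the --- cut saying that a manual backport is needed for those trees, as Francois pointed out, so the stable maintainers do not simply drop the patch when the automated apply fails. The code change itself is unchanged from v1 and still looks correct.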
--
2.25.1
* Re: [PATCH] epic100: fix use after free on rmmod
2022-06-26 15:07 ` Francois Romieu
@ 2022-06-27 4:35 ` Tong Zhang
0 siblings, 0 replies; 8+ messages in thread
From: Tong Zhang @ 2022-06-27 4:35 UTC (permalink / raw)
To: Francois Romieu
Cc: Jakub Kicinski, David S. Miller, Eric Dumazet, Paolo Abeni,
Florian Fainelli, Arnd Bergmann, Jason Gunthorpe, Jeff Kirsher,
Netdev, open list, Yilun Wu
On Sun, Jun 26, 2022 at 8:07 AM Francois Romieu <romieu@fr.zoreil.com> wrote:
>
> Tong Zhang <ztong0001@gmail.com> :
> [...]
> > Looks like drivers/net/ethernet/smsc/epic100.c is renamed from
> > drivers/net/epic100.c and this bug has been around since the very
> > initial commit.
> > What would you suggest? Remove the fix tag or use
> > Fix: 1da177e4c3f4 ("Linux-2.6.12-rc2")
>
> 'Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")' has already been signed-by or
> directly used by maintainers, including netdev ones. See:
>
> $ git log --grep='^Fixes: 1da177e4c3f4'
>
> The patch will require some change for pre-5.9 stable kernels due to
> 63692803899b563f94bf1b4f821b574eb74316ae "epic100: switch from 'pci_' to 'dma_' API".
>
> --
> Ueimor
Thanks! I amended the fix tag and sent it as v2.
- Tong
* Re: [PATCH v2] epic100: fix use after free on rmmod
2022-06-27 4:33 ` [PATCH v2] " Tong Zhang
@ 2022-06-28 5:00 ` patchwork-bot+netdevbpf
0 siblings, 0 replies; 8+ messages in thread
From: patchwork-bot+netdevbpf @ 2022-06-28 5:00 UTC (permalink / raw)
To: Tong Zhang
Cc: davem, edumazet, kuba, pabeni, f.fainelli, jgg, arnd, netdev,
linux-kernel, yiluwu, romieu
Hello:
This patch was applied to netdev/net.git (master)
by Jakub Kicinski <kuba@kernel.org>:
On Sun, 26 Jun 2022 21:33:48 -0700 you wrote:
> epic_close() calls epic_rx() and uses dma buffer, but in epic_remove_one()
> we already freed the dma buffer. To fix this issue, reorder function calls
> like in the .probe function.
>
> BUG: KASAN: use-after-free in epic_rx+0xa6/0x7e0 [epic100]
> Call Trace:
> epic_rx+0xa6/0x7e0 [epic100]
> epic_close+0xec/0x2f0 [epic100]
> unregister_netdev+0x18/0x20
> epic_remove_one+0xaa/0xf0 [epic100]
>
> [...]
Here is the summary with links:
- [v2] epic100: fix use after free on rmmod
https://git.kernel.org/netdev/net/c/8ee9d82cd0a4
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html