1 From 60290613a73c6df50da06338a383957342a814ce Mon Sep 17 00:00:00 2001
2 From: Yonglong Liu <liuyonglong@huawei.com>
3 Date: Fri, 4 Jan 2019 20:18:11 +0800
4 Subject: net: hns: Fix use after free identified by SLUB debug
6 [ Upstream commit bb989501abcafa0de5f18b0ec0ec459b5b817908 ]
8 When enable SLUB debug, than remove hns_enet_drv module, SLUB debug will
9 identify a use after free bug:
11 [134.189505] Unable to handle kernel paging request at virtual address
13 [134.197553] Mem abort info:
14 [134.200381] ESR = 0x96000004
15 [134.203487] Exception class = DABT (current EL), IL = 32 bits
16 [134.209497] SET = 0, FnV = 0
17 [134.212596] EA = 0, S1PTW = 0
18 [134.215777] Data abort info:
19 [134.218701] ISV = 0, ISS = 0x00000004
20 [134.222596] CM = 0, WnR = 0
21 [134.225606] [006b6b6b6b6b6b6b] address between user and kernel address ranges
22 [134.232851] Internal error: Oops: 96000004 [#1] SMP
23 [134.237798] CPU: 21 PID: 27834 Comm: rmmod Kdump: loaded Tainted: G
24 OE 4.19.5-1.2.34.aarch64 #1
25 [134.247856] Hardware name: Huawei TaiShan 2280 /BC11SPCD, BIOS 1.58 10/24/2018
26 [134.255181] pstate: 20000005 (nzCv daif -PAN -UAO)
27 [134.260044] pc : hns_ae_put_handle+0x38/0x60
28 [134.264372] lr : hns_ae_put_handle+0x24/0x60
29 [134.268700] sp : ffff00001be93c50
30 [134.272054] x29: ffff00001be93c50 x28: ffff802faaec8040
31 [134.277442] x27: 0000000000000000 x26: 0000000000000000
32 [134.282830] x25: 0000000056000000 x24: 0000000000000015
33 [134.288284] x23: ffff0000096fe098 x22: ffff000001050070
34 [134.293671] x21: ffff801fb3c044a0 x20: ffff80afb75ec098
35 [134.303287] x19: ffff80afb75ec098 x18: 0000000000000000
36 [134.312945] x17: 0000000000000000 x16: 0000000000000000
37 [134.322517] x15: 0000000000000002 x14: 0000000000000000
38 [134.332030] x13: dead000000000100 x12: ffff7e02bea3c988
39 [134.341487] x11: ffff80affbee9e68 x10: 0000000000000000
40 [134.351033] x9 : 6fffff8000008101 x8 : 0000000000000000
41 [134.360569] x7 : dead000000000100 x6 : ffff000009579748
42 [134.370059] x5 : 0000000000210d00 x4 : 0000000000000000
43 [134.379550] x3 : 0000000000000001 x2 : 0000000000000000
44 [134.388813] x1 : 6b6b6b6b6b6b6b6b x0 : 0000000000000000
45 [134.397993] Process rmmod (pid: 27834, stack limit = 0x00000000d474b7fd)
46 [134.408498] Call trace:
47 [134.414611] hns_ae_put_handle+0x38/0x60
48 [134.422208] hnae_put_handle+0xd4/0x108
49 [134.429563] hns_nic_dev_remove+0x60/0xc0 [hns_enet_drv]
50 [134.438342] platform_drv_remove+0x2c/0x70
51 [134.445958] device_release_driver_internal+0x174/0x208
52 [134.454810] driver_detach+0x70/0xd8
53 [134.461913] bus_remove_driver+0x64/0xe8
54 [134.469396] driver_unregister+0x34/0x60
55 [134.476822] platform_driver_unregister+0x20/0x30
56 [134.485130] hns_nic_dev_driver_exit+0x14/0x6e4 [hns_enet_drv]
57 [134.494634] __arm64_sys_delete_module+0x238/0x290
59 struct hnae_handle is a member of struct hnae_vf_cb, so when vf_cb is
60 freed, than use hnae_handle will cause use after free panic.
62 This patch frees vf_cb after hnae_handle used.
64 Signed-off-by: Yonglong Liu <liuyonglong@huawei.com>
65 Signed-off-by: Huazhong Tan <tanhuazhong@huawei.com>
66 Signed-off-by: David S. Miller <davem@davemloft.net>
67 Signed-off-by: Sasha Levin <sashal@kernel.org>
69 drivers/net/ethernet/hisilicon/hns/hns_ae_adapt.c | 6 ++----
70 1 file changed, 2 insertions(+), 4 deletions(-)
72 diff --git a/drivers/net/ethernet/hisilicon/hns/hns_ae_adapt.c b/drivers/net/ethernet/hisilicon/hns/hns_ae_adapt.c
73 index 1a16c0307b475..bd36fbe81ad2a 100644
74 --- a/drivers/net/ethernet/hisilicon/hns/hns_ae_adapt.c
75 +++ b/drivers/net/ethernet/hisilicon/hns/hns_ae_adapt.c
76 @@ -188,12 +188,10 @@ static void hns_ae_put_handle(struct hnae_handle *handle)
77 struct hnae_vf_cb *vf_cb = hns_ae_get_vf_cb(handle);
80 - vf_cb->mac_cb = NULL;
84 for (i = 0; i < handle->q_num; i++)
85 hns_ae_get_ring_pair(handle->qs[i])->used_by_vf = 0;
90 static void hns_ae_ring_enable_all(struct hnae_handle *handle, int val)
projects / thirdparty / kernel / stable-queue.git / blob