evie/android_kernel_oneplus_msm8998
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
android_kernel_oneplus_msm8998/drivers/net
History
Eugeniu Rosca 53ae0c2ffe ravb: Fix use-after-free on ifconfig eth0 down 
[ Upstream commit 79514ef670e9e575a1fe36922268c439d0f0ca8a ]

Commit a47b70ea86bd ("ravb: unmap descriptors when freeing rings") has
introduced the issue seen in [1] reproduced on H3ULCB board.

Fix this by relocating the RX skb ringbuffer free operation, so that
swiotlb page unmapping can be done first. Freeing of aligned TX buffers
is not relevant to the issue seen in [1]. Still, reposition TX free
calls as well, to have all kfree() operations performed consistently
_after_ dma_unmap_*()/dma_free_*().

[1] Console screenshot with the problem reproduced:

salvator-x login: root
root@salvator-x:~# ifconfig eth0 up
Micrel KSZ9031 Gigabit PHY e6800000.ethernet-ffffffff:00: \
       attached PHY driver [Micrel KSZ9031 Gigabit PHY]   \
       (mii_bus:phy_addr=e6800000.ethernet-ffffffff:00, irq=235)
IPv6: ADDRCONF(NETDEV_UP): eth0: link is not ready
root@salvator-x:~#
root@salvator-x:~# ifconfig eth0 down

==================================================================
BUG: KASAN: use-after-free in swiotlb_tbl_unmap_single+0xc4/0x35c
Write of size 1538 at addr ffff8006d884f780 by task ifconfig/1649

CPU: 0 PID: 1649 Comm: ifconfig Not tainted 4.12.0-rc4-00004-g112eb07287d1 #32
Hardware name: Renesas H3ULCB board based on r8a7795 (DT)
Call trace:
[<ffff20000808f11c>] dump_backtrace+0x0/0x3a4
[<ffff20000808f4d4>] show_stack+0x14/0x1c
[<ffff20000865970c>] dump_stack+0xf8/0x150
[<ffff20000831f8b0>] print_address_description+0x7c/0x330
[<ffff200008320010>] kasan_report+0x2e0/0x2f4
[<ffff20000831eac0>] check_memory_region+0x20/0x14c
[<ffff20000831f054>] memcpy+0x48/0x68
[<ffff20000869ed50>] swiotlb_tbl_unmap_single+0xc4/0x35c
[<ffff20000869fcf4>] unmap_single+0x90/0xa4
[<ffff20000869fd14>] swiotlb_unmap_page+0xc/0x14
[<ffff2000080a2974>] __swiotlb_unmap_page+0xcc/0xe4
[<ffff2000088acdb8>] ravb_ring_free+0x514/0x870
[<ffff2000088b25dc>] ravb_close+0x288/0x36c
[<ffff200008aaf8c4>] __dev_close_many+0x14c/0x174
[<ffff200008aaf9b4>] __dev_close+0xc8/0x144
[<ffff200008ac2100>] __dev_change_flags+0xd8/0x194
[<ffff200008ac221c>] dev_change_flags+0x60/0xb0
[<ffff200008ba2dec>] devinet_ioctl+0x484/0x9d4
[<ffff200008ba7b78>] inet_ioctl+0x190/0x194
[<ffff200008a78c44>] sock_do_ioctl+0x78/0xa8
[<ffff200008a7a128>] sock_ioctl+0x110/0x3c4
[<ffff200008365a70>] vfs_ioctl+0x90/0xa0
[<ffff200008365dbc>] do_vfs_ioctl+0x148/0xc38
[<ffff2000083668f0>] SyS_ioctl+0x44/0x74
[<ffff200008083770>] el0_svc_naked+0x24/0x28

The buggy address belongs to the page:
page:ffff7e001b6213c0 count:0 mapcount:0 mapping:          (null) index:0x0
flags: 0x4000000000000000()
raw: 4000000000000000 0000000000000000 0000000000000000 00000000ffffffff
raw: 0000000000000000 ffff7e001b6213e0 0000000000000000 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8006d884f680: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8006d884f700: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff8006d884f780: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                   ^
 ffff8006d884f800: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8006d884f880: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
Disabling lock debugging due to kernel taint
root@salvator-x:~#

Fixes: a47b70ea86bd ("ravb: unmap descriptors when freeing rings")
Signed-off-by: Eugeniu Rosca <erosca@de.adit-jv.com>
Acked-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-07-05 14:37:21 +02:00
..
appletalk
arcnet arcnet/com20020: add LEDS_CLASS dependency 2015-11-03 11:29:56 -05:00
bonding bonding: Fix bonding crash 2016-09-30 10:18:36 +02:00
caif net: caif: check return value of alloc_netdev 2015-11-09 11:31:13 -05:00
can can: gs_usb: fix memory leak in gs_cmd_reset() 2017-06-26 07:13:08 +02:00
cris
dsa net: dsa: bcm_sf2: Ensure we re-negotiate EEE during after link change 2016-12-10 19:07:23 +01:00
ethernet ravb: Fix use-after-free on ifconfig eth0 down 2017-07-05 14:37:21 +02:00
fddi
fjes fjes: fix inconsistent indenting 2015-11-15 17:09:23 -05:00
hamradio NET: mkiss: Fix panic 2017-06-17 06:39:35 +02:00
hippi
hyperv hv_netvsc: use skb_get_hash() instead of a homegrown implementation 2017-03-26 12:13:18 +02:00
ieee802154 fakelb: fix schedule while atomic 2017-03-15 09:57:15 +08:00
ipvlan ipvlan: fix use after free of skb 2015-11-17 14:39:29 -05:00
irda net: irda: irda-usb: fix firmware name on big-endian hosts 2017-05-25 14:30:12 +02:00
phy net: phy: fix marvell phy status reading 2017-06-29 12:48:53 +02:00
plip
ppp ppp: defer netns reference release for ppp channel 2017-01-06 11:16:17 +01:00
slip ppp, slip: Validate VJ compression slot parameters completely 2015-11-02 16:25:00 -05:00
team team: don't call netdev_change_features under team->lock 2016-06-24 10:18:17 -07:00
usb r8152: avoid start_xmit to schedule napi when napi is disabled 2017-06-17 06:39:38 +02:00
vmxnet3 Driver: Vmxnet3: Fix regression caused by 5738a09 2016-01-06 16:20:13 -05:00
wan farsync: fix off-by-one bug in fst_add_one 2016-04-20 15:42:03 +09:00
wimax
wireless ath9k_htc: fix NULL-deref at probe 2017-05-25 14:30:09 +02:00
xen-netback xen: bug fixes for 4.4-rc5 2015-12-18 12:24:52 -08:00
dummy.c net: dummy: add more features 2015-10-21 19:36:10 -07:00
eql.c
geneve.c geneve: avoid use-after-free of skb->data 2016-12-10 19:07:24 +01:00
ifb.c
Kconfig net: Add IPv6 support to VRF device 2015-10-13 04:55:07 -07:00
LICENSE.SRC
loopback.c net: introduce device min_header_len 2017-02-18 16:39:27 +01:00
macvlan.c macvlan: Fix device ref leak when purging bc_queue 2017-05-02 21:19:54 -07:00
macvtap.c macvtap: read vnet_hdr_size once 2017-02-18 16:39:27 +01:00
Makefile
mdio.c
mii.c
netconsole.c netconsole: use per-attribute show and store methods 2015-10-13 22:17:51 -07:00
nlmon.c
ntb_netdev.c
rionet.c rapidio/rionet: fix deadlock on SMP 2016-04-12 09:08:58 -07:00
sb1000.c
Space.c
sungem_phy.c
tun.c tun: read vnet_hdr_sz once 2017-02-18 16:39:27 +01:00
veth.c veth: don’t modify ip_summed; doing so treats packets with bad checksums as good. 2015-12-22 15:15:34 -05:00
virtio_net.c virtio_net: fix PAGE_SIZE > 64k 2017-07-05 14:37:19 +02:00
vrf.c vrf: Fix use-after-free in vrf_xmit 2017-03-22 12:04:16 +01:00
vxlan.c vxlan: do not age static remote mac entries 2017-07-05 14:37:19 +02:00
xen-netfront.c xen-netfront: Fix Rx stall during network stress and OOM 2017-07-05 14:37:18 +02:00