From patchwork Fri May 14 00:31:04 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Vinicius Costa Gomes X-Patchwork-Id: 1478259 X-Patchwork-Delegate: anthony.l.nguyen@intel.com Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=osuosl.org (client-ip=140.211.166.136; helo=smtp3.osuosl.org; envelope-from=intel-wired-lan-bounces@osuosl.org; receiver=) Received: from smtp3.osuosl.org (smtp3.osuosl.org [140.211.166.136]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4Fh8bm0smmz9sWX for ; Fri, 14 May 2021 10:31:45 +1000 (AEST) Received: from localhost (localhost [127.0.0.1]) by smtp3.osuosl.org (Postfix) with ESMTP id CEB3160ABC; Fri, 14 May 2021 00:31:42 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org Received: from smtp3.osuosl.org ([127.0.0.1]) by localhost (smtp3.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pofiiRA9sjNn; Fri, 14 May 2021 00:31:42 +0000 (UTC) Received: from ash.osuosl.org (ash.osuosl.org [140.211.166.34]) by smtp3.osuosl.org (Postfix) with ESMTP id DFE5960AE1; Fri, 14 May 2021 00:31:41 +0000 (UTC) X-Original-To: intel-wired-lan@lists.osuosl.org Delivered-To: intel-wired-lan@lists.osuosl.org Received: from smtp4.osuosl.org (smtp4.osuosl.org [140.211.166.137]) by ash.osuosl.org (Postfix) with ESMTP id 0E6191C11A9 for ; Fri, 14 May 2021 00:31:40 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by smtp4.osuosl.org (Postfix) with ESMTP id EF867405E8 for ; Fri, 14 May 2021 00:31:39 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org Received: from smtp4.osuosl.org ([127.0.0.1]) by localhost (smtp4.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Nl6oxVPXGEd1 for ; Fri, 14 May 2021 00:31:39 +0000 (UTC) X-Greylist: domain auto-whitelisted by SQLgrey-1.8.0 Received: from mga11.intel.com (mga11.intel.com [192.55.52.93]) by smtp4.osuosl.org (Postfix) with ESMTPS id 12830405AD for ; Fri, 14 May 2021 00:31:38 +0000 (UTC) IronPort-SDR: QIG5dsRElHtG4NdCEqDFpV9/b2mtOn1+GgHVQPbBKcmwythOgHKjRHBjEqrpVTOyn4/TmrqoM+ Z02BGjgGv3Fg== X-IronPort-AV: E=McAfee;i="6200,9189,9983"; a="196998435" X-IronPort-AV: E=Sophos;i="5.82,298,1613462400"; d="scan'208";a="196998435" Received: from fmsmga003.fm.intel.com ([10.253.24.29]) by fmsmga102.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 13 May 2021 17:31:36 -0700 IronPort-SDR: vJOYf3eUmHxKlTBeyUdTOaPG3jMD+4mXKvZBxg0mFiveTNLY75jJYlrx6KpcPoBjVGtfR5eGkP PQCo9y3Ln0Ng== X-IronPort-AV: E=Sophos;i="5.82,298,1613462400"; d="scan'208";a="463531526" Received: from dlgersho-mobl3.amr.corp.intel.com (HELO localhost.localdomain) ([10.212.226.220]) by fmsmga003-auth.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 13 May 2021 17:31:35 -0700 From: Vinicius Costa Gomes To: intel-wired-lan@lists.osuosl.org Date: Thu, 13 May 2021 17:31:04 -0700 Message-Id: <20210514003104.1360697-2-vinicius.gomes@intel.com> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20210514003104.1360697-1-vinicius.gomes@intel.com> References: <20210514003104.1360697-1-vinicius.gomes@intel.com> MIME-Version: 1.0 Subject: [Intel-wired-lan] [PATCH net-queue v1 2/2] igb: Fix user-after-free error during reset X-BeenThere: intel-wired-lan@osuosl.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Intel Wired Ethernet Linux Kernel Driver Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: erez.geva.ext@siemens.com Errors-To: intel-wired-lan-bounces@osuosl.org Sender: "Intel-wired-lan" Cleans the next descriptor to watch (next_to_watch) when cleaning the TX ring. Failure to do so can cause invalid memory accesses. If igc_poll() runs while the controller is reset this can lead to the driver try to free a skb that was already freed. (The crash is harder to reproduce with the igb driver, but the same potential problem exists as the code is identical to igc) Fixes: 7cc6fd4c60f2 ("igb: Don't bother clearing Tx buffer_info in igb_clean_tx_ring") Signed-off-by: Vinicius Costa Gomes Reported-by: Erez Geva Tested-by: Tony Brelinski (A Contingent Worker at Intel) --- drivers/net/ethernet/intel/igb/igb_main.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c index fb3d69586db7..7d1b97f1deef 100644 --- a/drivers/net/ethernet/intel/igb/igb_main.c +++ b/drivers/net/ethernet/intel/igb/igb_main.c @@ -4841,6 +4841,8 @@ static void igb_clean_tx_ring(struct igb_ring *tx_ring) DMA_TO_DEVICE); } + tx_buffer->next_to_watch = NULL; + /* move us one more past the eop_desc for start of next pkt */ tx_buffer++; i++;