1. 28 9月, 2020 4 次提交
  2. 18 9月, 2020 3 次提交
  3. 07 7月, 2020 1 次提交
    • Y
      net: hns3: fix use-after-free when doing self test · a0665621
      Yonglong Liu 提交于
      Enable promisc mode of PF, set VF link state to enable, and
      run iperf of the VF, then do self test of the PF. The self test
      will fail with a low frequency, and may cause a use-after-free
      problem.
      
      [   87.142126] selftest:000004a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      [   87.159722] ==================================================================
      [   87.174187] BUG: KASAN: use-after-free in hex_dump_to_buffer+0x140/0x608
      [   87.187600] Read of size 1 at addr ffff003b22828000 by task ethtool/1186
      [   87.201012]
      [   87.203978] CPU: 7 PID: 1186 Comm: ethtool Not tainted 5.5.0-rc4-gfd51c473-dirty #4
      [   87.219306] Hardware name: Huawei TaiShan 2280 V2/BC82AMDA, BIOS TA BIOS 2280-A CS V2.B160.01 01/15/2020
      [   87.238292] Call trace:
      [   87.243173]  dump_backtrace+0x0/0x280
      [   87.250491]  show_stack+0x24/0x30
      [   87.257114]  dump_stack+0xe8/0x140
      [   87.263911]  print_address_description.isra.8+0x70/0x380
      [   87.274538]  __kasan_report+0x12c/0x230
      [   87.282203]  kasan_report+0xc/0x18
      [   87.288999]  __asan_load1+0x60/0x68
      [   87.295969]  hex_dump_to_buffer+0x140/0x608
      [   87.304332]  print_hex_dump+0x140/0x1e0
      [   87.312000]  hns3_lb_check_skb_data+0x168/0x170
      [   87.321060]  hns3_clean_rx_ring+0xa94/0xfe0
      [   87.329422]  hns3_self_test+0x708/0x8c0
      
      The length of packet sent by the selftest process is only
      128 + 14 bytes, and the min buffer size of a BD is 256 bytes,
      and the receive process will make sure the packet sent by
      the selftest process is in the linear part, so only check
      the linear part in hns3_lb_check_skb_data().
      
      So fix this use-after-free by using skb_headlen() to dump
      skb->data instead of skb->len.
      
      Fixes: c39c4d98 ("net: hns3: Add mac loopback selftest support in hns3 driver")
      Signed-off-by: NYonglong Liu <liuyonglong@huawei.com>
      Signed-off-by: NHuazhong Tan <tanhuazhong@huawei.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      a0665621
  4. 11 5月, 2020 1 次提交
  5. 30 4月, 2020 1 次提交
  6. 26 4月, 2020 1 次提交
  7. 22 4月, 2020 1 次提交
  8. 13 3月, 2020 1 次提交
  9. 20 2月, 2020 1 次提交
  10. 21 1月, 2020 1 次提交
  11. 17 11月, 2019 1 次提交
  12. 01 11月, 2019 1 次提交
  13. 22 10月, 2019 1 次提交
  14. 11 9月, 2019 2 次提交
  15. 06 9月, 2019 1 次提交
    • H
      net: hns3: fix double free bug when setting ringparam · 323a2ac5
      Huazhong Tan 提交于
      The system will panic when change the ringparam in HNS3 drivers:
      
      [ 1459.627727] hns3 0000:bd:00.0 eth6: Changing Tx/Rx ring ds from 1024/1024 to 24/24
      [ 1459.635766] hns3 0000:bd:00.0 eth6: link down
      [ 1459.640788] BUG: Bad page state in process ethtool  pfn:203f75c18
      [ 1459.646940] page:ffff7ee4ffd70600 refcount:0 mapcount:0 mapping:ffff993fff40f400 index:0x0 compound_mapcount: 0
      [ 1459.656987] flags: 0x9fffe00000010200(slab|head)
      [ 1459.661591] raw: 9fffe00000010200 dead000000000100 dead000000000122 ffff993fff40f400
      [ 1459.669302] raw: 0000000000000000 0000000080100010 00000000ffffffff 0000000000000000
      [ 1459.677016] page dumped because: PAGE_FLAGS_CHECK_AT_FREE flag(s) set
      [ 1459.683432] bad because of flags: 0x200(slab)
      [ 1459.687775] Modules linked in: ib_ipoib ib_umad rpcrdma ib_iser libiscsi scsi_transport_iscsi hns_roce_hw_v2 crct10dif_ce hns3 ses hclge hnae3 hisi_hpre hisi_zip qm uacce ip_tables x_tables hisi_sas_v3_hw hisi_sas_main libsas scsi_transport_sas
      [ 1459.709329] CPU: 14 PID: 17244 Comm: ethtool Tainted: G           O      5.3.0-rc4-00415-gc86f057 #1
      [ 1459.718419] Hardware name: Huawei TaiShan 2280 V2/BC82AMDC, BIOS 2280-V2 CS V3.B040.01 07/26/2019
      [ 1459.727248] Call trace:
      [ 1459.729688]  dump_backtrace+0x0/0x150
      [ 1459.733335]  show_stack+0x24/0x30
      [ 1459.736639]  dump_stack+0xa0/0xc4
      [ 1459.739943]  bad_page+0xf0/0x158
      [ 1459.743157]  free_pages_check_bad+0x84/0xa0
      [ 1459.747322]  __free_pages_ok+0x348/0x378
      [ 1459.751228]  page_frag_free+0x80/0x88
      [ 1459.754877]  skb_free_head+0x38/0x48
      [ 1459.758436]  skb_release_data+0x134/0x160
      [ 1459.762427]  skb_release_all+0x30/0x40
      [ 1459.766158]  consume_skb+0x38/0x108
      [ 1459.769633]  __dev_kfree_skb_any+0x58/0x68
      [ 1459.773718]  hns3_fini_ring+0x48/0x58 [hns3]
      [ 1459.777970]  hns3_set_ringparam+0x2a8/0x418 [hns3]
      [ 1459.782741]  dev_ethtool+0x5f4/0x2080
      [ 1459.786390]  dev_ioctl+0x190/0x3d8
      [ 1459.789777]  sock_do_ioctl+0xf8/0x220
      [ 1459.793423]  sock_ioctl+0x3bc/0x490
      [ 1459.796896]  do_vfs_ioctl+0xc4/0x868
      [ 1459.800454]  ksys_ioctl+0x8c/0xa0
      [ 1459.803752]  __arm64_sys_ioctl+0x28/0x38
      [ 1459.807658]  el0_svc_common.constprop.0+0xe0/0x1e0
      [ 1459.812426]  el0_svc_handler+0x34/0x90
      [ 1459.816158]  el0_svc+0x10/0x14
      [ 1459.819220] Disabling lock debugging due to kernel taint
      [ 1459.825182] ------------[ cut here ]------------
      
      Since ndo_stop will reclaim the RX's skb allocated by the driver,
      so the backed up ring parameter should not keep this info.
      
      Fixes: a723fb8e ("net: hns3: refine for set ring parameters")
      Signed-off-by: NHuazhong Tan <tanhuazhong@huawei.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      323a2ac5
  16. 30 8月, 2019 2 次提交
  17. 19 8月, 2019 3 次提交
  18. 10 8月, 2019 1 次提交
  19. 02 8月, 2019 1 次提交
  20. 29 7月, 2019 2 次提交
  21. 29 6月, 2019 1 次提交
  22. 26 6月, 2019 1 次提交
  23. 15 6月, 2019 1 次提交
  24. 10 6月, 2019 3 次提交
  25. 08 5月, 2019 2 次提交
  26. 04 5月, 2019 2 次提交