mirror of synced 2025-03-06 20:59:54 +01:00
linux/drivers/net/ethernet/netronome/nfp
Jialiang Wang 02e1a114fd nfp: fix use-after-free in area_cache_get()
area_cache_get() is used to distribute cache->area and set cache->id,
and if cache->id is not 0 and cache->area->kref refcount is 0, it will
release the cache->area by nfp_cpp_area_release(). area_cache_get()
sets cache->id before cpp->op->area_init() and nfp_cpp_area_acquire().

But if area_init() or nfp_cpp_area_acquire() fails, the cache->id is
already set but the refcount is not increased as expected. At this
time, calling nfp_cpp_area_release() will cause a use-after-free.

To avoid the use-after-free, set cache->id after area_init() and
nfp_cpp_area_acquire() complete successfully.

Note: This vulnerability is triggerable by providing an emulated device
equipped with a specified configuration.

 BUG: KASAN: use-after-free in nfp6000_area_init (drivers/net/ethernet/netronome/nfp/nfpcore/nfp6000_pcie.c:760)
  Write of size 4 at addr ffff888005b7f4a0 by task swapper/0/1

 Call Trace:
  <TASK>
 nfp6000_area_init (drivers/net/ethernet/netronome/nfp/nfpcore/nfp6000_pcie.c:760)
 area_cache_get.constprop.8 (drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c:884)

 Allocated by task 1:
 nfp_cpp_area_alloc_with_name (drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c:303)
 nfp_cpp_area_cache_add (drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c:802)
 nfp6000_init (drivers/net/ethernet/netronome/nfp/nfpcore/nfp6000_pcie.c:1230)
 nfp_cpp_from_operations (drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c:1215)
 nfp_pci_probe (drivers/net/ethernet/netronome/nfp/nfp_main.c:744)

 Freed by task 1:
 kfree (mm/slub.c:4562)
 area_cache_get.constprop.8 (drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c:873)
 nfp_cpp_read (drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c:924 drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c:973)
 nfp_cpp_readl (drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cpplib.c:48)

Signed-off-by: Jialiang Wang <wangjialiang0806@163.com>
Reviewed-by: Yinjun Zhang <yinjun.zhang@corigine.com>
Acked-by: Simon Horman <simon.horman@corigine.com>
Link: https://lore.kernel.org/r/20220810073057.4032-1-wangjialiang0806@163.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2022-08-11 09:02:26 -07:00
abm net: sched: Merge Qdisc::bstats and Qdisc::cpu_bstats data types 2021-10-18 12:54:41 +01:00
bpf nfp: bpf: Fix typo 'the the' in comment 2022-07-25 10:52:28 +01:00
crypto ipv6: Use ipv6_only_sock() helper in condition. 2022-04-22 12:47:50 +01:00
flower nfp: flower: add support for tunnel offload without key ID 2022-08-01 12:02:47 -07:00
nfd3 nfp: support TX VLAN ctag insert 2022-07-04 10:44:08 +01:00
nfdk Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2022-07-14 15:27:35 -07:00
nfpcore nfp: fix use-after-free in area_cache_get() 2022-08-11 09:02:26 -07:00
nic treewide: remove dummy Makefiles for single targets 2019-08-21 21:05:21 +09:00
ccm.c nfp: add support for sending control messages via mailbox 2019-06-06 14:13:39 -07:00
ccm.h nfp: tls: implement the stream sync RX resync 2019-12-19 17:46:51 -08:00
ccm_mbox.c net: netronome: nfp: Fix wrong function name in comments 2021-05-17 14:12:39 -07:00
devlink_param.c nfp: Move delink_register to be last command 2021-09-27 16:31:59 +01:00
Makefile nfp: add support for NFDK data path 2022-03-21 13:21:17 +00:00
nfp_abi.h nfp: replace long license headers with SPDX 2018-10-11 12:16:21 -07:00
nfp_app.c nfp: fix clang -Wformat warnings 2022-07-12 17:38:44 -07:00
nfp_app.h eth: nfp: replace driver's "pf" lock with devlink instance lock 2022-03-16 12:56:37 -07:00
nfp_app_nic.c nfp: replace long license headers with SPDX 2018-10-11 12:16:21 -07:00
nfp_asm.c nfp: bpf: silence bitwise vs. logical OR warning 2021-10-18 14:50:01 -07:00
nfp_asm.h nfp: replace long license headers with SPDX 2018-10-11 12:16:21 -07:00
nfp_devlink.c devlink: hold the instance lock during eswitch_mode callbacks 2022-03-21 14:11:38 +00:00
nfp_hwmon.c nfp: replace long license headers with SPDX 2018-10-11 12:16:21 -07:00
nfp_main.c nfp: fix clang -Wformat warnings 2022-07-12 17:38:44 -07:00
nfp_main.h eth: nfp: replace driver's "pf" lock with devlink instance lock 2022-03-16 12:56:37 -07:00
nfp_net.h nfp: support RX VLAN ctag/stag strip 2022-07-04 10:44:08 +01:00
nfp_net_common.c nfp: support TX VLAN ctag insert in NFDK 2022-07-12 18:09:57 -07:00
nfp_net_ctrl.c nfp: tls: implement the stream sync RX resync 2019-12-19 17:46:51 -08:00
nfp_net_ctrl.h nfp: support TX VLAN ctag insert 2022-07-04 10:44:08 +01:00
nfp_net_debugdump.c netronome: Replace zero-length array with flexible-array member 2020-02-24 15:26:17 -08:00
nfp_net_debugfs.c nfp: use TX ring pointer write back 2022-03-21 13:21:16 +00:00
nfp_net_dp.c nfp: support RX VLAN ctag/stag strip 2022-07-04 10:44:08 +01:00
nfp_net_dp.h nfp: support RX VLAN ctag/stag strip 2022-07-04 10:44:08 +01:00
nfp_net_ethtool.c nfp: ethtool: fix the display error of ethtool -m DEVNAME 2022-08-03 19:20:54 -07:00
nfp_net_main.c nfp: choose data path based on version 2022-03-21 13:21:17 +00:00
nfp_net_repr.c nfp: enable TSO by default for nfp netdev 2022-07-06 08:15:39 +01:00
nfp_net_repr.h netronome: Replace zero-length array with flexible-array member 2020-02-24 15:26:17 -08:00
nfp_net_sriov.c nfp: avoid unnecessary check warnings in nfp_app_get_vf_config 2022-06-09 22:02:38 -07:00
nfp_net_sriov.h nfp: VF rate limit support 2022-05-12 13:03:08 +02:00
nfp_net_xsk.c nfp: support 48-bit DMA addressing for NFP3800 2022-06-13 13:31:39 +01:00
nfp_net_xsk.h nfp: move the fast path code to separate files 2022-03-21 13:21:16 +00:00
nfp_netvf_main.c nfp: support Corigine PCIE vendor ID 2022-05-09 18:20:39 -07:00
nfp_port.c devlink: pass devlink_port to port_split / port_unsplit callbacks 2022-03-16 12:56:45 -07:00
nfp_port.h devlink: pass devlink_port to port_split / port_unsplit callbacks 2022-03-16 12:56:45 -07:00
nfp_shared_buf.c net: devlink: report cell size of shared buffers 2019-02-03 11:25:34 -08:00