* [PATCH net] [v2] sfc: fix a double-free bug in efx_probe_filters
From: Zhipeng Lu @ 2023-12-22 15:49 UTC
To: alexious
Cc: Simon Horman, Edward Cree, Martin Habets, David S. Miller,
Eric Dumazet, Jakub Kicinski, Paolo Abeni, netdev,
linux-net-drivers, linux-kernel
In efx_probe_filters, the channel->rps_flow_id is freed in an
efx_for_each_channel macro when success equals 0.
However, after the following call chain:
ef100_net_open
|-> efx_probe_filters
|-> ef100_net_stop
|-> efx_remove_filters
The channel->rps_flow_id is freed again in the efx_for_each_channel of
efx_remove_filters, triggering a double-free bug.
---
Changelog:
v2: Correct the call-chain description in commit message and change
patch subject.
Fixes: a9dc3d5612ce ("sfc_ef100: RX filter table management and related gubbins")
Signed-off-by: Zhipeng Lu <alexious@zju.edu.cn>
Reviewed-by: Simon Horman <horms@kernel.org>
Reviewed-by: Edward Cree <ecree.xilinx@gmail.com>
---
drivers/net/ethernet/sfc/rx_common.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/sfc/rx_common.c b/drivers/net/ethernet/sfc/rx_common.c
index d2f35ee15eff..fac227d372db 100644
--- a/drivers/net/ethernet/sfc/rx_common.c
+++ b/drivers/net/ethernet/sfc/rx_common.c
@@ -823,8 +823,10 @@ int efx_probe_filters(struct efx_nic *efx)
}
if (!success) {
- efx_for_each_channel(channel, efx)
+ efx_for_each_channel(channel, efx) {
kfree(channel->rps_flow_id);
+ channel->rps_flow_id = NULL;
+ }
efx->type->filter_table_remove(efx);
rc = -ENOMEM;
goto out_unlock;
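Review bot: The `channel->rps_flow_id = NULL;` added inside the `if (!success)` loop carries the whole fix, yet nothing in the code says why it is there. A one-line comment above the loop, noting that efx_remove_filters frees the same pointer again on the stop path and relies on kfree(NULL) being a no-op, would stop a later cleanup from dropping the assignment as redundant.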
--
2.34.1
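The failure sequence from the commit message, as an added user-space model (not the sfc driver's code and not part of the original post). The names `pool`, `model_kfree`, `model_probe_filters` and `run_open_failure`, the channel count and the failing channel index are all assumptions made for the illustration; a fixed pool replaces the kernel allocator so a repeated free can be counted safely.

```c
#include <stddef.h>
#define N_CHANNELS 4                     /* constructed channel count */

struct channel { unsigned int *rps_flow_id; };

static unsigned int pool[N_CHANNELS][8]; /* one backing slot per channel */
static int live[N_CHANNELS], double_frees;

/* Stand-in for kfree(): NULL is a no-op; a slot that is no longer live
 * was already freed once, so the call is counted as a double free. */
static void model_kfree(unsigned int *p)
{
    for (int i = 0; p && i < N_CHANNELS; i++)
        if (p == pool[i]) {
            double_frees += !live[i];
            live[i] = 0;
        }
}

/* Model of the probe error path; `clear` selects the patched behaviour. */
static int model_probe_filters(struct channel *ch, int fail_at, int clear)
{
    int success = 1;
    for (int i = 0; i < N_CHANNELS; i++) {
        live[i] = (i != fail_at);        /* one allocation fails */
        ch[i].rps_flow_id = live[i] ? pool[i] : NULL;
        success &= live[i];
    }
    if (success)
        return 0;
    for (int i = 0; i < N_CHANNELS; i++) {
        model_kfree(ch[i].rps_flow_id);
        if (clear)
            ch[i].rps_flow_id = NULL;    /* the line the patch adds */
    }
    return -1;                           /* stands in for -ENOMEM */
}

/* open -> probe fails -> stop -> remove; returns the double frees seen. */
int run_open_failure(int clear)
{
    struct channel ch[N_CHANNELS] = { { NULL } };
    double_frees = 0;
    if (model_probe_filters(ch, 2, clear) < 0)
        for (int i = 0; i < N_CHANNELS; i++)  /* free loop of the remove path */
            model_kfree(ch[i].rps_flow_id);
    return double_frees;
}

int main(void) { return run_open_failure(1); }
```

With the pointer left dangling, every channel whose allocation succeeded is freed twice; with the reset, the second loop only ever sees NULL.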
* Re: [PATCH net] [v2] sfc: fix a double-free bug in efx_probe_filters
From: Simon Horman @ 2023-12-24 15:51 UTC
To: Zhipeng Lu
Cc: Edward Cree, Martin Habets, David S. Miller, Eric Dumazet,
Jakub Kicinski, Paolo Abeni, netdev, linux-net-drivers,
linux-kernel
On Fri, Dec 22, 2023 at 11:49:52PM +0800, Zhipeng Lu wrote:
> In efx_probe_filters, the channel->rps_flow_id is freed in an
> efx_for_each_channel macro when success equals 0.
> However, after the following call chain:
>
> ef100_net_open
> |-> efx_probe_filters
> |-> ef100_net_stop
> |-> efx_remove_filters
>
> The channel->rps_flow_id is freed again in the efx_for_each_channel of
> efx_remove_filters, triggering a double-free bug.
> ---
Everything below the line above (---) will be omitted from the commit
message when the patch is applied.
> Changelog:
>
> v2: Correct the call-chain description in commit message and change
> patch subject.
>
> Fixes: a9dc3d5612ce ("sfc_ef100: RX filter table management and related gubbins")
> Signed-off-by: Zhipeng Lu <alexious@zju.edu.cn>
> Reviewed-by: Simon Horman <horms@kernel.org>
> Reviewed-by: Edward Cree <ecree.xilinx@gmail.com>
Hi Zhipeng Lu,
I think that your Signed-off-by should go last when you post a patch.
And the Changelog should go below the (first set of) scissors (---).
> ---
> drivers/net/ethernet/sfc/rx_common.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
With the above in mind, I think you want something like:
In efx_probe_filters, the channel->rps_flow_id is freed in an
efx_for_each_channel macro when success equals 0.
However, after the following call chain:
ef100_net_open
|-> efx_probe_filters
|-> ef100_net_stop
|-> efx_remove_filters
The channel->rps_flow_id is freed again in the efx_for_each_channel of
efx_remove_filters, triggering a double-free bug.
Fixes: a9dc3d5612ce ("sfc_ef100: RX filter table management and related gubbins")
Reviewed-by: Simon Horman <horms@kernel.org>
Reviewed-by: Edward Cree <ecree.xilinx@gmail.com>
Signed-off-by: Zhipeng Lu <alexious@zju.edu.cn>
---
Changelog:
v2: Correct the call-chain description in commit message and change
patch subject.
---
drivers/net/ethernet/sfc/rx_common.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--
pw-bot: changes-requested
* [PATCH net] [v2] sfc: fix a double-free bug in efx_probe_filters
From: Zhipeng Lu @ 2023-12-25 11:29 UTC
To: alexious
Cc: Simon Horman, Edward Cree, Martin Habets, David S. Miller,
Eric Dumazet, Jakub Kicinski, Paolo Abeni, netdev,
linux-net-drivers, linux-kernel
In efx_probe_filters, the channel->rps_flow_id is freed in an
efx_for_each_channel macro when success equals 0.
However, after the following call chain:
ef100_net_open
|-> efx_probe_filters
|-> ef100_net_stop
|-> efx_remove_filters
The channel->rps_flow_id is freed again in the efx_for_each_channel of
efx_remove_filters, triggering a double-free bug.
Fixes: a9dc3d5612ce ("sfc_ef100: RX filter table management and related gubbins")
Reviewed-by: Simon Horman <horms@kernel.org>
Reviewed-by: Edward Cree <ecree.xilinx@gmail.com>
Signed-off-by: Zhipeng Lu <alexious@zju.edu.cn>
---
Changelog:
v2: Correct the call-chain description in commit message and change
patch subject.
---
drivers/net/ethernet/sfc/rx_common.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/sfc/rx_common.c b/drivers/net/ethernet/sfc/rx_common.c
index d2f35ee15eff..fac227d372db 100644
--- a/drivers/net/ethernet/sfc/rx_common.c
+++ b/drivers/net/ethernet/sfc/rx_common.c
@@ -823,8 +823,10 @@ int efx_probe_filters(struct efx_nic *efx)
}
if (!success) {
- efx_for_each_channel(channel, efx)
+ efx_for_each_channel(channel, efx) {
kfree(channel->rps_flow_id);
+ channel->rps_flow_id = NULL;
+ }
efx->type->filter_table_remove(efx);
rc = -ENOMEM;
goto out_unlock;
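Review bot: The free-and-clear pair in the `if (!success)` branch is open-coded, while the commit message says efx_remove_filters walks the same channels with its own kfree, and that loop is not visible in this hunk. It is worth confirming that it also resets `channel->rps_flow_id` after freeing, or moving both loops into one small helper, so the two paths cannot drift apart again.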
--
2.34.1
* Re: [PATCH net] [v2] sfc: fix a double-free bug in efx_probe_filters
From: patchwork-bot+netdevbpf @ 2024-01-03 0:10 UTC
To: Zhipeng Lu
Cc: horms, ecree.xilinx, habetsm.xilinx, davem, edumazet, kuba,
pabeni, netdev, linux-net-drivers, linux-kernel
Hello:
This patch was applied to netdev/net.git (main)
by Jakub Kicinski <kuba@kernel.org>:
On Mon, 25 Dec 2023 19:29:14 +0800 you wrote:
> In efx_probe_filters, the channel->rps_flow_id is freed in an
> efx_for_each_channel macro when success equals 0.
> However, after the following call chain:
>
> ef100_net_open
> |-> efx_probe_filters
> |-> ef100_net_stop
> |-> efx_remove_filters
>
> [...]
Here is the summary with links:
- [net,v2] sfc: fix a double-free bug in efx_probe_filters
https://git.kernel.org/netdev/net/c/d5a306aedba3
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html