From patchwork Fri Jun 18 10:52:23 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Esben Haabendal X-Patchwork-Id: 12331021 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-16.9 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER, INCLUDES_PATCH,MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED, USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 466F9C48BDF for ; Fri, 18 Jun 2021 10:54:15 +0000 (UTC) Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 1131F60FF0 for ; Fri, 18 Jun 2021 10:54:15 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 1131F60FF0 Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=geanix.com Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20210309; h=Sender: Content-Transfer-Encoding:Content-Type:List-Subscribe:List-Help:List-Post: List-Archive:List-Unsubscribe:List-Id:MIME-Version:Message-Id:Date:Subject:Cc :To:From:Reply-To:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References: List-Owner; bh=ilNjcHX+TISxxwVOninsJBuH9G2gArvEWlCXXyXnOGQ=; b=qJhvPqTrPT3Ccx 3MTTV6XxYbvlito6ChLBqTj7ViZIphYcSv6wL3zhAi6h2RMeDCfwZrBHZ0COKpMOoFN4UUzsDt6dT 8RngCfpbBr+PiUOSD+FnxQK2kapPeJGSgCLN7e4Sd7dKJiU1F9q333DkPFla6BcF7OW0/h4FWajVG WvHme3rmE6+h4wHKigT/ddZ82vk90JohpZ0wsDUPxnPkkUblYi1U8xxNWfZinLKEUilsDlurTaZSl 416n6PDfNxvc0LyV2Hc1A9rxIU82cAfPpXXhAIL4VufnBtbUF3Rs03+eqORvFrV2JS/bgf25OPJTu AipqqFvcB1bA4hTSi2qA==; Received: from localhost ([::1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.94.2 #2 (Red Hat Linux)) id 1luC73-00DnnN-Pl; Fri, 18 Jun 2021 10:52:37 +0000 Received: from first.geanix.com ([116.203.34.67]) by bombadil.infradead.org with esmtps (Exim 4.94.2 #2 (Red Hat Linux)) id 1luC6z-00Dnl4-KM for linux-arm-kernel@lists.infradead.org; Fri, 18 Jun 2021 10:52:35 +0000 Received: from localhost (80-62-117-165-mobile.dk.customer.tdc.net [80.62.117.165]) by first.geanix.com (Postfix) with ESMTPSA id 83127C7E; Fri, 18 Jun 2021 10:52:25 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=geanix.com; s=first; t=1624013545; bh=q1b5bexcq1vlomibUUd2NWw4q2kj339YQtJG09H39VU=; h=From:To:Cc:Subject:Date; b=HeMztwFs+X1USFI5ZxW5uim5+GUirflBTScWidkBQiyZTPd/hni4X5UMrAybMrgwf 4RDZtH4mfxImXHD7rVhta2VS6VgONNoeaNSgJtY8BEAkFjy5A1b7KEeOjE8Fo3HaqA 5fXVJoy5WJzFHpvZ4XGeTw8tGgk2uHdNjw0xXP8D7KygA0+pQ/dN8jN5xtnJvIz8UP JnMGeR3FTQju3J5QMBZW4aSkNMh2OdUK0UpO7OR4w28Y8/dGvtrPhGEWYV7rA01rYU 72fsuOeMlEIPaMRgx2Hv6gWcPzkUthBFgy+Fjob6htZOO8R0vJwpmI4pj2XCRmZ1qr snoEGnIsZjwPg== From: Esben Haabendal To: netdev@vger.kernel.org Cc: stable@vger.kernel.org, "David S. Miller" , Jakub Kicinski , Michal Simek , Jesse Brandeburg , Wang Hai , Andrew Lunn , Zhang Changzhong , Michael Walle , linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org Subject: [PATCH 1/4] net: ll_temac: Make sure to free skb when it is completely used Date: Fri, 18 Jun 2021 12:52:23 +0200 Message-Id: X-Mailer: git-send-email 2.32.0 MIME-Version: 1.0 X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20210618_035233_841423_B7709404 X-CRM114-Status: GOOD ( 13.20 ) X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org With the skb pointer piggy-backed on the TX BD, we have a simple and efficient way to free the skb buffer when the frame has been transmitted. But in order to avoid freeing the skb while there are still fragments from the skb in use, we need to piggy-back on the TX BD of the skb, not the first. Without this, we are doing use-after-free on the DMA side, when the first BD of a multi TX BD packet is seen as completed in xmit_done, and the remaining BDs are still being processed. Cc: stable@vger.kernel.org # v5.4+ Signed-off-by: Esben Haabendal --- drivers/net/ethernet/xilinx/ll_temac_main.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/drivers/net/ethernet/xilinx/ll_temac_main.c b/drivers/net/ethernet/xilinx/ll_temac_main.c index a1f5f07f4ca9..e82f162cd80c 100644 --- a/drivers/net/ethernet/xilinx/ll_temac_main.c +++ b/drivers/net/ethernet/xilinx/ll_temac_main.c @@ -876,7 +876,6 @@ temac_start_xmit(struct sk_buff *skb, struct net_device *ndev) return NETDEV_TX_OK; } cur_p->phys = cpu_to_be32(skb_dma_addr); - ptr_to_txbd((void *)skb, cur_p); for (ii = 0; ii < num_frag; ii++) { if (++lp->tx_bd_tail >= lp->tx_bd_num) @@ -915,6 +914,11 @@ temac_start_xmit(struct sk_buff *skb, struct net_device *ndev) } cur_p->app0 |= cpu_to_be32(STS_CTRL_APP0_EOP); + /* Mark last fragment with skb address, so it can be consumed + * in temac_start_xmit_done() + */ + ptr_to_txbd((void *)skb, cur_p); + tail_p = lp->tx_bd_p + sizeof(*lp->tx_bd_v) * lp->tx_bd_tail; lp->tx_bd_tail++; if (lp->tx_bd_tail >= lp->tx_bd_num)