From patchwork Thu Mar 2 13:00:53 2017
X-Patchwork-Submitter: Dexuan Cui
X-Patchwork-Id: 734620
X-Patchwork-Delegate: davem@davemloft.net
From: Dexuan Cui
To: David Miller, netdev, Stephen Hemminger, KY Srinivasan, Haiyang Zhang
CC: "linux-kernel@vger.kernel.org", "driverdev-devel@linuxdriverproject.org"
Subject: [PATCH] netvsc: fix use-after-free in netvsc_change_mtu()
Date: Thu, 2 Mar 2017 13:00:53 +0000
X-Mailing-List: netdev@vger.kernel.org

'nvdev' is freed in rndis_filter_device_remove -> netvsc_device_remove -> free_netvsc_device, so we mustn't access it, before it's re-created in rndis_filter_device_add -> netvsc_device_add.

Signed-off-by: Dexuan Cui
Cc: "K. Y. Srinivasan"
Cc: Haiyang Zhang
Cc: Stephen Hemminger
Reviewed-by: Stephen Hemminger
--- drivers/net/hyperv/netvsc_drv.c | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/drivers/net/hyperv/netvsc_drv.c b/drivers/net/hyperv/netvsc_drv.c index 2d3cdb0..bc05c89 100644 --- a/drivers/net/hyperv/netvsc_drv.c +++ b/drivers/net/hyperv/netvsc_drv.c 
@@ -859,15 +859,22 @@ static int netvsc_change_mtu(struct net_device *ndev, int mtu) if (ret) goto out; + memset(&device_info, 0, sizeof(device_info)); + device_info.ring_size = ring_size; + device_info.num_chn = nvdev->num_chn; + device_info.max_num_vrss_chns = nvdev->num_chn; + ndevctx->start_remove = true; rndis_filter_device_remove(hdev, nvdev); + /* 'nvdev' has been freed in rndis_filter_device_remove() -> + * netvsc_device_remove () -> free_netvsc_device(). + * We mustn't access it before it's re-created in + * rndis_filter_device_add() -> netvsc_device_add(). + */ + ndev->mtu = mtu; - memset(&device_info, 0, sizeof(device_info)); - device_info.ring_size = ring_size; - device_info.num_chn = nvdev->num_chn; - device_info.max_num_vrss_chns = nvdev->num_chn; rndis_filter_device_add(hdev, &device_info); out:
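Review bot: after rndis_filter_device_remove(hdev, nvdev) the local 'nvdev' still holds the freed address, and only the new comment stops a later edit from dereferencing it again. Setting nvdev = NULL right after the remove call would turn any future stray access in this function into an immediate fault instead of a silent read of freed memory. Separately, the trailing context line calls rndis_filter_device_add(hdev, &device_info) without using its return value, while ndev->mtu has already been updated by then; if the add can fail, the device is left with no re-created 'nvdev' and the new MTU, so the result should be checked and propagated through 'ret'. Minor style point: the comment has a stray space in "netvsc_device_remove ()".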