From: Yonglong Liu liuyonglong@huawei.com

driver inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I4LD5U CVE: NA

----------------------------

When multiple users access debugfs at the same time, the process of alloc and release memory becomes disordered, causing the kernel crash like this:

[763845.759089] PC is at kfree+0x19c/0x1a0 [763845.759100] LR is at kvfree+0x3c/0x58 [763845.759103] pc : [<ffff00000828878c>] lr : [<ffff00000823432c>] pstate: 60400009 [763845.759105] sp : ffff00003744fc90 [763845.759108] x29: ffff00003744fc90 x28: ffff8027dc87b800 [763845.759115] x27: ffff0000088a1000 x26: ffff000002970f48 [763845.759121] x25: ffff802502600000 x24: 00000000000000af [763845.759127] x23: 0000000000010000 x22: 0000000013dc0000 [763845.759133] x21: ffff00000823432c x20: ffff802502600000 [763845.759139] x19: ffff802502600000 x18: 0000ffffdaa06b10 [763845.759145] x17: 00000000004201c8 x16: ffff0000082b2b10 [763845.759151] x15: 000000000003013f x14: 0000ffffa462ffe0 [763845.759157] x13: ffffffffffffffff x12: 0433526ae61f3300 [763845.759163] x11: ffff000009694b30 x10: 0000000000000001 [763845.759169] x9 : 000000000007b224 x8 : ffff000009719edc [763845.759175] x7 : ffff7fe009409800 x6 : 00000045757af8cf [763845.759181] x5 : ffff8027fced69f0 x4 : 0000000000000000 [763845.759187] x3 : 0000000000000000 x2 : 0433526ae61f3300 [763845.759192] x1 : 0000000000000000 x0 : dead000000000100 [763845.759200] Process cat (pid: 57988, stack limit = 0xffff000037440000) [763845.759203] Call trace: [763845.759207] Exception stack(0xffff00003744fb50 to 0xffff00003744fc90) [763845.759211] fb40: dead000000000100 0000000000000000 [768745.759215] fb60: 0433526ae61f3300 0000000000000000 0000000000000000 ffff8027fced69f0 [763845.759219] fb80: 00000045757af8cf ffff7fe009409800 ffff000009719edc 000000000007b224 [763845.759222] fba0: 0000000000000001 ffff000009694b30 0433526ae61f3300 ffffffffffffffff [763845.759226] fbc0: 0000ffffa462ffe0 000000000003013f ffff0000082b2b10 00000000004201c8 [763845.759231] fbe0: 0000ffffdaa06b10 ffff802502600000 ffff802502600000 ffff00000823432c [763845.759235] fc00: 0000000013dc0000 0000000000010000 00000000000000af ffff802502600000 [763845.759238] fc20: ffff000002970f48 ffff0000088a1000 ffff8027dc87b800 ffff00003744fc90 [763845.759243] fc40: ffff00000823432c ffff00003744fc90 ffff00000828878c 0000000060400009 [763845.759247] fc60: ffff00003744feb0 0000000013dc0000 0000ffffffffffff 0000000000000023 [763845.759250] fc80: ffff00003744fc90 ffff00000828878c [763845.759259] [<ffff00000828878c>] kfree+0x19c/0x1a0 [763845.759263] [<ffff00000823432c>] kvfree+0x3c/0x58 [763845.759306] [<ffff00000295ab94>] hns3_dbg_read+0x94/0x240 [hns3] [763845.759318] [<ffff000008359550>] full_proxy_read+0x60/0x90 [763845.759324] [<ffff0000082b22a4>] __vfs_read+0x58/0x178 [763845.759327] [<ffff0000082b2454>] vfs_read+0x90/0x14c [763845.759332] [<ffff0000082b2b70>] SyS_read+0x60/0xc0

This patch adds a mutex lock to fix the race condition, and need to call hns3_dbg_read_cmd() function when buffer is NULL to avoid reading empty data.

Fixes: c91910efc03a ("net: hns3: refactor the debugfs process") Signed-off-by: Yonglong Liu liuyonglong@huawei.com Reviewed-by: li yongxin liyongxin1@huawei.com Signed-off-by: Yang Yingliang yangyingliang@huawei.com --- drivers/net/ethernet/hisilicon/hns3/hnae3.h | 1 + .../ethernet/hisilicon/hns3/hns3_debugfs.c | 19 +++++++++++++------ 2 files changed, 14 insertions(+), 6 deletions(-)

diff --git a/drivers/net/ethernet/hisilicon/hns3/hnae3.h b/drivers/net/ethernet/hisilicon/hns3/hnae3.h index c9ac1e7cf4492..048de5b367c19 100644 --- a/drivers/net/ethernet/hisilicon/hns3/hnae3.h +++ b/drivers/net/ethernet/hisilicon/hns3/hnae3.h @@ -764,6 +764,7 @@ struct hnae3_handle {

u8 netdev_flags; struct dentry *hnae3_dbgfs; + struct mutex dbgfs_lock;

/* Network interface message level enabled bits */ u32 msg_enable; diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c b/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c index 7f3b7084e382f..c68e5f3d0ba52 100644 --- a/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c +++ b/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c @@ -807,6 +807,7 @@ static ssize_t hns3_dbg_read(struct file *filp, char __user *buffer, if (ret) return ret;

+ mutex_lock(&handle->dbgfs_lock); save_buf = &hns3_dbg_cmd[index].buf;

if (!test_bit(HNS3_NIC_STATE_INITED, &priv->state) || @@ -819,15 +820,15 @@ static ssize_t hns3_dbg_read(struct file *filp, char __user *buffer, read_buf = *save_buf; } else { read_buf = kvzalloc(hns3_dbg_cmd[index].buf_len, GFP_KERNEL); - if (!read_buf) - return -ENOMEM; + if (!read_buf) { + ret = -ENOMEM; + goto out; + }

/* save the buffer addr until the last read operation */ *save_buf = read_buf; - }

- /* get data ready for the first time to read */ - if (!*ppos) { + /* get data ready for the first time to read */ ret = hns3_dbg_read_cmd(dbg_data, hns3_dbg_cmd[index].cmd, read_buf, hns3_dbg_cmd[index].buf_len); if (ret) @@ -836,8 +837,10 @@ static ssize_t hns3_dbg_read(struct file *filp, char __user *buffer,

size = simple_read_from_buffer(buffer, count, ppos, read_buf, strlen(read_buf)); - if (size > 0) + if (size > 0) { + mutex_unlock(&handle->dbgfs_lock); return size; + }

out: /* free the buffer for the last read operation */ @@ -846,6 +849,7 @@ static ssize_t hns3_dbg_read(struct file *filp, char __user *buffer, *save_buf = NULL; }

+ mutex_unlock(&handle->dbgfs_lock); return ret; }

@@ -916,6 +920,7 @@ int hns3_dbg_init(struct hnae3_handle *handle) debugfs_create_dir(hns3_dbg_dentry[i].name, handle->hnae3_dbgfs);

+ mutex_init(&handle->dbgfs_lock); for (i = 0; i < ARRAY_SIZE(hns3_dbg_cmd); i++) { if (!hns3_dbg_cmd[i].init) { dev_err(&handle->pdev->dev, @@ -936,6 +941,7 @@ int hns3_dbg_init(struct hnae3_handle *handle) return 0;

out: + mutex_destroy(&handle->dbgfs_lock); debugfs_remove_recursive(handle->hnae3_dbgfs); handle->hnae3_dbgfs = NULL; return ret; @@ -951,6 +957,7 @@ void hns3_dbg_uninit(struct hnae3_handle *handle) hns3_dbg_cmd[i].buf = NULL; }

+ mutex_destroy(&handle->dbgfs_lock); debugfs_remove_recursive(handle->hnae3_dbgfs); handle->hnae3_dbgfs = NULL; }