[Devel] [PATCH vz7] drivers/net/i40e: define proper net_device::neigh_priv_len
Konstantin Khorenko
khorenko at virtuozzo.com
Fri Nov 23 10:48:36 MSK 2018
Reported by KASan.

i40iw_net_event() unconditionally reads 16 bytes from
neighbour::priv_key on neigh entry update, but memory evaluated
for arp entry on allocation at neigh_event_ns() is evaluated as
  tbl->entry_size + dev->neigh_priv_len
and neigh_priv_len is not inited by the driver.

Fix that.

net_device allocation stack:
  alloc_netdev_mqs
  alloc_etherdev_mqs_rh
  i40e_vsi_setup
  i40e_setup_pf_switch
  i40e_probe

neigh entry allocation stack:
  __kmalloc
  __neigh_create
  neigh_event_ns
  arp_process
  arp_rcv
  __netif_receive_skb_core
  __netif_receive_skb
  netif_receive_skb_internal
  napi_gro_receive
  i40e_clean_rx_irq
  i40e_napi_poll
  net_rx_action
  __do_softirq

reading 16 bytes from neighbour::priv_key stack:
  i40iw_copy_ip_ntohl
  i40iw_net_event
  notifier_call_chain
  atomic_notifier_call_chain
  call_netevent_notifiers
  neigh_update
  neigh_event_ns
  arp_process
  arp_rcv
  __netif_receive_skb_core
  __netif_receive_skb
  netif_receive_skb_internal
  napi_gro_receive
  i40e_clean_rx_irq
  i40e_napi_poll
  net_rx_action
  __do_softirq

https://pmc.acronis.com/browse/VSTOR-17918

Signed-off-by: Konstantin Khorenko <khorenko at virtuozzo.com>
---
drivers/net/ethernet/intel/i40e/i40e_main.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c
index 6596fb22ab7c..1a3df2eaf7dd 100644
--- a/drivers/net/ethernet/intel/i40e/i40e_main.c
+++ b/drivers/net/ethernet/intel/i40e/i40e_main.c
@@ -9606,6 +9606,9 @@ static int i40e_config_netdev(struct i40e_vsi *vsi)
ether_addr_copy(netdev->dev_addr, mac_addr);
ether_addr_copy(netdev->perm_addr, mac_addr);
+ /* i40iw_net_event() reads 16 bytes from neigh->primary_key */
+ netdev->neigh_priv_len = sizeof(u32) * 4;
+
netdev->priv_flags |= IFF_UNICAST_FLT;
netdev->priv_flags |= IFF_SUPP_NOFCS;
/* Setup netdev TC information */
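Review bot: The added `netdev->neigh_priv_len = sizeof(u32) * 4;` in i40e_config_netdev() pads every neigh allocation on this device so that the 16-byte read stays inside the object, but the read in i40iw_net_event() itself remains unconditional. For an ARP entry the reader still consumes 16 bytes where the key is shorter, so what it gets past the key is padding rather than address data, and the out-of-bounds condition returns for any neigh entry whose device did not go through this function. Consider bounding the read in i40iw_net_event() by the table's key length (or by address family) instead of, or in addition to, growing the allocation. Two smaller points on the same lines: the new comment names `neigh->primary_key` while the commit message says `neighbour::priv_key`, so one of them should be corrected to match the field actually read; and `sizeof(u32) * 4` is a bare constant tied to another driver's access size, so a named macro or a sizeof on the type the reader copies into would keep the two from drifting apart.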
--
2.15.1