From: christian.ehrhardt@canonical.com
To: Huisong Li
Cc: Min Hu, Ferruh Yigit, dpdk stable
Subject: patch 'kni: fix freeing order in device release' has been queued to stable release 19.11.12
Date: Wed, 9 Mar 2022 12:01:00 +0100
Message-Id: <20220309110116.1295395-29-christian.ehrhardt@canonical.com>
In-Reply-To: <20220309110116.1295395-1-christian.ehrhardt@canonical.com>
References: <20220309110116.1295395-1-christian.ehrhardt@canonical.com>
List-Id: patches for DPDK stable branches

Hi,

FYI, your patch has been queued to stable release 19.11.12

Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 03/11/22. So please
shout if anyone has objections.

Also note that after the patch there's a diff of the upstream commit vs the
patch applied to the branch. This will indicate if there was any rebasing
needed to apply to the stable branch. If there were code changes for rebasing
(ie: not only metadata diffs), please double check that the rebase was
correctly done.

Queued patches are on a temporary branch at:
https://github.com/cpaelzer/dpdk-stable-queue

This queued commit can be viewed at:
https://github.com/cpaelzer/dpdk-stable-queue/commit/07459d98d2aad55766ce33452ca8c9b1700786bd

Thanks.

Christian Ehrhardt

---
From 07459d98d2aad55766ce33452ca8c9b1700786bd Mon Sep 17 00:00:00 2001
From: Huisong Li
Date: Wed, 9 Feb 2022 15:35:25 +0800
Subject: [PATCH] kni: fix freeing order in device release

[ upstream commit d57f2899e29a74fffeb876863e1f570084d6437b ]

The "kni_dev" is the private data of the "net_device" in kni, and
allocated with the "net_device" by calling "alloc_netdev()". The
"net_device" is freed by calling "free_netdev()" when the kni is
released. The freed memory includes the "kni_dev". So "kni_dev"
should not be accessed after "net_device" is released.

Fixes: e77fec694936 ("kni: fix possible mbuf leaks and speed up port release")

KASAN trace:
[ 85.263717] ==========================================================
[ 85.264418] BUG: KASAN: use-after-free in kni_net_release_fifo_phy+0x30/0x84 [rte_kni]
[ 85.265139] Read of size 8 at addr ffff000260668d60 by task kni/341
[ 85.265703]
[ 85.265857] CPU: 0 PID: 341 Comm: kni Tainted: G U O 5.15.0-rc4+ #1
[ 85.266525] Hardware name: linux,dummy-virt (DT)
[ 85.266968] Call trace:
[ 85.267220] dump_backtrace+0x0/0x2d0
[ 85.267591] show_stack+0x24/0x30
[ 85.267924] dump_stack_lvl+0x8c/0xb8
[ 85.268294] print_address_description.constprop.0+0x74/0x2b8
[ 85.268855] kasan_report+0x1e4/0x200
[ 85.269224] __asan_load8+0x98/0xd4
[ 85.269577] kni_net_release_fifo_phy+0x30/0x84 [rte_kni]
[ 85.270116] kni_dev_remove.isra.0+0x50/0x64 [rte_kni]
[ 85.270630] kni_ioctl_release+0x254/0x320 [rte_kni]
[ 85.271136] kni_ioctl+0x64/0xb0 [rte_kni]
[ 85.271553] __arm64_sys_ioctl+0xdc/0x120
[ 85.271955] invoke_syscall+0x68/0x1a0
[ 85.272332] el0_svc_common.constprop.0+0x90/0x200
[ 85.272807] do_el0_svc+0x94/0xa4
[ 85.273144] el0_svc+0x78/0x240
[ 85.273463] el0t_64_sync_handler+0x1a8/0x1b0
[ 85.273895] el0t_64_sync+0x1a0/0x1a4
[ 85.274264]
[ 85.274427] Allocated by task 341:
[ 85.274767] kasan_save_stack+0x2c/0x60
[ 85.275157] __kasan_kmalloc+0x90/0xb4
[ 85.275533] __kmalloc_node+0x230/0x594
[ 85.275917] kvmalloc_node+0x8c/0x190
[ 85.276286] alloc_netdev_mqs+0x70/0x6b0
[ 85.276678] kni_ioctl_create+0x224/0xf40 [rte_kni]
[ 85.277166] kni_ioctl+0x9c/0xb0 [rte_kni]
[ 85.277581] __arm64_sys_ioctl+0xdc/0x120
[ 85.277980] invoke_syscall+0x68/0x1a0
[ 85.278357] el0_svc_common.constprop.0+0x90/0x200
[ 85.278830] do_el0_svc+0x94/0xa4
[ 85.279172] el0_svc+0x78/0x240
[ 85.279491] el0t_64_sync_handler+0x1a8/0x1b0
[ 85.279925] el0t_64_sync+0x1a0/0x1a4
[ 85.280292]
[ 85.280454] Freed by task 341:
[ 85.280763] kasan_save_stack+0x2c/0x60
[ 85.281147] kasan_set_track+0x2c/0x40
[ 85.281522] kasan_set_free_info+0x2c/0x50
[ 85.281930] __kasan_slab_free+0xdc/0x140
[ 85.282331] slab_free_freelist_hook+0x90/0x250
[ 85.282782] kfree+0x128/0x580
[ 85.283099] kvfree+0x48/0x60
[ 85.283402] netdev_freemem+0x34/0x44
[ 85.283770] netdev_release+0x50/0x64
[ 85.284138] device_release+0xa0/0x120
[ 85.284516] kobject_put+0xf8/0x160
[ 85.284867] put_device+0x20/0x30
[ 85.285204] free_netdev+0x22c/0x310
[ 85.285562] kni_dev_remove.isra.0+0x48/0x64 [rte_kni]
[ 85.286076] kni_ioctl_release+0x254/0x320 [rte_kni]
[ 85.286573] kni_ioctl+0x64/0xb0 [rte_kni]
[ 85.286992] __arm64_sys_ioctl+0xdc/0x120
[ 85.287392] invoke_syscall+0x68/0x1a0
[ 85.287769] el0_svc_common.constprop.0+0x90/0x200
[ 85.288243] do_el0_svc+0x94/0xa4
[ 85.288579] el0_svc+0x78/0x240
[ 85.288899] el0t_64_sync_handler+0x1a8/0x1b0
[ 85.289332] el0t_64_sync+0x1a0/0x1a4
[ 85.289699]
[ 85.289862] The buggy address belongs to the object at ffff000260668000
[ 85.289862]  which belongs to the cache kmalloc-cg-8k of size 8192
[ 85.291079] The buggy address is located 3424 bytes inside of
[ 85.291079]  8192-byte region [ffff000260668000, ffff00026066a000)
[ 85.292213] The buggy address belongs to the page:
[ 85.292684] page:(____ptrval____) refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2a0668
[ 85.293585] head:(____ptrval____) order:3 compound_mapcount:0 compound_pincount:0
[ 85.294305] flags: 0xbfff80000010200(slab|head|node=0|zone=2|lastcpupid=0x7fff)
[ 85.295020] raw: 0bfff80000010200 0000000000000000 dead000000000122 ffff0000c000d680
[ 85.295767] raw: 0000000000000000 0000000080020002 00000001ffffffff 0000000000000000
[ 85.296512] page dumped because: kasan: bad access detected
[ 85.297054]
[ 85.297217] Memory state around the buggy address:
[ 85.297688]  ffff000260668c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 85.298384]  ffff000260668c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 85.299088] >ffff000260668d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 85.299781]                                                        ^
[ 85.300396]  ffff000260668d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 85.301092]  ffff000260668e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 85.301787] ===========================================================

Signed-off-by: Huisong Li
Signed-off-by: Min Hu (Connor)
Acked-by: Ferruh Yigit
---
 kernel/linux/kni/kni_misc.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/kernel/linux/kni/kni_misc.c b/kernel/linux/kni/kni_misc.c index 9b3d20ec69..2067cb4841 100644 --- a/kernel/linux/kni/kni_misc.c +++ b/kernel/linux/kni/kni_misc.c @@ -180,13 +180,17 @@ kni_dev_remove(struct kni_dev *dev) if (!dev) return -ENODEV; + /* + * The memory of kni device is allocated and released together + * with net device. Release mbuf before freeing net device. + */ + kni_net_release_fifo_phy(dev); + if (dev->net_dev) { unregister_netdev(dev->net_dev); free_netdev(dev->net_dev); } - kni_net_release_fifo_phy(dev); - return 0; } @@ -216,8 +220,8 @@ kni_release(struct inode *inode, struct file *file) dev->pthread = NULL; } - kni_dev_remove(dev); list_del(&dev->list); + kni_dev_remove(dev); } up_write(&knet->kni_list_lock);
@@ -466,8 +470,8 @@ kni_ioctl_release(struct net *net, uint32_t ioctl_num, dev->pthread = NULL; } - kni_dev_remove(dev); list_del(&dev->list); + kni_dev_remove(dev); ret = 0; break; } -- 2.35.1 --- Diff of the applied patch vs upstream commit (please double-check if non-empty: --- --- - 2022-03-09 11:57:44.889093056 +0100 +++ 0029-kni-fix-freeing-order-in-device-release.patch 2022-03-09 11:57:43.396938405 +0100 @@ -1 +1 @@ -From d57f2899e29a74fffeb876863e1f570084d6437b Mon Sep 17 00:00:00 2001 +From 07459d98d2aad55766ce33452ca8c9b1700786bd Mon Sep 17 00:00:00 2001 @@ -5,0 +6,2 @@ +[ upstream commit d57f2899e29a74fffeb876863e1f570084d6437b ] + @@ -13 +14,0 @@ -Cc: stable@dpdk.org @@ -124 +125 @@ -index ec70190042..780187d8bf 100644 +index 9b3d20ec69..2067cb4841 100644 @@ -127 +128 @@ -@@ -182,13 +182,17 @@ kni_dev_remove(struct kni_dev *dev) +@@ -180,13 +180,17 @@ kni_dev_remove(struct kni_dev *dev) @@ -147 +148 @@ -@@ -218,8 +222,8 @@ kni_release(struct inode *inode, struct file *file) +@@ -216,8 +220,8 @@ kni_release(struct inode *inode, struct file *file) @@ -157 +158 @@ -@@ -468,8 +472,8 @@ kni_ioctl_release(struct net *net, uint32_t ioctl_num, +@@ -466,8 +470,8 @@ kni_ioctl_release(struct net *net, uint32_t ioctl_num,
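Review bot: in the kni_dev_remove() hunk (@@ -180,13 +180,17 @@) the new comment states the symptom ("Release mbuf before freeing net device") rather than the invariant the KASAN trace is about: `dev` itself is the private area of `dev->net_dev`, so once `free_netdev(dev->net_dev)` returns nothing in this function may dereference `dev`, and any cleanup added later has to go above the `if (dev->net_dev)` block. Suggest wording along the lines of `/* dev is netdev_priv(dev->net_dev) and is freed by free_netdev(): do not touch dev after this block. */`. The reorder itself is sound, since after the block the function only does `return 0;`.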
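Review bot: the swap of `list_del(&dev->list);` and `kni_dev_remove(dev);` in the kni_release() hunk (@@ -216,8 +220,8 @@) fixes a second use-after-free that the commit message does not mention: with the old order `list_del` wrote to `dev->list` after `kni_dev_remove` had already freed the allocation containing it. The message should say so, since a reader comparing it with the diff will otherwise wonder why this hunk is here. The reorder is safe against concurrent walkers because the whole block runs under the write side of `knet->kni_list_lock` (see the `up_write` that follows).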
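Review bot: the kni_ioctl_release() hunk (@@ -466,8 +470,8 @@) is the path in the KASAN trace (kni_ioctl_release -> kni_dev_remove) and applies the same list_del-before-free reorder as kni_release(); the `break;` directly after `kni_dev_remove(dev);` is what keeps the list walk safe, because `dev` (and with it `dev->list.next`) is freed memory once the call returns, so the loop must not advance through it. Both call sites now carry the identical three-step teardown (`dev->pthread = NULL;`, `list_del(&dev->list);`, `kni_dev_remove(dev);`); a follow-up that folds them into one helper would stop the two orderings from drifting apart again.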
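The commit message describes a lifetime rule that is easy to get wrong: the "kni_dev" is not a separate object but the private area of the "net_device" allocation, so "free_netdev()" releases both and the old ordering read poisoned memory (the trace shows the faulting address 3424 bytes inside the 8192-byte object that "alloc_netdev_mqs" allocated, and the "fb" shadow bytes KASAN uses for freed slab memory). The following user-space model, added here as an example and not kernel or DPDK code, reproduces that layout and both orderings. All `model_*` names, the magic values and the quarantine are assumptions made for illustration; freed blocks are poisoned and parked rather than returned to malloc, so the stale read is detectable instead of undefined behaviour.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model (added example, not kernel or DPDK code; all model_* names
 * are assumptions). As with alloc_netdev()/netdev_priv(), the driver-private
 * struct lives inside the net_device allocation. */
#define NETDEV_MAGIC 0x6e657464u
#define KNI_MAGIC    0x6b6e6964u
#define FREED_POISON 0xfb /* the byte KASAN shows for freed slab memory */

struct net_device {
	uint32_t magic;
	size_t priv_size;   /* private area follows the header immediately */
};

struct kni_dev {
	uint32_t magic;             /* reads 0xfbfbfbfb once the net_device is freed */
	struct net_device *net_dev;
	int fifo_attached;          /* state kni_net_release_fifo_phy() tears down */
};

/* Freed blocks are poisoned and parked here, never returned to malloc, so a
 * stale read is detectable instead of undefined behaviour (KASAN's quarantine). */
#define QUARANTINE_MAX 16
static void *quarantine[QUARANTINE_MAX];
static size_t quarantine_len;

static struct net_device *model_alloc_netdev(size_t priv_size)
{
	struct net_device *nd = calloc(1, sizeof(*nd) + priv_size);
	if (!nd)
		abort();
	nd->magic = NETDEV_MAGIC;
	nd->priv_size = priv_size;
	return nd;
}

static void model_free_netdev(struct net_device *nd)
{
	/* header and private area are released together: that is the whole point */
	memset(nd, FREED_POISON, sizeof(*nd) + nd->priv_size);
	if (quarantine_len == QUARANTINE_MAX)
		abort();
	quarantine[quarantine_len++] = nd;
}

static struct kni_dev *model_kni_create(void)
{
	struct net_device *nd = model_alloc_netdev(sizeof(struct kni_dev));
	struct kni_dev *dev = (struct kni_dev *)((char *)nd + sizeof(*nd)); /* like netdev_priv() */
	dev->magic = KNI_MAGIC;
	dev->net_dev = nd;
	dev->fifo_attached = 1;
	return dev;
}

/* 1 if dev lies inside its own net_device allocation, i.e. free_netdev() frees it too */
static int model_priv_inside_netdev(const struct kni_dev *dev)
{
	const char *base = (const char *)dev->net_dev;
	const char *end = base + sizeof(struct net_device) + dev->net_dev->priv_size;
	const char *p = (const char *)dev;
	return p >= base && p + sizeof(*dev) <= end;
}

/* stand-in for kni_net_release_fifo_phy(): dereferences dev; 0 on success, -1 if dev is stale */
static int model_release_fifo_phy(struct kni_dev *dev)
{
	if (dev->magic != KNI_MAGIC) {
		fprintf(stderr, "use-after-free: kni_dev magic reads 0x%08x\n", (unsigned)dev->magic);
		return -1;
	}
	dev->fifo_attached = 0;
	return 0;
}

/* order before the fix: free the net_device, then touch dev (what KASAN reported) */
static int model_dev_remove_before_fix(struct kni_dev *dev)
{
	model_free_netdev(dev->net_dev);
	return model_release_fifo_phy(dev); /* dev is poisoned memory here */
}

/* order after the fix: release everything reachable through dev, then free it */
static int model_dev_remove_after_fix(struct kni_dev *dev)
{
	int ret = model_release_fifo_phy(dev);
	model_free_netdev(dev->net_dev);
	return ret; /* dev must not be touched from here on */
}

int main(void)
{
	struct kni_dev *dev = model_kni_create();
	printf("priv inside net_device: %d\n", model_priv_inside_netdev(dev));
	printf("after fix: %d\n", model_dev_remove_after_fix(dev));
	printf("before fix: %d\n", model_dev_remove_before_fix(model_kni_create()));
	while (quarantine_len)
		free(quarantine[--quarantine_len]);
	return 0;
}
```

Built with a real allocator instead of the quarantine (or under ASan/KASAN), `model_dev_remove_before_fix` is exactly the report in the commit message; the fixed order is the only one in which the private struct is still live when it is read, which is also why both callers in the patch must drop the list node before calling the remove function rather than after.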