• Zixuan Fu's avatar
    net: vmxnet3: fix possible NULL pointer dereference in vmxnet3_rq_cleanup() · edf410cb
    Zixuan Fu authored
    In vmxnet3_rq_create(), when dma_alloc_coherent() fails,
    vmxnet3_rq_destroy() is called. It sets rq->rx_ring[i].base to NULL. Then
    vmxnet3_rq_create() returns an error to its callers mxnet3_rq_create_all()
    -> vmxnet3_change_mtu(). Then vmxnet3_change_mtu() calls
    vmxnet3_force_close() -> dev_close() in error handling code. And the driver
    calls vmxnet3_close() -> vmxnet3_quiesce_dev() -> vmxnet3_rq_cleanup_all()
    -> vmxnet3_rq_cleanup(). In vmxnet3_rq_cleanup(),
    rq->rx_ring[ring_idx].base is accessed, but this variable is NULL, causing
    a NULL pointer dereference.
    
    To fix this possible bug, an if statement is added to check whether
    rq->rx_ring[0].base is NULL in vmxnet3_rq_cleanup() and exit early if so.
    
    The error log in our fault-injection testing is shown as follows:
    
    [   65.220135] BUG: kernel NULL pointer dereference, address: 0000000000000008
    ...
    [   65.222633] RIP: 0010:vmxnet3_rq_cleanup_all+0x396/0x4e0 [vmxnet3]
    ...
    [   65.227977] Call Trace:
    ...
    [   65.228262]  vmxnet3_quiesce_dev+0x80f/0x8a0 [vmxnet3]
    [   65.228580]  vmxnet3_close+0x2c4/0x3f0 [vmxnet3]
    [   65.228866]  __dev_close_many+0x288/0x350
    [   65.229607]  dev_close_many+0xa4/0x480
    [   65.231124]  dev_close+0x138/0x230
    [   65.231933]  vmxnet3_force_close+0x1f0/0x240 [vmxnet3]
    [   65.232248]  vmxnet3_change_mtu+0x75d/0x920 [vmxnet3]
    ...
    
    Fixes: d1a890fa ("net: VMware virtual Ethernet NIC driver: vmxnet3")
    Reported-by: default avatarTOTE Robot <oslab@tsinghua.edu.cn>
    Signed-off-by: default avatarZixuan Fu <r33s3n6@gmail.com>
    Link: https://lore.kernel.org/r/20220514050711.2636709-1-r33s3n6@gmail.comSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
    edf410cb
vmxnet3_drv.c 106 KB