From cf1acec008f8d7761aa3fd7c4bca7e17b2d2512d Mon Sep 17 00:00:00 2001

From: Bo Chen <chenbo@pdx.edu>

Date: Mon, 23 Jul 2018 09:01:29 -0700

Subject: e1000: check on netif_running() before calling e1000_up()

When the device is not up, the call to 'e1000_up()' from the error handling path

of 'e1000_set_ringparam()' causes a kernel oops with a null-pointer

dereference. The null-pointer dereference is triggered in function

'e1000_alloc_rx_buffers()' at line 'buffer_info = &rx_ring->buffer_info[i]'.

This bug was reported by COD, a tool for testing kernel module binaries I am

building. This bug was also detected by KFI from Dr. Kai Cong.

This patch fixes the bug by checking on 'netif_running()' before calling

'e1000_up()' in 'e1000_set_ringparam()'.

Signed-off-by: Bo Chen <chenbo@pdx.edu>

Acked-by: Alexander Duyck <alexander.h.duyck@intel.com>

Tested-by: Aaron Brown <aaron.f.brown@intel.com>

Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>

---

 drivers/net/ethernet/intel/e1000/e1000_ethtool.c | 3 ++-

 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/intel/e1000/e1000_ethtool.c b/drivers/net/ethernet/intel/e1000/e1000_ethtool.c

index bdb3f8e65ed4..c1e4e94f100f 100644

--- a/drivers/net/ethernet/intel/e1000/e1000_ethtool.c

+++ b/drivers/net/ethernet/intel/e1000/e1000_ethtool.c

@@ -644,7 +644,8 @@ err_setup_rx:

 err_alloc_rx:

 	kfree(txdr);

 err_alloc_tx:

-	e1000_up(adapter);

+	if (netif_running(adapter->netdev))

+		e1000_up(adapter);

 err_setup:

 	clear_bit(__E1000_RESETTING, &adapter->flags);

 	return err;

-- 

cgit 1.2-0.3.lf.el7

From ee400a3f1bfe7004a3e14b81c38ccc5583c26295 Mon Sep 17 00:00:00 2001

From: Bo Chen <chenbo@pdx.edu>

Date: Mon, 23 Jul 2018 09:01:30 -0700

Subject: e1000: ensure to free old tx/rx rings in set_ringparam()

In 'e1000_set_ringparam()', the tx_ring and rx_ring are updated with new value

and the old tx/rx rings are freed only when the device is up. There are resource

leaks on old tx/rx rings when the device is not up. This bug is reported by COD,

a tool for testing kernel module binaries I am building.

This patch fixes the bug by always calling 'kfree()' on old tx/rx rings in

'e1000_set_ringparam()'.

Signed-off-by: Bo Chen <chenbo@pdx.edu>

Reviewed-by: Alexander Duyck <alexander.h.duyck@intel.com>

Tested-by: Aaron Brown <aaron.f.brown@intel.com>

Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>

---

 drivers/net/ethernet/intel/e1000/e1000_ethtool.c | 4 ++--

 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/net/ethernet/intel/e1000/e1000_ethtool.c b/drivers/net/ethernet/intel/e1000/e1000_ethtool.c

index c1e4e94f100f..2569a168334c 100644

--- a/drivers/net/ethernet/intel/e1000/e1000_ethtool.c

+++ b/drivers/net/ethernet/intel/e1000/e1000_ethtool.c

@@ -624,14 +624,14 @@ static int e1000_set_ringparam(struct net_device *netdev,

 		adapter->tx_ring = tx_old;

 		e1000_free_all_rx_resources(adapter);

 		e1000_free_all_tx_resources(adapter);

-		kfree(tx_old);

-		kfree(rx_old);

 		adapter->rx_ring = rxdr;

 		adapter->tx_ring = txdr;

 		err = e1000_up(adapter);

 		if (err)

 			goto err_setup;

 	}

+	kfree(tx_old);

+	kfree(rx_old);

 	clear_bit(__E1000_RESETTING, &adapter->flags);

 	return 0;

-- 

cgit 1.2-0.3.lf.el7