e8384c
From cf1acec008f8d7761aa3fd7c4bca7e17b2d2512d Mon Sep 17 00:00:00 2001
e8384c
From: Bo Chen <chenbo@pdx.edu>
e8384c
Date: Mon, 23 Jul 2018 09:01:29 -0700
e8384c
Subject: e1000: check on netif_running() before calling e1000_up()
e8384c
e8384c
When the device is not up, the call to 'e1000_up()' from the error handling path
e8384c
of 'e1000_set_ringparam()' causes a kernel oops with a null-pointer
e8384c
dereference. The null-pointer dereference is triggered in function
e8384c
'e1000_alloc_rx_buffers()' at line 'buffer_info = &rx_ring->buffer_info[i]'.
e8384c
e8384c
This bug was reported by COD, a tool for testing kernel module binaries I am
e8384c
building. This bug was also detected by KFI from Dr. Kai Cong.
e8384c
e8384c
This patch fixes the bug by checking on 'netif_running()' before calling
e8384c
'e1000_up()' in 'e1000_set_ringparam()'.
e8384c
e8384c
Signed-off-by: Bo Chen <chenbo@pdx.edu>
e8384c
Acked-by: Alexander Duyck <alexander.h.duyck@intel.com>
e8384c
Tested-by: Aaron Brown <aaron.f.brown@intel.com>
e8384c
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
e8384c
---
e8384c
 drivers/net/ethernet/intel/e1000/e1000_ethtool.c | 3 ++-
e8384c
 1 file changed, 2 insertions(+), 1 deletion(-)
e8384c
e8384c
diff --git a/drivers/net/ethernet/intel/e1000/e1000_ethtool.c b/drivers/net/ethernet/intel/e1000/e1000_ethtool.c
e8384c
index bdb3f8e65ed4..c1e4e94f100f 100644
e8384c
--- a/drivers/net/ethernet/intel/e1000/e1000_ethtool.c
e8384c
+++ b/drivers/net/ethernet/intel/e1000/e1000_ethtool.c
e8384c
@@ -644,7 +644,8 @@ err_setup_rx:
e8384c
 err_alloc_rx:
e8384c
 	kfree(txdr);
e8384c
 err_alloc_tx:
e8384c
-	e1000_up(adapter);
e8384c
+	if (netif_running(adapter->netdev))
e8384c
+		e1000_up(adapter);
e8384c
 err_setup:
e8384c
 	clear_bit(__E1000_RESETTING, &adapter->flags);
e8384c
 	return err;
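Review bot: The result of `e1000_up(adapter)` is still discarded on this error path, so if the restart fails after a ring-allocation error, a running interface is left down and the caller sees only the original `err`. The success path of the same function checks it (`err = e1000_up(adapter); if (err) goto err_setup;`, visible in the next patch on this page), so at minimum log the failure here, e.g. `if (netif_running(adapter->netdev) && e1000_up(adapter)) netdev_err(adapter->netdev, "failed to restart after ring resize error\n");`. A short comment above the guard would also record why it exists: `/* e1000_up() on a down device oopses in e1000_alloc_rx_buffers() */`. The body of e1000_set_ringparam() starts outside this hunk, so whether the earlier teardown is gated by the same `netif_running()` check cannot be confirmed from here.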
e8384c
-- 
e8384c
cgit 1.2-0.3.lf.el7
e8384c
e8384c
From ee400a3f1bfe7004a3e14b81c38ccc5583c26295 Mon Sep 17 00:00:00 2001
e8384c
From: Bo Chen <chenbo@pdx.edu>
e8384c
Date: Mon, 23 Jul 2018 09:01:30 -0700
e8384c
Subject: e1000: ensure to free old tx/rx rings in set_ringparam()
e8384c
e8384c
In 'e1000_set_ringparam()', the tx_ring and rx_ring are updated with new values
e8384c
and the old tx/rx rings are freed only when the device is up. There are resource
e8384c
leaks on old tx/rx rings when the device is not up. This bug is reported by COD,
e8384c
a tool for testing kernel module binaries I am building.
e8384c
e8384c
This patch fixes the bug by always calling 'kfree()' on old tx/rx rings in
e8384c
'e1000_set_ringparam()'.
e8384c
e8384c
Signed-off-by: Bo Chen <chenbo@pdx.edu>
e8384c
Reviewed-by: Alexander Duyck <alexander.h.duyck@intel.com>
e8384c
Tested-by: Aaron Brown <aaron.f.brown@intel.com>
e8384c
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
e8384c
---
e8384c
 drivers/net/ethernet/intel/e1000/e1000_ethtool.c | 4 ++--
e8384c
 1 file changed, 2 insertions(+), 2 deletions(-)
e8384c
e8384c
diff --git a/drivers/net/ethernet/intel/e1000/e1000_ethtool.c b/drivers/net/ethernet/intel/e1000/e1000_ethtool.c
e8384c
index c1e4e94f100f..2569a168334c 100644
e8384c
--- a/drivers/net/ethernet/intel/e1000/e1000_ethtool.c
e8384c
+++ b/drivers/net/ethernet/intel/e1000/e1000_ethtool.c
e8384c
@@ -624,14 +624,14 @@ static int e1000_set_ringparam(struct net_device *netdev,
e8384c
 		adapter->tx_ring = tx_old;
e8384c
 		e1000_free_all_rx_resources(adapter);
e8384c
 		e1000_free_all_tx_resources(adapter);
e8384c
-		kfree(tx_old);
e8384c
-		kfree(rx_old);
e8384c
 		adapter->rx_ring = rxdr;
e8384c
 		adapter->tx_ring = txdr;
e8384c
 		err = e1000_up(adapter);
e8384c
 		if (err)
e8384c
 			goto err_setup;
e8384c
 	}
e8384c
+	kfree(tx_old);
e8384c
+	kfree(rx_old);
e8384c
 
e8384c
 	clear_bit(__E1000_RESETTING, &adapter->flags);
e8384c
 	return 0;
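Review bot: Moving the two `kfree()` calls below the `if` block means the `goto err_setup` taken when `e1000_up(adapter)` fails now skips them. `err_setup` (as shown in the previous patch on this page) only clears `__E1000_RESETTING` and returns `err`, so `tx_old` and `rx_old` leak on that path, which the pre-patch placement did not allow. Free them before jumping, e.g. `if (err) { kfree(tx_old); kfree(rx_old); goto err_setup; }`, rather than in a shared label, since other error paths appear to put the old rings back into `adapter`. The function starts above this hunk, so how `tx_old` and `rx_old` are assigned when the device is down is not visible here and should be confirmed.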
e8384c
-- 
e8384c
cgit 1.2-0.3.lf.el7
e8384c