Message-ID: <7961b079-fb26-4541-b7d3-63bddd484e2a@molgen.mpg.de>
Date: Thu, 7 Aug 2025 23:32:03 +0200
From: Paul Menzel <pmenzel@...gen.mpg.de>
To: Jacob Keller <jacob.e.keller@...el.com>,
 Przemek Kitszel <przemyslaw.kitszel@...el.com>,
 Intel Wired LAN <intel-wired-lan@...ts.osuosl.org>, netdev@...r.kernel.org
Subject: Re: [Intel-wired-lan] [PATCH iwl-net 2/2] ice: fix NULL access of
 tx->in_use in ice_ll_ts_intr

Dear Jacob,


Thank you for the patch.

On 07.08.25 at 19:35, Jacob Keller wrote:
> Recent versions of the E810 firmware have support for an extra interrupt to
> handle report of the "low latency" Tx timestamps coming from the
> specialized low latency firmware interface. Instead of polling the
> registers, software can wait until the low latency interrupt is fired.
> 
> This logic makes use of the Tx timestamp tracking structure, ice_ptp_tx, as
> it uses the same "ready" bitmap to track which Tx timestamps.

Is the last part “to track which Tx timestamps” complete?

> Unfortunately, the ice_ll_ts_intr() function does not check if the
> tracker is initialized before its first access. This results in NULL
> dereference or use-after-free bugs similar to the issues fixed in the
> ice_ptp_ts_irq() function.
> 
> Fix this by only checking the in_use bitmap (and other fields) if the
> tracker is marked as initialized. The reset flow will clear the init field
> under lock before it tears the tracker down, thus preventing any
> use-after-free or NULL access.
> 
> Fixes: 82e71b226e0e ("ice: Enable SW interrupt from FW for LL TS")
> Signed-off-by: Jacob Keller <jacob.e.keller@...el.com>
> ---
>   drivers/net/ethernet/intel/ice/ice_main.c | 12 +++++++-----
>   1 file changed, 7 insertions(+), 5 deletions(-)
> 
> diff --git a/drivers/net/ethernet/intel/ice/ice_main.c b/drivers/net/ethernet/intel/ice/ice_main.c
> index 8e0b06c1e02b..7b002127e40d 100644
> --- a/drivers/net/ethernet/intel/ice/ice_main.c
> +++ b/drivers/net/ethernet/intel/ice/ice_main.c
> @@ -3176,12 +3176,14 @@ static irqreturn_t ice_ll_ts_intr(int __always_unused irq, void *data)
>   	hw = &pf->hw;
>   	tx = &pf->ptp.port.tx;
>   	spin_lock_irqsave(&tx->lock, flags);
> -	ice_ptp_complete_tx_single_tstamp(tx);
> +	if (tx->init) {
> +		ice_ptp_complete_tx_single_tstamp(tx);
>   
> -	idx = find_next_bit_wrap(tx->in_use, tx->len,
> -				 tx->last_ll_ts_idx_read + 1);
> -	if (idx != tx->len)
> -		ice_ptp_req_tx_single_tstamp(tx, idx);
> +		idx = find_next_bit_wrap(tx->in_use, tx->len,
> +					 tx->last_ll_ts_idx_read + 1);
> +		if (idx != tx->len)
> +			ice_ptp_req_tx_single_tstamp(tx, idx);
> +	}
>   	spin_unlock_irqrestore(&tx->lock, flags);
>   
>   	val = GLINT_DYN_CTL_INTENA_M | GLINT_DYN_CTL_CLEARPBA_M |
> 
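
Review bot: The `spin_lock_irqsave(&tx->lock, flags)` kept as context at the top of this hunk still runs before the new `if (tx->init)` test, so the fix depends on `tx->lock` itself being usable while the tracker is uninitialized or being torn down. The visible lines do not show where the lock is set up, so the commit message should say that it is initialized before this interrupt can fire and stays valid across the reset flow. A one-line comment above `if (tx->init)` noting that the reset flow clears the flag under `tx->lock` would also record why the test has to stay inside the locked region rather than being hoisted above it as an early return. With `tx->init` false the handler skips both the completion and the next request but still falls through to the `GLINT_DYN_CTL_INTENA_M | GLINT_DYN_CTL_CLEARPBA_M` path; it would be worth confirming in the message that re-arming the interrupt in that state is intended.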

Reviewed-by: Paul Menzel <pmenzel@...gen.mpg.de>


Kind regards,

Paul
