Patch "igb: Fix use-after-free error during reset" has been added to the 5.13-stable tree

This is a note to let you know that I've just added the patch titled

    igb: Fix use-after-free error during reset

to the 5.13-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     igb-fix-use-after-free-error-during-reset.patch
and it can be found in the queue-5.13 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 68e373c948875a472b20dbde5773acf5ecebdfc5
Author: Vinicius Costa Gomes <vinicius.gomes@xxxxxxxxx>
Date:   Thu May 13 17:31:04 2021 -0700

    igb: Fix use-after-free error during reset
    
    [ Upstream commit 7b292608db23ccbbfbfa50cdb155d01725d7a52e ]
    
    Cleans the next descriptor to watch (next_to_watch) when cleaning the
    TX ring.
    
    Failure to do so can cause invalid memory accesses. If igb_poll() runs
    while the controller is reset this can lead to the driver trying to free
    a skb that was already freed.
    
    (The crash is harder to reproduce with the igb driver, but the same
    potential problem exists as the code is identical to igc)
    
    Fixes: 7cc6fd4c60f2 ("igb: Don't bother clearing Tx buffer_info in igb_clean_tx_ring")
    Signed-off-by: Vinicius Costa Gomes <vinicius.gomes@xxxxxxxxx>
    Reported-by: Erez Geva <erez.geva.ext@xxxxxxxxxxx>
    Tested-by: Tony Brelinski <tonyx.brelinski@xxxxxxxxx>
    Signed-off-by: Tony Nguyen <anthony.l.nguyen@xxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c
index 7b1885f9ce03..ed7ec27df8c2 100644
--- a/drivers/net/ethernet/intel/igb/igb_main.c
+++ b/drivers/net/ethernet/intel/igb/igb_main.c
@@ -4835,6 +4835,8 @@ static void igb_clean_tx_ring(struct igb_ring *tx_ring)
 					       DMA_TO_DEVICE);
 		}
 
+		tx_buffer->next_to_watch = NULL;
+
 		/* move us one more past the eop_desc for start of next pkt */
 		tx_buffer++;
 		i++;
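
Review bot: the added `tx_buffer->next_to_watch = NULL;` before `tx_buffer++` has no comment, and the commit named in the Fixes tag dropped the clearing of Tx buffer_info in this function on purpose, so a later cleanup could remove this store again as redundant. A short comment above it saying that igb_poll() may still look at this entry during a reset, and that a stale next_to_watch leads to a second free of the skb, would protect it. The commit message also describes igb_poll() running while the controller is reset, yet the store is a plain assignment; the message should say what orders it against the poll path, or whether clearing the pointer is enough on its own.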


