Re: [PATCH net 1/2] iavf: Fix use-after-free in free_netdev

[Tony Nguyen]

On 4/8/2023 7:00 AM, Ding Hui wrote:
> We do netif_napi_add() for all allocated q_vectors[], but potentially
> do netif_napi_del() for part of them, then kfree q_vectors and lefted
> invalid pointers at dev->napi_list.
>
> If num_active_queues is changed to less than allocated q_vectors[] by
> by unexpected, when iavf_remove, we might see UAF in free_netdev like this:
>
> [ 4093.900222] ==================================================================
> [ 4093.900230] BUG: KASAN: use-after-free in free_netdev+0x308/0x390
> [ 4093.900232] Read of size 8 at addr ffff88b4dc145640 by task test-iavf-1.sh/6699

...

> Fix it by letting netif_napi_del() match to netif_napi_add().

Should this have a Fixes:?

> Signed-off-by: Ding Hui <dinghui@xxxxxxxxxxxxxx>
> Cc: Donglin Peng <pengdonglin@xxxxxxxxxxxxxx>
> CC: Huang Cun <huangcun@xxxxxxxxxxxxxx>