Re: [PATCH net 1/2] iavf: Fix use-after-free in free_netdev

From: Ding Hui
Date: Tue Apr 18 2023 - 21:00:50 EST

Next message: Ian Rogers: "Re: [PATCH v2] perf stat: Introduce skippable evsels"
Previous message: Dongliang Mu: "Re: [PATCH] clk: imx: clk-imx8mm: fix memory leak issue in 'imx8mm_clocks_probe'"
In reply to: Tony Nguyen: "Re: [PATCH net 1/2] iavf: Fix use-after-free in free_netdev"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 2023/4/19 0:50, Tony Nguyen wrote:

On 4/8/2023 7:00 AM, Ding Hui wrote:

We do netif_napi_add() for all allocated q_vectors[], but potentially
do netif_napi_del() for part of them, then kfree q_vectors and lefted
invalid pointers at dev->napi_list.

If num_active_queues is changed to less than allocated q_vectors[] by
by unexpected, when iavf_remove, we might see UAF in free_netdev like this:

[ 4093.900222] ==================================================================
[ 4093.900230] BUG: KASAN: use-after-free in free_netdev+0x308/0x390
[ 4093.900232] Read of size 8 at addr ffff88b4dc145640 by task test-iavf-1.sh/6699

...

Fix it by letting netif_napi_del() match to netif_napi_add().

Should this have a Fixes:?

Yes, I searched the git log, and found that the mismatched usage was
introduced since the beginning of i40evf_main.c, so I'll add

Fixes: 5eae00c57f5e ("i40evf: main driver core")

in v2.

--
Thanks,
- Ding Hui

Next message: Ian Rogers: "Re: [PATCH v2] perf stat: Introduce skippable evsels"
Previous message: Dongliang Mu: "Re: [PATCH] clk: imx: clk-imx8mm: fix memory leak issue in 'imx8mm_clocks_probe'"
In reply to: Tony Nguyen: "Re: [PATCH net 1/2] iavf: Fix use-after-free in free_netdev"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]