Re: [PATCH net v3 1/2] iavf: Fix use-after-free in free_netdev

From: Ding Hui
Date: Mon May 01 2023 - 03:51:28 EST

Next message: Avri Altman: "RE: [PATCH] scsi: ufs: core: Fix IO hang that occurs when BKOPS fails in W-LUN suspend"
Previous message: Frank Wunderlich: "Re: Aw: [PATCH] PCI: mediatek-gen3: handle PERST after reset"
In reply to: Simon Horman: "Re: [PATCH net v3 1/2] iavf: Fix use-after-free in free_netdev"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 2023/5/1 15:01, Simon Horman wrote:

On Sat, Apr 29, 2023 at 09:20:21PM +0800, Ding Hui wrote:

We do netif_napi_add() for all allocated q_vectors[], but potentially
do netif_napi_del() for part of them, then kfree q_vectors and leave
invalid pointers at dev->napi_list.

...

Although the patch #2 (of 2) can avoid the issuse triggered by this
repro.sh, there still are other potential risks that if num_active_queues
is changed to less than allocated q_vectors[] by unexpected, the
mismatched netif_napi_add/del() can also casue UAF.

nit: ./checkpatch --codespell tells me:

s/casue/cause/

Sorry, I'll fix it in v4.

Since we actually call netif_napi_add() for all allocated q_vectors
unconditionally in iavf_alloc_q_vectors(), so we should fix it by
letting netif_napi_del() match to netif_napi_add().

Fixes: 5eae00c57f5e ("i40evf: main driver core")
Signed-off-by: Ding Hui <dinghui@xxxxxxxxxxxxxx>
Cc: Donglin Peng <pengdonglin@xxxxxxxxxxxxxx>
Cc: Huang Cun <huangcun@xxxxxxxxxxxxxx>
Reviewed-by: Simon Horman <simon.horman@xxxxxxxxxxxx>
Reviewed-by: Michal Kubiak <michal.kubiak@xxxxxxxxx>
Reviewed-by: Madhu Chittim <madhu.chittim@xxxxxxxxx>

--
Thanks,
-dinghui

Next message: Avri Altman: "RE: [PATCH] scsi: ufs: core: Fix IO hang that occurs when BKOPS fails in W-LUN suspend"
Previous message: Frank Wunderlich: "Re: Aw: [PATCH] PCI: mediatek-gen3: handle PERST after reset"
In reply to: Simon Horman: "Re: [PATCH net v3 1/2] iavf: Fix use-after-free in free_netdev"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]