From: Saeed Mahameed <saeed@kernel.org>
To: "David S. Miller" <davem@davemloft.net>,
Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
Eric Dumazet <edumazet@google.com>
Cc: Saeed Mahameed <saeedm@nvidia.com>,
netdev@vger.kernel.org, Tariq Toukan <tariqt@nvidia.com>,
Thomas Gleixner <tglx@linutronix.de>, Eli Cohen <elic@nvidia.com>,
Jacob Keller <jacob.e.keller@intel.com>
Subject: [net-next V2 01/15] lib: cpu_rmap: Avoid use after free on rmap->obj array entries
Date: Fri, 24 Mar 2023 16:13:27 -0700 [thread overview]
Message-ID: <20230324231341.29808-2-saeed@kernel.org> (raw)
In-Reply-To: <20230324231341.29808-1-saeed@kernel.org>
From: Eli Cohen <elic@nvidia.com>
When calling irq_set_affinity_notifier() with NULL at the notify
argument, it will cause freeing of the glue pointer in the
corresponding array entry but will leave the pointer in the array. A
subsequent call to free_irq_cpu_rmap() will try to free this entry again
leading to possible use after free.
Fix that by setting NULL to the array entry and checking that we have
non-zero at the array entry when iterating over the array in
free_irq_cpu_rmap().
The current code does not suffer from this since there are no cases
where irq_set_affinity_notifier(irq, NULL) (note the NULL passed for the
notify arg) is called, followed by a call to free_irq_cpu_rmap() so we
don't hit and issue. Subsequent patches in this series excersize this
flow, hence the required fix.
Cc: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Eli Cohen <elic@nvidia.com>
Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
---
lib/cpu_rmap.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/lib/cpu_rmap.c b/lib/cpu_rmap.c
index f08d9c56f712..e77f12bb3c77 100644
--- a/lib/cpu_rmap.c
+++ b/lib/cpu_rmap.c
@@ -232,7 +232,8 @@ void free_irq_cpu_rmap(struct cpu_rmap *rmap)
for (index = 0; index < rmap->used; index++) {
glue = rmap->obj[index];
- irq_set_affinity_notifier(glue->notify.irq, NULL);
+ if (glue)
+ irq_set_affinity_notifier(glue->notify.irq, NULL);
}
cpu_rmap_put(rmap);
@@ -268,6 +269,7 @@ static void irq_cpu_rmap_release(struct kref *ref)
container_of(ref, struct irq_glue, notify.kref);
cpu_rmap_put(glue->rmap);
+ glue->rmap->obj[glue->index] = NULL;
kfree(glue);
}
@@ -297,6 +299,7 @@ int irq_cpu_rmap_add(struct cpu_rmap *rmap, int irq)
rc = irq_set_affinity_notifier(irq, &glue->notify);
if (rc) {
cpu_rmap_put(glue->rmap);
+ rmap->obj[glue->index] = NULL;
kfree(glue);
}
return rc;
--
2.39.2
next prev parent reply other threads:[~2023-03-24 23:14 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-03-24 23:13 [pull request][net-next V2 00/15] mlx5 updates 2023-03-20 Saeed Mahameed
2023-03-24 23:13 ` Saeed Mahameed [this message]
2023-03-29 7:00 ` [net-next V2 01/15] lib: cpu_rmap: Avoid use after free on rmap->obj array entries patchwork-bot+netdevbpf
2023-03-24 23:13 ` [net-next V2 02/15] lib: cpu_rmap: Use allocator for rmap entries Saeed Mahameed
2023-03-24 23:13 ` [net-next V2 03/15] lib: cpu_rmap: Add irq_cpu_rmap_remove to complement irq_cpu_rmap_add Saeed Mahameed
2023-03-24 23:13 ` [net-next V2 04/15] net/mlx5e: Coding style fix, add empty line Saeed Mahameed
2023-03-24 23:13 ` [net-next V2 05/15] net/mlx5: Fix wrong comment Saeed Mahameed
2023-03-24 23:13 ` [net-next V2 06/15] net/mlx5: Modify struct mlx5_irq to use struct msi_map Saeed Mahameed
2023-03-24 23:13 ` [net-next V2 07/15] net/mlx5: Use newer affinity descriptor Saeed Mahameed
2023-03-24 23:13 ` [net-next V2 08/15] net/mlx5: Improve naming of pci function vectors Saeed Mahameed
2023-03-24 23:13 ` [net-next V2 09/15] net/mlx5: Refactor completion irq request/release code Saeed Mahameed
2023-03-24 23:13 ` [net-next V2 10/15] net/mlx5: Use dynamic msix vectors allocation Saeed Mahameed
2023-03-24 23:13 ` [net-next V2 11/15] net/mlx5: Move devlink registration before mlx5_load Saeed Mahameed
2023-03-24 23:13 ` [net-next V2 12/15] net/mlx5: Refactor calculation of required completion vectors Saeed Mahameed
2023-03-24 23:13 ` [net-next V2 13/15] net/mlx5: Use one completion vector if eth is disabled Saeed Mahameed
2023-03-24 23:13 ` [net-next V2 14/15] net/mlx5: Provide external API for allocating vectors Saeed Mahameed
2023-03-24 23:13 ` [net-next V2 15/15] vdpa/mlx5: Support interrupt bypassing Saeed Mahameed
2023-03-25 1:26 ` [pull request][net-next V2 00/15] mlx5 updates 2023-03-20 Saeed Mahameed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230324231341.29808-2-saeed@kernel.org \
--to=saeed@kernel.org \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=elic@nvidia.com \
--cc=jacob.e.keller@intel.com \
--cc=kuba@kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=saeedm@nvidia.com \
--cc=tariqt@nvidia.com \
--cc=tglx@linutronix.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.