From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Di Zhu <zhudi2@huawei.com>,
Rui Zhang <zhangrui182@huawei.com>,
Gurucharan G <gurucharanx.g@intel.com>,
Tony Nguyen <anthony.l.nguyen@intel.com>
Subject: [PATCH 5.15 16/72] i40e: fix use-after-free in i40e_sync_filters_subtask()
Date: Mon, 10 Jan 2022 08:22:53 +0100 [thread overview]
Message-ID: <20220110071822.110037500@linuxfoundation.org> (raw)
In-Reply-To: <20220110071821.500480371@linuxfoundation.org>
From: Di Zhu <zhudi2@huawei.com>
commit 3116f59c12bd24c513194cd3acb3ec1f7d468954 upstream.
Using ifconfig command to delete the ipv6 address will cause
the i40e network card driver to delete its internal mac_filter and
i40e_service_task kernel thread will concurrently access the mac_filter.
These two processes are not protected by lock
so causing the following use-after-free problems.
print_address_description+0x70/0x360
? vprintk_func+0x5e/0xf0
kasan_report+0x1b2/0x330
i40e_sync_vsi_filters+0x4f0/0x1850 [i40e]
i40e_sync_filters_subtask+0xe3/0x130 [i40e]
i40e_service_task+0x195/0x24c0 [i40e]
process_one_work+0x3f5/0x7d0
worker_thread+0x61/0x6c0
? process_one_work+0x7d0/0x7d0
kthread+0x1c3/0x1f0
? kthread_park+0xc0/0xc0
ret_from_fork+0x35/0x40
Allocated by task 2279810:
kasan_kmalloc+0xa0/0xd0
kmem_cache_alloc_trace+0xf3/0x1e0
i40e_add_filter+0x127/0x2b0 [i40e]
i40e_add_mac_filter+0x156/0x190 [i40e]
i40e_addr_sync+0x2d/0x40 [i40e]
__hw_addr_sync_dev+0x154/0x210
i40e_set_rx_mode+0x6d/0xf0 [i40e]
__dev_set_rx_mode+0xfb/0x1f0
__dev_mc_add+0x6c/0x90
igmp6_group_added+0x214/0x230
__ipv6_dev_mc_inc+0x338/0x4f0
addrconf_join_solict.part.7+0xa2/0xd0
addrconf_dad_work+0x500/0x980
process_one_work+0x3f5/0x7d0
worker_thread+0x61/0x6c0
kthread+0x1c3/0x1f0
ret_from_fork+0x35/0x40
Freed by task 2547073:
__kasan_slab_free+0x130/0x180
kfree+0x90/0x1b0
__i40e_del_filter+0xa3/0xf0 [i40e]
i40e_del_mac_filter+0xf3/0x130 [i40e]
i40e_addr_unsync+0x85/0xa0 [i40e]
__hw_addr_sync_dev+0x9d/0x210
i40e_set_rx_mode+0x6d/0xf0 [i40e]
__dev_set_rx_mode+0xfb/0x1f0
__dev_mc_del+0x69/0x80
igmp6_group_dropped+0x279/0x510
__ipv6_dev_mc_dec+0x174/0x220
addrconf_leave_solict.part.8+0xa2/0xd0
__ipv6_ifa_notify+0x4cd/0x570
ipv6_ifa_notify+0x58/0x80
ipv6_del_addr+0x259/0x4a0
inet6_addr_del+0x188/0x260
addrconf_del_ifaddr+0xcc/0x130
inet6_ioctl+0x152/0x190
sock_do_ioctl+0xd8/0x2b0
sock_ioctl+0x2e5/0x4c0
do_vfs_ioctl+0x14e/0xa80
ksys_ioctl+0x7c/0xa0
__x64_sys_ioctl+0x42/0x50
do_syscall_64+0x98/0x2c0
entry_SYSCALL_64_after_hwframe+0x65/0xca
Fixes: 41c445ff0f48 ("i40e: main driver core")
Signed-off-by: Di Zhu <zhudi2@huawei.com>
Signed-off-by: Rui Zhang <zhangrui182@huawei.com>
Tested-by: Gurucharan G <gurucharanx.g@intel.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/intel/i40e/i40e_main.c | 24 ++++++++++++++++++++++++
1 file changed, 24 insertions(+)
--- a/drivers/net/ethernet/intel/i40e/i40e_main.c
+++ b/drivers/net/ethernet/intel/i40e/i40e_main.c
@@ -99,6 +99,24 @@ MODULE_LICENSE("GPL v2");
static struct workqueue_struct *i40e_wq;
+static void netdev_hw_addr_refcnt(struct i40e_mac_filter *f,
+ struct net_device *netdev, int delta)
+{
+ struct netdev_hw_addr *ha;
+
+ if (!f || !netdev)
+ return;
+
+ netdev_for_each_mc_addr(ha, netdev) {
+ if (ether_addr_equal(ha->addr, f->macaddr)) {
+ ha->refcount += delta;
+ if (ha->refcount <= 0)
+ ha->refcount = 1;
+ break;
+ }
+ }
+}
+
/**
* i40e_allocate_dma_mem_d - OS specific memory alloc for shared code
* @hw: pointer to the HW structure
@@ -2036,6 +2054,7 @@ static void i40e_undo_add_filter_entries
hlist_for_each_entry_safe(new, h, from, hlist) {
/* We can simply free the wrapper structure */
hlist_del(&new->hlist);
+ netdev_hw_addr_refcnt(new->f, vsi->netdev, -1);
kfree(new);
}
}
@@ -2383,6 +2402,10 @@ int i40e_sync_vsi_filters(struct i40e_vs
&tmp_add_list,
&tmp_del_list,
vlan_filters);
+
+ hlist_for_each_entry(new, &tmp_add_list, hlist)
+ netdev_hw_addr_refcnt(new->f, vsi->netdev, 1);
+
if (retval)
goto err_no_memory_locked;
@@ -2515,6 +2538,7 @@ int i40e_sync_vsi_filters(struct i40e_vs
if (new->f->state == I40E_FILTER_NEW)
new->f->state = new->state;
hlist_del(&new->hlist);
+ netdev_hw_addr_refcnt(new->f, vsi->netdev, -1);
kfree(new);
}
spin_unlock_bh(&vsi->mac_filter_hash_lock);
next prev parent reply other threads:[~2022-01-10 7:34 UTC|newest]
Thread overview: 83+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-01-10 7:22 [PATCH 5.15 00/72] 5.15.14-rc1 review Greg Kroah-Hartman
2022-01-10 7:22 ` [PATCH 5.15 01/72] fscache_cookie_enabled: check cookie is valid before accessing it Greg Kroah-Hartman
2022-01-10 7:22 ` [PATCH 5.15 02/72] selftests: x86: fix [-Wstringop-overread] warn in test_process_vm_readv() Greg Kroah-Hartman
2022-01-10 7:22 ` [PATCH 5.15 03/72] tracing: Fix check for trace_percpu_buffer validity in get_trace_buf() Greg Kroah-Hartman
2022-01-10 7:22 ` [PATCH 5.15 04/72] tracing: Tag trace_percpu_buffer as a percpu pointer Greg Kroah-Hartman
2022-01-10 7:22 ` [PATCH 5.15 05/72] Revert "RDMA/mlx5: Fix releasing unallocated memory in dereg MR flow" Greg Kroah-Hartman
2022-01-10 7:22 ` [PATCH 5.15 06/72] ieee802154: atusb: fix uninit value in atusb_set_extended_addr Greg Kroah-Hartman
2022-01-10 7:22 ` [PATCH 5.15 07/72] i40e: Fix to not show opcode msg on unsuccessful VF MAC change Greg Kroah-Hartman
2022-01-10 7:22 ` [PATCH 5.15 08/72] iavf: Fix limit of total number of queues to active queues of VF Greg Kroah-Hartman
2022-01-10 7:22 ` [PATCH 5.15 09/72] RDMA/core: Dont infoleak GRH fields Greg Kroah-Hartman
2022-01-10 7:22 ` [PATCH 5.15 10/72] Revert "net: usb: r8152: Add MAC passthrough support for more Lenovo Docks" Greg Kroah-Hartman
2022-01-10 7:22 ` [PATCH 5.15 11/72] netrom: fix copying in user data in nr_setsockopt Greg Kroah-Hartman
2022-01-10 7:22 ` [PATCH 5.15 12/72] RDMA/uverbs: Check for null return of kmalloc_array Greg Kroah-Hartman
2022-01-10 7:22 ` [PATCH 5.15 13/72] mac80211: initialize variable have_higher_than_11mbit Greg Kroah-Hartman
2022-01-10 7:22 ` [PATCH 5.15 14/72] mac80211: mesh: embedd mesh_paths and mpp_paths into ieee80211_if_mesh Greg Kroah-Hartman
2022-01-10 7:22 ` [PATCH 5.15 15/72] sfc: The RX page_ring is optional Greg Kroah-Hartman
2022-01-10 7:22 ` Greg Kroah-Hartman [this message]
2022-01-10 7:22 ` [PATCH 5.15 17/72] i40e: Fix for displaying message regarding NVM version Greg Kroah-Hartman
2022-01-10 7:22 ` [PATCH 5.15 18/72] i40e: Fix incorrect netdevs real number of RX/TX queues Greg Kroah-Hartman
2022-01-10 7:22 ` [PATCH 5.15 19/72] ftrace/samples: Add missing prototypes direct functions Greg Kroah-Hartman
2022-01-10 7:22 ` [PATCH 5.15 20/72] ipv4: Check attribute length for RTA_GATEWAY in multipath route Greg Kroah-Hartman
2022-01-10 7:22 ` [PATCH 5.15 21/72] ipv4: Check attribute length for RTA_FLOW " Greg Kroah-Hartman
2022-01-10 7:22 ` [PATCH 5.15 22/72] ipv6: Check attribute length for RTA_GATEWAY " Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.15 23/72] ipv6: Check attribute length for RTA_GATEWAY when deleting " Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.15 24/72] lwtunnel: Validate RTA_ENCAP_TYPE attribute length Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.15 25/72] selftests: net: udpgro_fwd.sh: explicitly checking the available ping feature Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.15 26/72] sctp: hold endpoint before calling cb in sctp_transport_lookup_process Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.15 27/72] batman-adv: mcast: dont send link-local multicast to mcast routers Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.15 28/72] sch_qfq: prevent shift-out-of-bounds in qfq_init_qdisc Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.15 29/72] net: ena: Fix undefined state when tx request id is out of bounds Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.15 30/72] net: ena: Fix wrong rx request id by resetting device Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.15 31/72] net: ena: Fix error handling when calculating max IO queues number Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.15 32/72] md/raid1: fix missing bitmap update w/o WriteMostly devices Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.15 33/72] EDAC/i10nm: Release mdev/mbase when failing to detect HBM Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.15 34/72] KVM: x86: Check for rmaps allocation Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.15 35/72] cgroup: Use open-time credentials for process migraton perm checks Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.15 36/72] cgroup: Allocate cgroup_file_ctx for kernfs_open_file->priv Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.15 37/72] cgroup: Use open-time cgroup namespace for process migration perm checks Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.15 38/72] Revert "i2c: core: support bus regulator controlling in adapter" Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.15 39/72] i2c: mpc: Avoid out of bounds memory access Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.15 40/72] xfs: map unwritten blocks in XFS_IOC_{ALLOC,FREE}SP just like fallocate Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.15 41/72] power: supply: core: Break capacity loop Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.15 42/72] power: reset: ltc2952: Fix use of floating point literals Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.15 43/72] reset: renesas: Fix Runtime PM usage Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.15 44/72] rndis_host: support Hytera digital radios Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.15 45/72] gpio: gpio-aspeed-sgpio: Fix wrong hwirq base in irq handler Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.15 46/72] net ticp:fix a kernel-infoleak in __tipc_sendmsg() Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.15 47/72] phonet: refcount leak in pep_sock_accep Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.15 48/72] fbdev: fbmem: add a helper to determine if an aperture is used by a fw fb Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.15 49/72] drm/amdgpu: disable runpm if we are the primary adapter Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.15 50/72] power: bq25890: Enable continuous conversion for ADC at charging Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.15 51/72] ipv6: Continue processing multipath route even if gateway attribute is invalid Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.15 52/72] ipv6: Do cleanup if attribute validation fails in multipath route Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.15 53/72] auxdisplay: charlcd: checking for pointer reference before dereferencing Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.15 54/72] drm/amdgpu: fix dropped backing store handling in amdgpu_dma_buf_move_notify Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.15 55/72] drm/amd/pm: Fix xgmi link control on aldebaran Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.15 56/72] usb: mtu3: fix interval value for intr and isoc Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.15 57/72] scsi: libiscsi: Fix UAF in iscsi_conn_get_param()/iscsi_conn_teardown() Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.15 58/72] ip6_vti: initialize __ip6_tnl_parm struct in vti6_siocdevprivate Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.15 59/72] net: udp: fix alignment problem in udp4_seq_show() Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.15 60/72] atlantic: Fix buff_ring OOB in aq_ring_rx_clean Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.15 61/72] drm/amd/pm: skip setting gfx cgpg in the s0ix suspend-resume Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.15 62/72] drm/amdgpu: always reset the asic in suspend (v2) Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.15 63/72] drm/amdgpu: put SMU into proper state on runpm suspending for BOCO capable platform Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.15 64/72] mISDN: change function names to avoid conflicts Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.15 65/72] drm/amd/display: fix B0 TMDS deepcolor no dislay issue Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.15 66/72] drm/amd/display: Added power down for DCN10 Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.15 67/72] ipv6: raw: check passed optlen before reading Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.15 68/72] userfaultfd/selftests: fix hugetlb area allocations Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.15 69/72] ARM: dts: gpio-ranges property is now required Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.15 70/72] Input: zinitix - make sure the IRQ is allocated before it gets enabled Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.15 71/72] Revert "drm/amdgpu: stop scheduler when calling hw_fini (v2)" Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.15 72/72] drm/amd/pm: keep the BACO feature enabled for suspend Greg Kroah-Hartman
2022-01-10 11:49 ` [PATCH 5.15 00/72] 5.15.14-rc1 review Jon Hunter
2022-01-10 14:30 ` Jeffrin Jose T
2022-01-10 20:16 ` Florian Fainelli
2022-01-10 21:17 ` Fox Chen
2022-01-10 22:55 ` Shuah Khan
2022-01-10 23:50 ` Guenter Roeck
2022-01-11 3:48 ` Zan Aziz
2022-01-11 5:14 ` Naresh Kamboju
2022-01-11 7:35 ` Rudi Heitbaum
2022-01-11 12:41 ` Sudip Mukherjee
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220110071822.110037500@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=anthony.l.nguyen@intel.com \
--cc=gurucharanx.g@intel.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=zhangrui182@huawei.com \
--cc=zhudi2@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).