linux-stable/drivers/net
Ke Xiao 90cf756c4f i40e: fix use-after-free in i40e_aqc_add_filters()
[ Upstream commit 6a15584e99 ]

Commit 3116f59c12 ("i40e: fix use-after-free in
i40e_sync_filters_subtask()") avoided use-after-free issues
by increasing the refcount while updating the VSI filter list to
the HW. However, it missed the unicast situation.

When deleting a unicast FDB entry, the i40e driver will release
the mac_filter, and i40e_service_task will concurrently request
firmware to add the mac_filter, which will lead to the following
use-after-free issue.

Fix again for both netdev->uc and netdev->mc.

BUG: KASAN: use-after-free in i40e_aqc_add_filters+0x55c/0x5b0 [i40e]
Read of size 2 at addr ffff888eb3452d60 by task kworker/8:7/6379

CPU: 8 PID: 6379 Comm: kworker/8:7 Kdump: loaded Tainted: G
Workqueue: i40e i40e_service_task [i40e]
Call Trace:
 dump_stack+0x71/0xab
 print_address_description+0x6b/0x290
 kasan_report+0x14a/0x2b0
 i40e_aqc_add_filters+0x55c/0x5b0 [i40e]
 i40e_sync_vsi_filters+0x1676/0x39c0 [i40e]
 i40e_service_task+0x1397/0x2bb0 [i40e]
 process_one_work+0x56a/0x11f0
 worker_thread+0x8f/0xf40
 kthread+0x2a0/0x390
 ret_from_fork+0x1f/0x40

Allocated by task 21948:
 kasan_kmalloc+0xa6/0xd0
 kmem_cache_alloc_trace+0xdb/0x1c0
 i40e_add_filter+0x11e/0x520 [i40e]
 i40e_addr_sync+0x37/0x60 [i40e]
 __hw_addr_sync_dev+0x1f5/0x2f0
 i40e_set_rx_mode+0x61/0x1e0 [i40e]
 dev_uc_add_excl+0x137/0x190
 i40e_ndo_fdb_add+0x161/0x260 [i40e]
 rtnl_fdb_add+0x567/0x950
 rtnetlink_rcv_msg+0x5db/0x880
 netlink_rcv_skb+0x254/0x380
 netlink_unicast+0x454/0x610
 netlink_sendmsg+0x747/0xb00
 sock_sendmsg+0xe2/0x120
 __sys_sendto+0x1ae/0x290
 __x64_sys_sendto+0xdd/0x1b0
 do_syscall_64+0xa0/0x370
 entry_SYSCALL_64_after_hwframe+0x65/0xca

Freed by task 21948:
 __kasan_slab_free+0x137/0x190
 kfree+0x8b/0x1b0
 __i40e_del_filter+0x116/0x1e0 [i40e]
 i40e_del_mac_filter+0x16c/0x300 [i40e]
 i40e_addr_unsync+0x134/0x1b0 [i40e]
 __hw_addr_sync_dev+0xff/0x2f0
 i40e_set_rx_mode+0x61/0x1e0 [i40e]
 dev_uc_del+0x77/0x90
 rtnl_fdb_del+0x6a5/0x860
 rtnetlink_rcv_msg+0x5db/0x880
 netlink_rcv_skb+0x254/0x380
 netlink_unicast+0x454/0x610
 netlink_sendmsg+0x747/0xb00
 sock_sendmsg+0xe2/0x120
 __sys_sendto+0x1ae/0x290
 __x64_sys_sendto+0xdd/0x1b0
 do_syscall_64+0xa0/0x370
 entry_SYSCALL_64_after_hwframe+0x65/0xca

Fixes: 3116f59c12 ("i40e: fix use-after-free in i40e_sync_filters_subtask()")
Fixes: 41c445ff0f ("i40e: main driver core")
Signed-off-by: Ke Xiao <xiaoke@sangfor.com.cn>
Signed-off-by: Ding Hui <dinghui@sangfor.com.cn>
Cc: Di Zhu <zhudi2@huawei.com>
Reviewed-by: Jan Sokolowski <jan.sokolowski@intel.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
Tested-by: Pucha Himasekhar Reddy <himasekharx.reddy.pucha@intel.com> (A Contingent worker at Intel)
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2024-01-10 14:45:41 +01:00
appletalk
arcnet net: arcnet: Do not call kfree_skb() under local_irq_disable() 2023-09-23 10:46:55 +02:00
bonding bonding: Fix incorrect deletion of ETH_P_8021AD protocol vid from slaves 2023-08-16 18:10:54 +02:00
caif caif_virtio: fix race between virtio_device_ready() and ndo_open() 2022-07-07 17:31:17 +02:00
can can: gs_usb: gs_usb_receive_bulk_callback(): count RX overflow errors also in case of OOM 2023-09-23 10:46:55 +02:00
cris
dsa net: dsa: lan9303: consequently nested-lock physical MDIO 2023-11-28 16:45:45 +00:00
ethernet i40e: fix use-after-free in i40e_aqc_add_filters() 2024-01-10 14:45:41 +01:00
fddi net: defxx: Fix missing err handling in dfx_init() 2023-01-18 09:26:18 +01:00
fjes fjes: Check for error irq 2021-12-29 12:17:34 +01:00
hamradio hamradio: baycom_epp: Fix return type of baycom_send_packet() 2023-01-18 09:26:31 +01:00
hippi drivers: net: hippi: Fix deadlock in rr_close() 2022-05-12 12:17:08 +02:00
hyperv
ieee802154 ieee802154: ca8210: Fix a potential UAF in ca8210_probe 2023-10-25 11:13:30 +02:00
ipvlan ipvlan:Fix out-of-bounds caused by unclear skb->cb 2023-05-30 12:38:34 +01:00
phy net: phy: broadcom: stub c45 read/write for 54810 2023-08-30 16:35:14 +02:00
plip net: plip: don't call kfree_skb/dev_kfree_skb() under spin_lock_irq() 2022-12-14 11:26:15 +01:00
ppp ppp: associate skb with a device at tx 2023-01-18 09:26:32 +01:00
slip drivers: net: slip: fix NPD bug in sl_tx_timeout() 2022-04-20 09:08:32 +02:00
team team: Fix use-after-free when an option instance allocation fails 2023-12-20 15:32:38 +01:00
usb net: usb: qmi_wwan: claim interface 4 for ZTE MF290 2023-12-20 15:32:37 +01:00
vmxnet3 net: vmxnet3: fix possible NULL pointer dereference in vmxnet3_rq_cleanup() 2022-05-25 08:41:19 +02:00
wan drivers/net: process the result of hdlc_open() and add call of hdlc_close() in uhdlc_close() 2023-10-10 21:43:41 +02:00
wimax
wireless wifi: ath10k: fix clang-specific fortify warning 2023-11-28 16:45:43 +00:00
xen-netback xen/netback: Fix buffer overrun triggered by unusual packet 2023-08-08 19:48:25 +02:00
Kconfig
LICENSE.SRC
Makefile
Space.c
dummy.c
eql.c
geneve.c geneve: do not use RT_TOS for IPv6 flowlabel 2022-08-25 11:11:33 +02:00
gtp.c gtp: Fix use-after-free in __gtp_encap_destroy(). 2023-08-11 11:33:35 +02:00
ifb.c
loopback.c net: loopback: use NET_NAME_PREDICTABLE for name_assign_type 2023-01-18 09:26:07 +01:00
macsec.c Revert "net: macsec: preserve ingress frame ordering" 2023-09-23 10:46:54 +02:00
macvlan.c macvlan: enforce a consistent minimal mtu 2022-11-25 17:36:54 +01:00
macvtap.c macvtap: advertise link netns via netlink 2022-04-20 09:08:27 +02:00
mdio.c
mii.c
netconsole.c
nlmon.c
ntb_netdev.c ntb_netdev: Use dev_kfree_skb_any() in interrupt context 2023-01-18 09:26:20 +01:00
rionet.c
sb1000.c
sungem_phy.c net: sungem_phy: Add of_node_put() for reference returned by of_get_parent() 2022-08-25 11:11:09 +02:00
tap.c
tun.c drivers: net: prevent tun_build_skb() to exceed the packet size limit 2023-08-16 18:10:54 +02:00
veth.c veth: Ensure eth header is in skb's linear part 2022-04-20 09:08:31 +02:00
virtio_net.c virtio_net: bugfix overflow inside xdp_linearize_page() 2023-04-26 11:18:55 +02:00
vrf.c vrf: Reset IPCB/IP6CB when processing outbound pkts in vrf dev xmit 2021-12-08 08:46:54 +01:00
vsockmon.c
vxlan.c vxlan: fix error return code in vxlan_fdb_append 2022-04-27 13:15:30 +02:00
xen-netfront.c xen/netfront: force data bouncing when backend is untrusted 2022-07-07 17:31:18 +02:00