kernel_samsung_a53x/drivers/net
Ke Xiao d3f4cb674d i40e: fix use-after-free in i40e_aqc_add_filters()
[ Upstream commit 6a15584e99db8918b60e507539c7446375dcf366 ]

Commit 3116f59c12bd ("i40e: fix use-after-free in
i40e_sync_filters_subtask()") avoided use-after-free issues
by increasing the refcount while updating the VSI filter list to
the HW. However, it missed the unicast situation.

When deleting a unicast FDB entry, the i40e driver will release
the mac_filter, and i40e_service_task will concurrently request
firmware to add the mac_filter, which will lead to the following
use-after-free issue.

Fix again for both netdev->uc and netdev->mc.

BUG: KASAN: use-after-free in i40e_aqc_add_filters+0x55c/0x5b0 [i40e]
Read of size 2 at addr ffff888eb3452d60 by task kworker/8:7/6379

CPU: 8 PID: 6379 Comm: kworker/8:7 Kdump: loaded Tainted: G
Workqueue: i40e i40e_service_task [i40e]
Call Trace:
 dump_stack+0x71/0xab
 print_address_description+0x6b/0x290
 kasan_report+0x14a/0x2b0
 i40e_aqc_add_filters+0x55c/0x5b0 [i40e]
 i40e_sync_vsi_filters+0x1676/0x39c0 [i40e]
 i40e_service_task+0x1397/0x2bb0 [i40e]
 process_one_work+0x56a/0x11f0
 worker_thread+0x8f/0xf40
 kthread+0x2a0/0x390
 ret_from_fork+0x1f/0x40

Allocated by task 21948:
 kasan_kmalloc+0xa6/0xd0
 kmem_cache_alloc_trace+0xdb/0x1c0
 i40e_add_filter+0x11e/0x520 [i40e]
 i40e_addr_sync+0x37/0x60 [i40e]
 __hw_addr_sync_dev+0x1f5/0x2f0
 i40e_set_rx_mode+0x61/0x1e0 [i40e]
 dev_uc_add_excl+0x137/0x190
 i40e_ndo_fdb_add+0x161/0x260 [i40e]
 rtnl_fdb_add+0x567/0x950
 rtnetlink_rcv_msg+0x5db/0x880
 netlink_rcv_skb+0x254/0x380
 netlink_unicast+0x454/0x610
 netlink_sendmsg+0x747/0xb00
 sock_sendmsg+0xe2/0x120
 __sys_sendto+0x1ae/0x290
 __x64_sys_sendto+0xdd/0x1b0
 do_syscall_64+0xa0/0x370
 entry_SYSCALL_64_after_hwframe+0x65/0xca

Freed by task 21948:
 __kasan_slab_free+0x137/0x190
 kfree+0x8b/0x1b0
 __i40e_del_filter+0x116/0x1e0 [i40e]
 i40e_del_mac_filter+0x16c/0x300 [i40e]
 i40e_addr_unsync+0x134/0x1b0 [i40e]
 __hw_addr_sync_dev+0xff/0x2f0
 i40e_set_rx_mode+0x61/0x1e0 [i40e]
 dev_uc_del+0x77/0x90
 rtnl_fdb_del+0x6a5/0x860
 rtnetlink_rcv_msg+0x5db/0x880
 netlink_rcv_skb+0x254/0x380
 netlink_unicast+0x454/0x610
 netlink_sendmsg+0x747/0xb00
 sock_sendmsg+0xe2/0x120
 __sys_sendto+0x1ae/0x290
 __x64_sys_sendto+0xdd/0x1b0
 do_syscall_64+0xa0/0x370
 entry_SYSCALL_64_after_hwframe+0x65/0xca

Fixes: 3116f59c12bd ("i40e: fix use-after-free in i40e_sync_filters_subtask()")
Fixes: 41c445ff0f48 ("i40e: main driver core")
Signed-off-by: Ke Xiao <xiaoke@sangfor.com.cn>
Signed-off-by: Ding Hui <dinghui@sangfor.com.cn>
Cc: Di Zhu <zhudi2@huawei.com>
Reviewed-by: Jan Sokolowski <jan.sokolowski@intel.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
Tested-by: Pucha Himasekhar Reddy <himasekharx.reddy.pucha@intel.com> (A Contingent worker at Intel)
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2024-11-18 12:12:07 +01:00
appletalk Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
arcnet arcnet: restoring support for multiple Sohard Arcnet cards 2024-11-18 12:11:39 +01:00
bonding bonding: stop the device in bond_setup_by_slave() 2024-11-18 11:43:19 +01:00
caif Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
can can: dev: can_restart(): fix race condition between controller restart and netif_carrier_on() 2024-11-18 11:42:49 +01:00
dropdump Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
dsa net: dsa: lan9303: consequently nested-lock physical MDIO 2024-11-18 11:43:30 +01:00
ethernet i40e: fix use-after-free in i40e_aqc_add_filters() 2024-11-18 12:12:07 +01:00
fddi Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
fjes Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
hamradio Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
hippi Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
hyperv hv_netvsc: rndis_filter needs to select NLS 2024-11-18 12:11:39 +01:00
ieee802154 net: ieee802154: adf7242: Fix some potential buffer overflow in adf7242_stats_show() 2024-11-18 10:58:29 +01:00
ipa Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
ipvlan ipvlan: add ipvlan_route_v6_outbound() helper 2024-11-18 11:43:19 +01:00
mdio Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
netdevsim Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
pcs Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
phy net: phylink: initialize carrier state at creation 2024-11-18 11:43:30 +01:00
plip Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
ppp ppp: limit MRU to 64K 2024-11-18 11:43:19 +01:00
slip Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
team team: Fix use-after-free when an option instance allocation fails 2024-11-18 12:11:57 +01:00
usb net: usb: qmi_wwan: claim interface 4 for ZTE MF290 2024-11-18 12:11:57 +01:00
vmxnet3 Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
vxlan Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
wan Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
wimax Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
wireguard wireguard: use DEV_STATS_INC() 2024-11-18 12:10:54 +01:00
wireless wifi: ath11k: fix htt pktlog locking 2024-11-18 11:43:25 +01:00
xen-netback xen-netback: use default TX queue size for vifs 2024-11-08 11:25:45 +01:00
bareudp.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
dummy.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
eql.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
geneve.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
gtp.c gtp: fix fragmentation needed check with gso 2024-11-18 10:58:30 +01:00
ifb.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
Kconfig Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
LICENSE.SRC Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
loopback.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
macsec.c net: macsec: indicate next pn update when offloading 2024-11-08 11:25:46 +01:00
macvlan.c macvlan: Don't propagate promisc change to lower dev in passthru 2024-11-18 11:43:20 +01:00
macvtap.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
Makefile Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
mdio.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
mii.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
net_failover.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
netconsole.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
nlmon.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
ntb_netdev.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
rionet.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
sb1000.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
Space.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
sungem_phy.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
tap.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
thunderbolt.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
tun.c tun: prevent negative ifindex 2024-11-08 11:26:10 +01:00
veth.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
virtio_net.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
vrf.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
vsockmon.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
xen-netfront.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00