Received: by 2002:a05:6358:9144:b0:117:f937:c515 with SMTP id r4csp2605690rwr; Fri, 21 Apr 2023 11:08:12 -0700 (PDT) X-Google-Smtp-Source: AKy350b6VHEbxmtzRrL9RKTNYkoDkUevGlAezow+rKy/eI+uZUKiDmUHYqYpO6+U8zIyyjZO2ZgG X-Received: by 2002:a05:6a00:1c95:b0:5e4:f141:568b with SMTP id y21-20020a056a001c9500b005e4f141568bmr6732573pfw.3.1682100492487; Fri, 21 Apr 2023 11:08:12 -0700 (PDT) Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id i19-20020aa796f3000000b0063b1739532esi4958599pfq.139.2023.04.21.11.07.58; Fri, 21 Apr 2023 11:08:12 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@intel.com header.s=Intel header.b="X/jtg1gs"; arc=fail (signature failed); spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229950AbjDUR6x (ORCPT + 99 others); Fri, 21 Apr 2023 13:58:53 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:56902 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229476AbjDUR6s (ORCPT ); Fri, 21 Apr 2023 13:58:48 -0400 Received: from mga11.intel.com (mga11.intel.com [192.55.52.93]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 6AB62E7C; Fri, 21 Apr 2023 10:58:47 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1682099927; x=1713635927; h=message-id:date:subject:to:cc:references:from: in-reply-to:content-transfer-encoding:mime-version; bh=AjKk9NGKXfyQqiQh+4jGp3nRrLduwFyRSDtYd+hN5QU=; b=X/jtg1gsqZIHg8DqJyvMkMNbPr2HbEYtBz6k9Q5Yff806RraLqoiquoa WM0WqhqQ+tLtNN64MLm9OLchePuqyaQ89y5oLYW+vX853ZkwHkRlxyJdc ujJoohCgiWnfv9syIlGgM7v+lAxxMIE5kErRs/p+XoN03t9qRt8yNDRHw BY+wS4TSxeUxhUUw1Jz0Xeuu9LyQCLgZKAxSgzxK+t3mxRJGQ3JOTW9Pt ix8Et3lz83uxsJJmsac5gDZcvN8ombtvMGrGxY+wYy8WS27hmyLbIzobl flxqTyWRischXkaSthuKM0gZcbZK9rUB0vrUNQUUnFYIVy4//8GvarMvz Q==; X-IronPort-AV: E=McAfee;i="6600,9927,10687"; a="343532891" X-IronPort-AV: E=Sophos;i="5.99,214,1677571200"; d="scan'208";a="343532891" Received: from orsmga001.jf.intel.com ([10.7.209.18]) by fmsmga102.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 21 Apr 2023 10:58:46 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=McAfee;i="6600,9927,10687"; a="724918624" X-IronPort-AV: E=Sophos;i="5.99,214,1677571200"; d="scan'208";a="724918624" Received: from fmsmsx602.amr.corp.intel.com ([10.18.126.82]) by orsmga001.jf.intel.com with ESMTP; 21 Apr 2023 10:58:46 -0700 Received: from fmsmsx610.amr.corp.intel.com (10.18.126.90) by fmsmsx602.amr.corp.intel.com (10.18.126.82) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.23; Fri, 21 Apr 2023 10:58:45 -0700 Received: from fmsedg602.ED.cps.intel.com (10.1.192.136) by fmsmsx610.amr.corp.intel.com (10.18.126.90) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.23 via Frontend Transport; Fri, 21 Apr 2023 10:58:45 -0700 Received: from NAM11-CO1-obe.outbound.protection.outlook.com (104.47.56.176) by edgegateway.intel.com (192.55.55.71) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.2507.23; Fri, 21 Apr 2023 10:58:45 -0700 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=mso2WUI6mlCG08vl1GHzn37MWWFCw/Jdta0avlmja4IxnYExT7Rx0aHAtSj1B/TC90sFdtoy6vYbAbcSHB82DzIQIpCD6R6hc+S5WF004hQYWcrizSkzdHlYU3JHbgyVz71m0dLin3hSh+5ve4wokuM5uMtG2z8nQrwyB+fMx5/ujSEzD2qfzk+PMwtvjY/wUc66dcAu9O0J9N5mx4yaTl4Qnhxt93qmDBgNE71iDNr/5w2DJMfyv+9Y/nNm+yUCNWnyr/AGZs3RutnvEoVnmwmE0/QbdVod5DSP6A4uRDlhfvzjtt2rezJoj9WcjAT//nJzF4bcgzImbG99jlkvXQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=WG/OigtxRR9aodivGy4F6x5d15c2GcXce2aAtDUAujQ=; b=iGo5CSW+pKAokHaJwqAS/2/QeFILZpkKwtmzo56euSkc7EoyRFHzVlxDmsna41+fsqeHGrrauFa1Bvj1dN7qD5rUx/6giYvlmV1pxQuQ3BCRsRjpnkniEUYHgeYTo5YJn3OcqVphiQbOvPihOX+MnM8YikooDV/En96kDTJuc8li1GkRWNIQVC5x7R1UdJ//DCRipN2Y6nTDsOuFoGIAK0gb9iJHJQ0sQES39MOiXzCtPan5AU2vb/s+yRJXyH1Ks55ATePAiZxcd/M3WWaMzqGqWge8v4NoKRr+1Ou7VTQdhd6MZpgv1OcN03omr1r79StnqWZi/Vzyh8ht+JhW5w== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=intel.com; dmarc=pass action=none header.from=intel.com; dkim=pass header.d=intel.com; arc=none Authentication-Results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=intel.com; Received: from CO1PR11MB5042.namprd11.prod.outlook.com (2603:10b6:303:99::14) by IA1PR11MB6124.namprd11.prod.outlook.com (2603:10b6:208:3ec::11) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6319.22; Fri, 21 Apr 2023 17:58:42 +0000 Received: from CO1PR11MB5042.namprd11.prod.outlook.com ([fe80::503:fbbc:de8b:476d]) by CO1PR11MB5042.namprd11.prod.outlook.com ([fe80::503:fbbc:de8b:476d%5]) with mapi id 15.20.6319.022; Fri, 21 Apr 2023 17:58:42 +0000 Message-ID: <7b1a31f2-3ab3-1c50-ae47-f004fe321fca@intel.com> Date: Fri, 21 Apr 2023 10:58:38 -0700 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Thunderbird/102.10.0 Subject: Re: [Intel-wired-lan] [PATCH net v2 1/2] iavf: Fix use-after-free in free_netdev Content-Language: en-US To: Ding Hui , , , , , , , CC: , , , , , , , , , , , References: <20230419150709.24810-1-dinghui@sangfor.com.cn> <20230419150709.24810-2-dinghui@sangfor.com.cn> From: "Chittim, Madhu" In-Reply-To: <20230419150709.24810-2-dinghui@sangfor.com.cn> Content-Type: text/plain; charset="UTF-8"; format=flowed Content-Transfer-Encoding: 7bit X-ClientProxiedBy: SJ0PR03CA0275.namprd03.prod.outlook.com (2603:10b6:a03:39e::10) To CO1PR11MB5042.namprd11.prod.outlook.com (2603:10b6:303:99::14) MIME-Version: 1.0 X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: CO1PR11MB5042:EE_|IA1PR11MB6124:EE_ X-MS-Office365-Filtering-Correlation-Id: 3ef8b303-ce20-46f9-89d5-08db42920ade X-LD-Processed: 46c98d88-e344-4ed4-8496-4ed7712e255d,ExtAddr X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0; X-Microsoft-Antispam-Message-Info: IF0JOe9/UiXE2+KkqDytpY2VGBdHKTs9PpjxwCBdusr9qDaVVUn4RA1bCh1hQJQeydymYin+B4qALO0T6u7ioORHaak/9/GRqlVTQMXhBd1+7mNkhLqbTDvj30U6ZvjgfDdy0B3AUQHDWfQ3V68KGclK6BO5LqnMu5z8ZVq8kbGm/t3TjKmun0NcnnKBe1fRFCPRiBX5u1JQpvlN0FKxf12jmIja3tctqmo27HPoBDjOfYAJjSX7rHDuBWeNPeXPcWqrWYYL5G6ngxFHG7SNcvGxfqUa5eTEjkKDQmkeTtQ7NrLLm5FhJbjAgNTU2w0rjrIllqMz6dl4gNVKCcgW6F3uNcazGOHWz3zBdbEAlzu1cjLeBAhex/L+o99GUsd4ofASYw0rOXFZg7ftmlpZu5cZVNVyAyGYYQ0BI/ohjen6exu3Wx15AzoTlSVBjyW9Q6iz/Sh8XOAkmTjBO5+zpZ/OxtVGAJCHphWgh6HniL9U3znxx62GLrZcseA8PXLzCQAOyx2ZIL83gDXdzEnq4K4ZzQumOvvZbvw1VBaySv3dABi5ATXDd6O5HvJf1iYb1uQ5YqUUXKaQs7brjgtsg9EPF4Bq60l5C0571XrJR0+F/c124msjNXLEoILt1JwiHTXnM5V7m7lJFrSGM+xbSg== X-Forefront-Antispam-Report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:CO1PR11MB5042.namprd11.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230028)(346002)(366004)(136003)(376002)(396003)(39860400002)(451199021)(84970400001)(31686004)(4326008)(316002)(6636002)(66946007)(66476007)(66556008)(36756003)(53546011)(6512007)(6506007)(26005)(82960400001)(38100700002)(2616005)(186003)(83380400001)(5660300002)(8676002)(41300700001)(6486002)(478600001)(2906002)(6666004)(8936002)(31696002)(7416002)(86362001)(45980500001)(43740500002);DIR:OUT;SFP:1102; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: =?utf-8?B?Z29USWIwVHhxQ1Jta2xxYTlpc24wNUFYUS9rb3l5S1phZ1hZTmJQTlJLQzYx?= =?utf-8?B?Y1gvZUxybUFza3J2amIyQmRUTGVtT2o2ZlhHNXhMUmw5ay92V0VnYmxDWDU3?= =?utf-8?B?aUVEazgyL2JRRVdIUGlUN0tGQ1c4RkQrWG1JV2k2UCtXa1NKTGg2RkVCZHBE?= =?utf-8?B?TFh5aGRHcFdyNE15bjdRVnRaN3FFc2VFSWdreE40bDRoUDQ2MWxNYkYraG1W?= =?utf-8?B?aTkyYTVOYTJISmJiMFdWUVVaWlRNdmpCUHJYWVFIZTFoSmZTTVQ1Y0ZGOHRQ?= =?utf-8?B?QVhCMURvT0ZWYVpkYy9TT3BVWVZTeE01Umt0ZmRrVHRLYXZjWjNCMy9McHpk?= =?utf-8?B?Ukk1b1E3RXpHRWxQZk9KU3pGYXlpaTMyU1l1VEUybS93YmJ0UjQ3VVlhd1cx?= =?utf-8?B?WU5iUGxBL3hnNHQ3eEhHYXdlTC9FYlV5aG5lcFFBazRucU1TOGFHWW9jREoz?= =?utf-8?B?eE5KcldseEdwc3plWE5FSmxGUTBpRUprdFBnSTFmVnBvRVdjZUt6YkFPSitR?= =?utf-8?B?UXE4U21ydjFUQlV4UTlqcno4R0YzaW9ack5jaEc0VGZFWFlha0pHUUVaamo4?= =?utf-8?B?Q291MlZpcm1mUzFMOU1qN1QxdWxTeFBLdkdsTzNkMWlra200OU9XblNybTNE?= =?utf-8?B?T0dvUXpjQ0FBZHluMGREeDYxME5LaWZCOWlCbWFSeEMrMytqV2tzZ2QxOXlm?= =?utf-8?B?c09NNmVzMEJ4Z1k2dTYvZUpBVitRVHNwWTVWQk5iOE5vT0dVR201NzVYNUpU?= =?utf-8?B?VFFJVXVUWm40UEdyV0J4VndGa05TK3E3eFQ4ODNidFBjMFhqaWE0ODNsWkFH?= =?utf-8?B?MkJSc1crL3BwNklTMFNyem0zbG85U2FnVE0waSszR2VEQ05XbzdvNEx5dGZE?= =?utf-8?B?eUZVblBwR2ttaGFBd0FxOXdVbTdSK0puNlY4Y2tTRkQ5eGI4REpaVlFvNDRj?= =?utf-8?B?b1k3WWRCcTF6Qks1bmxhdzJwckt6SndwcTJLa1pQbkcvcW9HaTd2RHBiZEtJ?= =?utf-8?B?TnpvOXNCMXdncUFDMFpvaGRlOTdueFgrbFlFd2dQcGZ4elhWV2FscThrRjdq?= =?utf-8?B?a1JnakN2NFp0Y00zTWNNTXhlU09ZQzZHdUFDT0cwNkJjSFZpdmFZM3dXM0Rn?= =?utf-8?B?dldkT0sxWmswMkM3VHI5TWZEOXc0NloyNFpQRHY4aWp1b3lzbXVzK2wxY1lH?= =?utf-8?B?Y3Eya096RmhvQjVRejhwbGJrT2V1TEtTVThzRW1hUHFMeUgyT3BnL1RSbTVu?= =?utf-8?B?amMvTnVDbjlldEp0MTcyTXdVcHd2S0dYSzF5TE5IcWh3eVlzWXRGaGlGR0dt?= =?utf-8?B?bVpERXY1RWhsbDFwYVpPcHFlSFE2VExhVXVyOXVlTUo1b21XVmhsUTgwY1l2?= =?utf-8?B?RDM0ZFpJZTduMUdabjd1MmlTRFpXams1SHJ1dk9pSjhqTkYvaTc4ZW5ySDlt?= =?utf-8?B?ZmVuQkJIdDlnNWRudXgrSUpEdjdNWUVpY2d4WU5PanVTcG1MTzNUNjJMRlNX?= =?utf-8?B?QWU2RVlmTGw5dzVJY0lqSWxaUGhvM0t4RGo3azA4S1Z4aUF1dkQ0c2UwMHlD?= =?utf-8?B?WlpsMzdUdkdQYU5YV1JML1h0dHlnMHpDYTBKR2FEK0NSMUVEM2p2SGpXRnRo?= =?utf-8?B?eml5bjNKdTBwMUM2clI2eEpFK1ZUbUhJS2V1VXpNbXp1TzJza2ppZFZhUkJ2?= =?utf-8?B?TDJ0STduWStKa0oxbjZ2REt1QnIrZmFuUjhic3huc3BsTU5ZOGRUUkI2b2Fw?= =?utf-8?B?c0FFRmZPU3FLQkd6SEphL1gwL21Ycmx1V3pzUksrMVhZSS81QWxLeFJKTHBK?= =?utf-8?B?YXp4NU45bitFZWEzSTRWOEFRVUdPT3hpTVdnd2FYWHJWUzR2K0RmYjU1enlw?= =?utf-8?B?QTkwSElCY3pxYktqMzZjVitYYUp6dkFLTFVWTjBmVGNvL29na3RtWGZtZi9P?= =?utf-8?B?TUVWSG8vVTNsY2d1OVNOY0M5a1lDdzZhVktXWUJhYzhGNDlMMXJFM2JxM01U?= =?utf-8?B?YXMyWmd3c3ZsNzZZUG4wTGw4SG1XWkNidC9iVy9hR29yTjdabnlTS1Q1cmdo?= =?utf-8?B?anQrSWRnUXFRemhMZ2hNVHErejQ0NThYTW13QlZkT0dlR0prSEhzWE1tU1pm?= =?utf-8?Q?nr7I0ib716tF9QJFDGVEZpfQX?= X-MS-Exchange-CrossTenant-Network-Message-Id: 3ef8b303-ce20-46f9-89d5-08db42920ade X-MS-Exchange-CrossTenant-AuthSource: CO1PR11MB5042.namprd11.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 21 Apr 2023 17:58:42.1524 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 46c98d88-e344-4ed4-8496-4ed7712e255d X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: YLRafnIIwen+xB+a/WZMAEHNL2FQvcYWB2LITxmMQDcd9CwfcAZO2vZpiZO32tRZ5Bo2sg8Wh7EsKHK6wOw3zA== X-MS-Exchange-Transport-CrossTenantHeadersStamped: IA1PR11MB6124 X-OriginatorOrg: intel.com X-Spam-Status: No, score=-7.7 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,NICE_REPLY_A, RCVD_IN_DNSWL_MED,SPF_HELO_NONE,SPF_NONE,T_SCC_BODY_TEXT_LINE, URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 4/19/2023 8:07 AM, Ding Hui wrote: > We do netif_napi_add() for all allocated q_vectors[], but potentially > do netif_napi_del() for part of them, then kfree q_vectors and leave > invalid pointers at dev->napi_list. > > Reproducer: > > [root@host ~]# cat repro.sh > #!/bin/bash > > pf_dbsf="0000:41:00.0" > vf0_dbsf="0000:41:02.0" > g_pids=() > > function do_set_numvf() > { > echo 2 >/sys/bus/pci/devices/${pf_dbsf}/sriov_numvfs > sleep $((RANDOM%3+1)) > echo 0 >/sys/bus/pci/devices/${pf_dbsf}/sriov_numvfs > sleep $((RANDOM%3+1)) > } > > function do_set_channel() > { > local nic=$(ls -1 --indicator-style=none /sys/bus/pci/devices/${vf0_dbsf}/net/) > [ -z "$nic" ] && { sleep $((RANDOM%3)) ; return 1; } > ifconfig $nic 192.168.18.5 netmask 255.255.255.0 > ifconfig $nic up > ethtool -L $nic combined 1 > ethtool -L $nic combined 4 > sleep $((RANDOM%3)) > } > > function on_exit() > { > local pid > for pid in "${g_pids[@]}"; do > kill -0 "$pid" &>/dev/null && kill "$pid" &>/dev/null > done > g_pids=() > } > > trap "on_exit; exit" EXIT > > while :; do do_set_numvf ; done & > g_pids+=($!) > while :; do do_set_channel ; done & > g_pids+=($!) > > wait > > Result: > > [ 4093.900222] ================================================================== > [ 4093.900230] BUG: KASAN: use-after-free in free_netdev+0x308/0x390 > [ 4093.900232] Read of size 8 at addr ffff88b4dc145640 by task repro.sh/6699 > [ 4093.900233] > [ 4093.900236] CPU: 10 PID: 6699 Comm: repro.sh Kdump: loaded Tainted: G O --------- -t - 4.18.0 #1 > [ 4093.900238] Hardware name: Powerleader PR2008AL/H12DSi-N6, BIOS 2.0 04/09/2021 > [ 4093.900239] Call Trace: > [ 4093.900244] dump_stack+0x71/0xab > [ 4093.900249] print_address_description+0x6b/0x290 > [ 4093.900251] ? free_netdev+0x308/0x390 > [ 4093.900252] kasan_report+0x14a/0x2b0 > [ 4093.900254] free_netdev+0x308/0x390 > [ 4093.900261] iavf_remove+0x825/0xd20 [iavf] > [ 4093.900265] pci_device_remove+0xa8/0x1f0 > [ 4093.900268] device_release_driver_internal+0x1c6/0x460 > [ 4093.900271] pci_stop_bus_device+0x101/0x150 > [ 4093.900273] pci_stop_and_remove_bus_device+0xe/0x20 > [ 4093.900275] pci_iov_remove_virtfn+0x187/0x420 > [ 4093.900277] ? pci_iov_add_virtfn+0xe10/0xe10 > [ 4093.900278] ? pci_get_subsys+0x90/0x90 > [ 4093.900280] sriov_disable+0xed/0x3e0 > [ 4093.900282] ? bus_find_device+0x12d/0x1a0 > [ 4093.900290] i40e_free_vfs+0x754/0x1210 [i40e] > [ 4093.900298] ? i40e_reset_all_vfs+0x880/0x880 [i40e] > [ 4093.900299] ? pci_get_device+0x7c/0x90 > [ 4093.900300] ? pci_get_subsys+0x90/0x90 > [ 4093.900306] ? pci_vfs_assigned.part.7+0x144/0x210 > [ 4093.900309] ? __mutex_lock_slowpath+0x10/0x10 > [ 4093.900315] i40e_pci_sriov_configure+0x1fa/0x2e0 [i40e] > [ 4093.900318] sriov_numvfs_store+0x214/0x290 > [ 4093.900320] ? sriov_totalvfs_show+0x30/0x30 > [ 4093.900321] ? __mutex_lock_slowpath+0x10/0x10 > [ 4093.900323] ? __check_object_size+0x15a/0x350 > [ 4093.900326] kernfs_fop_write+0x280/0x3f0 > [ 4093.900329] vfs_write+0x145/0x440 > [ 4093.900330] ksys_write+0xab/0x160 > [ 4093.900332] ? __ia32_sys_read+0xb0/0xb0 > [ 4093.900334] ? fput_many+0x1a/0x120 > [ 4093.900335] ? filp_close+0xf0/0x130 > [ 4093.900338] do_syscall_64+0xa0/0x370 > [ 4093.900339] ? page_fault+0x8/0x30 > [ 4093.900341] entry_SYSCALL_64_after_hwframe+0x65/0xca > [ 4093.900357] RIP: 0033:0x7f16ad4d22c0 > [ 4093.900359] Code: 73 01 c3 48 8b 0d d8 cb 2c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d 89 24 2d 00 00 75 10 b8 01 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 fe dd 01 00 48 89 04 24 > [ 4093.900360] RSP: 002b:00007ffd6491b7f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 > [ 4093.900362] RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007f16ad4d22c0 > [ 4093.900363] RDX: 0000000000000002 RSI: 0000000001a41408 RDI: 0000000000000001 > [ 4093.900364] RBP: 0000000001a41408 R08: 00007f16ad7a1780 R09: 00007f16ae1f2700 > [ 4093.900364] R10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000002 > [ 4093.900365] R13: 0000000000000001 R14: 00007f16ad7a0620 R15: 0000000000000001 > [ 4093.900367] > [ 4093.900368] Allocated by task 820: > [ 4093.900371] kasan_kmalloc+0xa6/0xd0 > [ 4093.900373] __kmalloc+0xfb/0x200 > [ 4093.900376] iavf_init_interrupt_scheme+0x63b/0x1320 [iavf] > [ 4093.900380] iavf_watchdog_task+0x3d51/0x52c0 [iavf] > [ 4093.900382] process_one_work+0x56a/0x11f0 > [ 4093.900383] worker_thread+0x8f/0xf40 > [ 4093.900384] kthread+0x2a0/0x390 > [ 4093.900385] ret_from_fork+0x1f/0x40 > [ 4093.900387] 0xffffffffffffffff > [ 4093.900387] > [ 4093.900388] Freed by task 6699: > [ 4093.900390] __kasan_slab_free+0x137/0x190 > [ 4093.900391] kfree+0x8b/0x1b0 > [ 4093.900394] iavf_free_q_vectors+0x11d/0x1a0 [iavf] > [ 4093.900397] iavf_remove+0x35a/0xd20 [iavf] > [ 4093.900399] pci_device_remove+0xa8/0x1f0 > [ 4093.900400] device_release_driver_internal+0x1c6/0x460 > [ 4093.900401] pci_stop_bus_device+0x101/0x150 > [ 4093.900402] pci_stop_and_remove_bus_device+0xe/0x20 > [ 4093.900403] pci_iov_remove_virtfn+0x187/0x420 > [ 4093.900404] sriov_disable+0xed/0x3e0 > [ 4093.900409] i40e_free_vfs+0x754/0x1210 [i40e] > [ 4093.900415] i40e_pci_sriov_configure+0x1fa/0x2e0 [i40e] > [ 4093.900416] sriov_numvfs_store+0x214/0x290 > [ 4093.900417] kernfs_fop_write+0x280/0x3f0 > [ 4093.900418] vfs_write+0x145/0x440 > [ 4093.900419] ksys_write+0xab/0x160 > [ 4093.900420] do_syscall_64+0xa0/0x370 > [ 4093.900421] entry_SYSCALL_64_after_hwframe+0x65/0xca > [ 4093.900422] 0xffffffffffffffff > [ 4093.900422] > [ 4093.900424] The buggy address belongs to the object at ffff88b4dc144200 > which belongs to the cache kmalloc-8k of size 8192 > [ 4093.900425] The buggy address is located 5184 bytes inside of > 8192-byte region [ffff88b4dc144200, ffff88b4dc146200) > [ 4093.900425] The buggy address belongs to the page: > [ 4093.900427] page:ffffea00d3705000 refcount:1 mapcount:0 mapping:ffff88bf04415c80 index:0x0 compound_mapcount: 0 > [ 4093.900430] flags: 0x10000000008100(slab|head) > [ 4093.900433] raw: 0010000000008100 dead000000000100 dead000000000200 ffff88bf04415c80 > [ 4093.900434] raw: 0000000000000000 0000000000030003 00000001ffffffff 0000000000000000 > [ 4093.900434] page dumped because: kasan: bad access detected > [ 4093.900435] > [ 4093.900435] Memory state around the buggy address: > [ 4093.900436] ffff88b4dc145500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb > [ 4093.900437] ffff88b4dc145580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb > [ 4093.900438] >ffff88b4dc145600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb > [ 4093.900438] ^ > [ 4093.900439] ffff88b4dc145680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb > [ 4093.900440] ffff88b4dc145700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb > [ 4093.900440] ================================================================== > > Although the patch #2 (of 2) can avoid the issuse triggered by this > repro.sh, there still are other potential risks that if num_active_queues > is changed to less than allocated q_vectors[] by unexpected, the > mismatched netif_napi_add/del() can also casue UAF. > > Since we actually call netif_napi_add() for all allocated q_vectors > unconditionally in iavf_alloc_q_vectors(), so we should fix it by > letting netif_napi_del() match to netif_napi_add(). > > Fixes: 5eae00c57f5e ("i40evf: main driver core") > Signed-off-by: Ding Hui > Cc: Donglin Peng > Cc: Huang Cun > Acked-by: Michal Kubiak > Reviewed-by: Simon Horman Reviewed-by: Madhu Chittim