mirror_ubuntu-kernels/drivers/net/ethernet
Letu Ren b6d335a60d igbvf: fix double free in igbvf_probe
In `igbvf_probe`, if register_netdev() fails, the program will go to
label err_hw_init, and then to label err_ioremap. In free_netdev() which
is just below label err_ioremap, there is `list_for_each_entry_safe` and
`netif_napi_del` which aims to delete all entries in `dev->napi_list`.
The program has added an entry `adapter->rx_ring->napi` which is added by
`netif_napi_add` in igbvf_alloc_queues(). However, adapter->rx_ring has
been freed below label err_hw_init. So this is a UAF.

In terms of how to patch the problem, we can refer to igbvf_remove() and
delete the entry before `adapter->rx_ring`.

The KASAN logs are as follows:

[   35.126075] BUG: KASAN: use-after-free in free_netdev+0x1fd/0x450
[   35.127170] Read of size 8 at addr ffff88810126d990 by task modprobe/366
[   35.128360]
[   35.128643] CPU: 1 PID: 366 Comm: modprobe Not tainted 5.15.0-rc2+ #14
[   35.129789] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
[   35.131749] Call Trace:
[   35.132199]  dump_stack_lvl+0x59/0x7b
[   35.132865]  print_address_description+0x7c/0x3b0
[   35.133707]  ? free_netdev+0x1fd/0x450
[   35.134378]  __kasan_report+0x160/0x1c0
[   35.135063]  ? free_netdev+0x1fd/0x450
[   35.135738]  kasan_report+0x4b/0x70
[   35.136367]  free_netdev+0x1fd/0x450
[   35.137006]  igbvf_probe+0x121d/0x1a10 [igbvf]
[   35.137808]  ? igbvf_vlan_rx_add_vid+0x100/0x100 [igbvf]
[   35.138751]  local_pci_probe+0x13c/0x1f0
[   35.139461]  pci_device_probe+0x37e/0x6c0
[   35.165526]
[   35.165806] Allocated by task 366:
[   35.166414]  ____kasan_kmalloc+0xc4/0xf0
[   35.167117]  foo_kmem_cache_alloc_trace+0x3c/0x50 [igbvf]
[   35.168078]  igbvf_probe+0x9c5/0x1a10 [igbvf]
[   35.168866]  local_pci_probe+0x13c/0x1f0
[   35.169565]  pci_device_probe+0x37e/0x6c0
[   35.179713]
[   35.179993] Freed by task 366:
[   35.180539]  kasan_set_track+0x4c/0x80
[   35.181211]  kasan_set_free_info+0x1f/0x40
[   35.181942]  ____kasan_slab_free+0x103/0x140
[   35.182703]  kfree+0xe3/0x250
[   35.183239]  igbvf_probe+0x1173/0x1a10 [igbvf]
[   35.184040]  local_pci_probe+0x13c/0x1f0

Fixes: d4e0fe01a3 (igbvf: add new driver to support 82576 virtual functions)
Reported-by: Zheyu Ma <zheyuma97@gmail.com>
Signed-off-by: Letu Ren <fantasquex@gmail.com>
Tested-by: Konrad Jankowski <konrad0.jankowski@intel.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
2021-12-15 11:09:21 -08:00
..
3com ethernet: replace netdev->dev_addr 16bit writes 2021-10-14 09:22:27 -07:00
8390 ethernet: 8390: remove direct netdev->dev_addr writes 2021-10-09 11:46:57 +01:00
actions ethernet: constify references to netdev->dev_addr in drivers 2021-10-14 09:22:11 -07:00
adaptec ethernet: adaptec: use eth_hw_addr_set() 2021-10-16 08:53:45 +01:00
aeroflex ethernet: aeroflex: use eth_hw_addr_set() 2021-10-16 08:53:45 +01:00
agere
alacritech ethernet: constify references to netdev->dev_addr in drivers 2021-10-14 09:22:11 -07:00
allwinner ethernet: use of_get_ethdev_address() 2021-10-07 13:39:51 +01:00
alteon ethernet: alteon: use eth_hw_addr_set() 2021-10-16 08:53:46 +01:00
altera net: altera: set a couple error code in probe() 2021-12-03 14:23:11 +00:00
amazon
amd Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2021-11-01 20:05:14 -07:00
apm ethernet: constify references to netdev->dev_addr in drivers 2021-10-14 09:22:11 -07:00
apple ethernet: replace netdev->dev_addr assignment loops 2021-10-14 09:22:25 -07:00
aquantia ethernet: aquantia: Try MAC address from device tree 2021-12-02 12:06:03 +00:00
arc Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2021-10-14 16:50:14 -07:00
asix net: ax88796c: do not receive data in pointer 2021-11-22 14:32:05 +00:00
atheros net: convert users of bitmap_foo() to linkmode_foo() 2021-10-24 13:58:52 +01:00
broadcom net: bcmgenet: Fix NULL vs IS_ERR() checking 2021-12-13 14:32:08 +00:00
brocade ethernet: Remove redundant 'flush_workqueue()' calls 2021-10-10 11:33:15 +01:00
cadence net: macb: Fix mdio child node detection 2021-10-27 17:12:18 -07:00
calxeda ethernet: use eth_hw_addr_set() in unmaintained drivers 2021-10-18 13:20:38 +01:00
cavium net: liquidio: Make use of the helper macro kthread_run() 2021-10-22 11:10:10 -07:00
chelsio net: chelsio: cxgb4vf: Fix an error code in cxgb4vf_pci_probe() 2021-11-23 12:15:53 +00:00
cirrus ethernet: use eth_hw_addr_set() in unmaintained drivers 2021-10-18 13:20:38 +01:00
cisco ethernet: enic: use eth_hw_addr_set() 2021-10-16 08:53:46 +01:00
cortina ethernet: make use of eth_hw_addr_random() where appropriate 2021-10-14 09:22:15 -07:00
davicom ethernet: use eth_hw_addr_set() in unmaintained drivers 2021-10-18 13:20:38 +01:00
dec net: ethernet: dec: tulip: de4x5: fix possible array overflows in type3_infoblock() 2021-11-18 12:03:17 +00:00
dlink ethernet: replace netdev->dev_addr 16bit writes 2021-10-14 09:22:27 -07:00
emulex ethernet: constify references to netdev->dev_addr in drivers 2021-10-14 09:22:11 -07:00
ezchip ethernet: use of_get_ethdev_address() 2021-10-07 13:39:51 +01:00
faraday ethernet: make more use of device_get_ethdev_address() 2021-10-07 13:39:51 +01:00
freescale net: fec: only clear interrupt of handling queue in fec_enet_rx_queue() 2021-12-07 21:39:39 -08:00
fujitsu ethernet: use eth_hw_addr_set() in unmaintained drivers 2021-10-18 13:20:38 +01:00
google gve: fix for null pointer dereference. 2021-12-07 20:57:17 -08:00
hisilicon net: hns3: fix race condition in debugfs 2021-12-12 16:20:50 +00:00
huawei treewide: Add missing includes masked by cgroup -> bpf dependency 2021-12-03 10:58:13 -08:00
i825xx ethernet: replace netdev->dev_addr assignment loops 2021-10-14 09:22:25 -07:00
ibm ibmvnic: drop bad optimization in reuse_tx_pools() 2021-12-02 12:09:19 +00:00
intel igbvf: fix double free in igbvf_probe 2021-12-15 11:09:21 -08:00
litex litex_liteeth: Fix a double free in the remove function 2021-11-07 21:51:17 +00:00
marvell net: mvpp2: fix XDP rx queues registering 2021-12-08 18:29:37 -08:00
mediatek ethernet: constify references to netdev->dev_addr in drivers 2021-10-14 09:22:11 -07:00
mellanox mlxsw: spectrum_router: Consolidate MAC profiles when possible 2021-12-14 12:56:10 +00:00
micrel ethernet: use eth_hw_addr_set() in unmaintained drivers 2021-10-18 13:20:38 +01:00
microchip lan743x: fix deadlock in lan743x_phy_link_status_change() 2021-11-24 18:19:58 -08:00
microsoft net: mana: Fix memory leak in mana_hwc_create_wq 2021-12-09 07:58:41 -08:00
moxa ethernet: use eth_hw_addr_set() for dev->addr_len cases 2021-10-05 13:16:48 +01:00
mscc net: mscc: ocelot: fix missing unlock on error in ocelot_hwstamp_set() 2021-11-29 20:20:34 -08:00
myricom ethernet: replace netdev->dev_addr assignment loops 2021-10-14 09:22:25 -07:00
natsemi natsemi: xtensa: fix section mismatch warnings 2021-11-30 18:13:37 -08:00
neterion Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2021-10-14 16:50:14 -07:00
netronome nfp: Fix memory leak in nfp_cpp_area_cache_add() 2021-12-09 07:53:33 -08:00
ni nixge: fix mac address error handling again 2021-11-22 15:05:48 +00:00
nvidia ethernet: forcedeth: remove direct netdev->dev_addr writes 2021-10-09 11:46:56 +01:00
nxp Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2021-10-28 10:43:58 -07:00
oki-semi ethernet: use eth_hw_addr_set() for dev->addr_len cases 2021-10-05 13:16:48 +01:00
packetengines ethernet: use eth_hw_addr_set() in unmaintained drivers 2021-10-18 13:20:38 +01:00
pasemi ethernet: manually convert memcpy(dev_addr,..., sizeof(addr)) 2021-10-14 09:22:19 -07:00
pensando net: convert users of bitmap_foo() to linkmode_foo() 2021-10-24 13:58:52 +01:00
qlogic net/qla3xxx: fix an error code in ql_adapter_up() 2021-12-07 10:37:10 -08:00
qualcomm ethernet: make use of eth_hw_addr_random() where appropriate 2021-10-14 09:22:15 -07:00
rdc ethernet: replace netdev->dev_addr 16bit writes 2021-10-14 09:22:27 -07:00
realtek r8169: fix incorrect mac address assignment 2021-11-23 12:12:37 +00:00
renesas ethernet: renesas: use eth_hw_addr_set() 2021-10-19 12:41:47 +01:00
rocker ethernet: rocker: use eth_hw_addr_set() 2021-10-19 12:41:47 +01:00
samsung ethernet: sxgbe: use eth_hw_addr_set() 2021-10-19 12:41:48 +01:00
seeq ethernet: use eth_hw_addr_set() for dev->addr_len cases 2021-10-05 13:16:48 +01:00
sfc sfc: use swap() to make code cleaner 2021-11-05 10:14:38 +00:00
sgi ethernet: use eth_hw_addr_set() for dev->addr_len cases 2021-10-05 13:16:48 +01:00
silan ethernet: use eth_hw_addr_set() in unmaintained drivers 2021-10-18 13:20:38 +01:00
sis ethernet: sis900: fix indentation 2021-11-12 20:13:28 -08:00
smsc ethernet: smsc: use eth_hw_addr_set() 2021-10-19 12:41:48 +01:00
socionext ethernet: netsec: use eth_hw_addr_set() 2021-10-20 11:41:01 +01:00
stmicro net: stmmac: fix tc flower deletion for VLAN priority Rx steering 2021-12-14 12:32:19 +00:00
sun ethernet: use eth_hw_addr_set() in unmaintained drivers 2021-10-18 13:20:38 +01:00
synopsys ethernet: constify references to netdev->dev_addr in drivers 2021-10-14 09:22:11 -07:00
tehuti ethernet: tehuti: use eth_hw_addr_set() 2021-10-20 11:41:01 +01:00
ti net: ethernet: ti: add missing of_node_put before return 2021-12-13 14:54:54 +00:00
toshiba ethernet: use eth_hw_addr_set() in unmaintained drivers 2021-10-18 13:20:38 +01:00
tundra
via ethernet: via-velocity: use eth_hw_addr_set() 2021-10-20 11:41:01 +01:00
wiznet net: w5100: Make w5100_remove() return void 2021-10-18 12:59:12 +01:00
xilinx net: convert users of bitmap_foo() to linkmode_foo() 2021-10-24 13:58:52 +01:00
xircom ethernet: use eth_hw_addr_set() in unmaintained drivers 2021-10-18 13:20:38 +01:00
xscale net: ethernet: ixp4xx: Make use of dma_pool_zalloc() instead of dma_pool_alloc/memset() 2021-10-19 13:24:26 +01:00
dnet.c ethernet: manually convert memcpy(dev_addr,..., sizeof(addr)) 2021-10-14 09:22:19 -07:00
dnet.h
ec_bhf.c ethernet: ec_bhf: use eth_hw_addr_set() 2021-10-16 08:53:46 +01:00
ethoc.c ethernet: use eth_hw_addr_set() in unmaintained drivers 2021-10-18 13:20:38 +01:00
fealnx.c ethernet: use eth_hw_addr_set() in unmaintained drivers 2021-10-18 13:20:38 +01:00
jme.c ethernet: use eth_hw_addr_set() for dev->addr_len cases 2021-10-05 13:16:48 +01:00
jme.h
Kconfig net: ax88796c: ASIX AX88796C SPI Ethernet Adapter Driver 2021-10-21 16:28:41 -07:00
korina.c ethernet: use of_get_ethdev_address() 2021-10-07 13:39:51 +01:00
lantiq_etop.c net: ethernet: lantiq_etop: fix build errors/warnings 2021-11-15 14:08:52 +00:00
lantiq_xrx200.c net: lantiq_xrx200: Hardcode the burst length value 2021-10-29 12:15:35 +01:00
Makefile net: ax88796c: ASIX AX88796C SPI Ethernet Adapter Driver 2021-10-21 16:28:41 -07:00