
[net-next,V2,01/15] lib: cpu_rmap: Avoid use after free on rmap->obj array entries

Message ID 20230324231341.29808-2-saeed@kernel.org (mailing list archive)
State Accepted
Commit 4e0473f1060aa49621d40a113afde24818101d37
Delegated to: Netdev Maintainers
Series [net-next,V2,01/15] lib: cpu_rmap: Avoid use after free on rmap->obj array entries

Checks

Context Check Description
netdev/series_format success Pull request is its own cover letter
netdev/tree_selection success Clearly marked for net-next
netdev/fixes_present success Fixes tag not required for -next series
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 20 this patch: 20
netdev/cc_maintainers success CCed 1 of 1 maintainers
netdev/build_clang success Errors and warnings before: 18 this patch: 18
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/deprecated_api success None detected
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes success No Fixes tag
netdev/build_allmodconfig_warn success Errors and warnings before: 20 this patch: 20
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 23 lines checked
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0

Commit Message

Saeed Mahameed March 24, 2023, 11:13 p.m. UTC
From: Eli Cohen <elic@nvidia.com>

When calling irq_set_affinity_notifier() with NULL at the notify
argument, it will cause freeing of the glue pointer in the
corresponding array entry but will leave the pointer in the array. A
subsequent call to free_irq_cpu_rmap() will try to free this entry again
leading to possible use after free.

Fix that by setting NULL to the array entry and checking that we have
non-zero at the array entry when iterating over the array in
free_irq_cpu_rmap().

The current code does not suffer from this since there are no cases
where irq_set_affinity_notifier(irq, NULL) (note the NULL passed for the
notify arg) is called, followed by a call to free_irq_cpu_rmap() so we
don't hit an issue. Subsequent patches in this series exercise this
flow, hence the required fix.

Cc: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Eli Cohen <elic@nvidia.com>
Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
---
 lib/cpu_rmap.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
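The sequence the commit message describes, as an added user-space model (example code written for this page, not lib/cpu_rmap.c or anything from the mlx5 series). The kernel's kref, irq descriptor and kfree() are replaced by plain counters, a per-irq `notifier[]` table and a `freed` quarantine flag, so a read through a released rmap->obj[] entry is counted instead of being undefined behaviour; `MAX_IRQS`, `run_scenario()`, `glue_irq()` and `struct result` are this example's own names. The same scenario is run twice: once with the pre-patch behaviour and once with the slot cleared on release and skipped in free_irq_cpu_rmap(). One assumption to note: the fixed-mode release clears the slot before cpu_rmap_put(), which is the order a reviewer would ask for, not the order in the patch below.

```c
/* Added example: user-space model of the cpu_rmap slot lifetime, not kernel code. */
#include <string.h>

#define MAX_IRQS 8	/* assumed size of the model's irq space */

struct cpu_rmap { int refcount; unsigned int used; void *obj[MAX_IRQS]; };

struct irq_glue {
	int refcount, irq, freed;	/* refcount models notify.kref; freed is a quarantine flag:
					 * nothing is really freed, so a dangling read is countable, not UB */
	struct cpu_rmap *rmap;
	unsigned int index;		/* slot in rmap->obj[] */
};

/* uaf counts reads through an rmap->obj[] entry whose glue was already released */
struct result { int uaf, glues_freed, rmap_freed; };

static struct cpu_rmap rmap_storage;
static struct irq_glue glue_pool[MAX_IRQS];
static struct irq_glue *notifier[MAX_IRQS];	/* models desc->affinity_notify */
static int glue_pool_used, fixed_mode;
static struct result stats;

static void cpu_rmap_put(struct cpu_rmap *rmap)
{
	if (--rmap->refcount == 0) stats.rmap_freed++;	/* last ref: the kernel would kfree() here */
}
static void glue_free(struct irq_glue *glue) { glue->freed = 1; stats.glues_freed++; }

/* irq_cpu_rmap_release(): in fixed mode the slot is cleared before cpu_rmap_put(),
 * the safe order (the patch's hunk does it the other way round). */
static void irq_cpu_rmap_release(struct irq_glue *glue)
{
	if (fixed_mode)
		glue->rmap->obj[glue->index] = NULL;
	cpu_rmap_put(glue->rmap);
	glue_free(glue);
}

/* irq_set_affinity_notifier(): NULL unregisters and drops the old notifier. */
static int irq_set_affinity_notifier(int irq, struct irq_glue *glue)
{
	struct irq_glue *old;
	if (irq < 0 || irq >= MAX_IRQS)
		return -1;
	old = notifier[irq];
	notifier[irq] = glue;
	if (old && --old->refcount == 0)
		irq_cpu_rmap_release(old);
	return 0;
}

/* Every use of a glue taken from rmap->obj[] goes through here. */
static int glue_irq(struct irq_glue *glue) { if (glue->freed) stats.uaf++; return glue->irq; }

static int irq_cpu_rmap_add(struct cpu_rmap *rmap, int irq)
{
	struct irq_glue *glue;
	int rc;
	if (rmap->used >= MAX_IRQS) return -1;
	glue = &glue_pool[glue_pool_used++];
	memset(glue, 0, sizeof(*glue));
	glue->refcount = 1;
	glue->irq = irq; glue->rmap = rmap;
	rmap->refcount++;			/* cpu_rmap_get() */
	glue->index = rmap->used;
	rmap->obj[rmap->used++] = glue;		/* cpu_rmap_add() */
	rc = irq_set_affinity_notifier(irq, glue);
	if (rc) {
		cpu_rmap_put(rmap);		/* rmap is the caller's handle, so this order is safe */
		if (fixed_mode)
			rmap->obj[glue->index] = NULL;
		glue_free(glue);
	}
	return rc;
}

static void free_irq_cpu_rmap(struct cpu_rmap *rmap)
{
	unsigned int index;
	for (index = 0; index < rmap->used; index++) {
		struct irq_glue *glue = rmap->obj[index];
		if (fixed_mode && !glue)
			continue;
		irq_set_affinity_notifier(glue_irq(glue), NULL);
	}
	cpu_rmap_put(rmap);
}

/* Constructed scenario: three good adds, one failing add, one early unregister. */
struct result run_scenario(int fixed)
{
	struct cpu_rmap *rmap = &rmap_storage;
	fixed_mode = fixed;
	memset(&stats, 0, sizeof(stats)); memset(rmap, 0, sizeof(*rmap));
	memset(notifier, 0, sizeof(notifier));
	glue_pool_used = 0;
	rmap->refcount = 1;			/* the owner's reference, from alloc_cpu_rmap() */
	irq_cpu_rmap_add(rmap, 3); irq_cpu_rmap_add(rmap, 5); irq_cpu_rmap_add(rmap, 7);
	irq_cpu_rmap_add(rmap, MAX_IRQS + 1);	/* out-of-range irq: registration fails */
	irq_set_affinity_notifier(5, NULL);	/* driver drops one notifier early */
	free_irq_cpu_rmap(rmap);
	return stats;
}
```

`run_scenario(0)` reports two reads through released entries (the early-unregistered irq 5 and the failed add), while `run_scenario(1)` reports none; in both runs four glues are released and the rmap reaches refcount zero exactly once, because the loop in free_irq_cpu_rmap() runs under the owner's reference. That last point is also why the patch's put-then-clear order in irq_cpu_rmap_release() does not blow up today, and why it is still worth reversing.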

Comments

patchwork-bot+netdevbpf@kernel.org March 29, 2023, 7 a.m. UTC | #1
Hello:

This series was applied to netdev/net-next.git (main)
by Saeed Mahameed <saeedm@nvidia.com>:

On Fri, 24 Mar 2023 16:13:27 -0700 you wrote:
> From: Eli Cohen <elic@nvidia.com>
> 
> When calling irq_set_affinity_notifier() with NULL at the notify
> argument, it will cause freeing of the glue pointer in the
> corresponding array entry but will leave the pointer in the array. A
> subsequent call to free_irq_cpu_rmap() will try to free this entry again
> leading to possible use after free.
> 
> [...]

Here is the summary with links:
  - [net-next,V2,01/15] lib: cpu_rmap: Avoid use after free on rmap->obj array entries
    https://git.kernel.org/netdev/net-next/c/4e0473f1060a
  - [net-next,V2,02/15] lib: cpu_rmap: Use allocator for rmap entries
    https://git.kernel.org/netdev/net-next/c/9821d8d4628e
  - [net-next,V2,03/15] lib: cpu_rmap: Add irq_cpu_rmap_remove to complement irq_cpu_rmap_add
    https://git.kernel.org/netdev/net-next/c/71f0a2478605
  - [net-next,V2,04/15] net/mlx5e: Coding style fix, add empty line
    https://git.kernel.org/netdev/net-next/c/b94616d9c6fd
  - [net-next,V2,05/15] net/mlx5: Fix wrong comment
    https://git.kernel.org/netdev/net-next/c/40a252c123c7
  - [net-next,V2,06/15] net/mlx5: Modify struct mlx5_irq to use struct msi_map
    https://git.kernel.org/netdev/net-next/c/235a25fe28de
  - [net-next,V2,07/15] net/mlx5: Use newer affinity descriptor
    https://git.kernel.org/netdev/net-next/c/bbac70c74183
  - [net-next,V2,08/15] net/mlx5: Improve naming of pci function vectors
    https://git.kernel.org/netdev/net-next/c/8bebfd767909
  - [net-next,V2,09/15] net/mlx5: Refactor completion irq request/release code
    https://git.kernel.org/netdev/net-next/c/b48a0f72bc3e
  - [net-next,V2,10/15] net/mlx5: Use dynamic msix vectors allocation
    https://git.kernel.org/netdev/net-next/c/3354822cde5a
  - [net-next,V2,11/15] net/mlx5: Move devlink registration before mlx5_load
    https://git.kernel.org/netdev/net-next/c/fe578cbb2f05
  - [net-next,V2,12/15] net/mlx5: Refactor calculation of required completion vectors
    https://git.kernel.org/netdev/net-next/c/1dc85133c207
  - [net-next,V2,13/15] net/mlx5: Use one completion vector if eth is disabled
    https://git.kernel.org/netdev/net-next/c/b637ac5db0d0
  - [net-next,V2,14/15] net/mlx5: Provide external API for allocating vectors
    https://git.kernel.org/netdev/net-next/c/fb0a6a268dcd
  - [net-next,V2,15/15] vdpa/mlx5: Support interrupt bypassing
    (no matching commit)

You are awesome, thank you!

Patch

diff --git a/lib/cpu_rmap.c b/lib/cpu_rmap.c
index f08d9c56f712..e77f12bb3c77 100644
--- a/lib/cpu_rmap.c
+++ b/lib/cpu_rmap.c
@@ -232,7 +232,8 @@  void free_irq_cpu_rmap(struct cpu_rmap *rmap)
 
 	for (index = 0; index < rmap->used; index++) {
 		glue = rmap->obj[index];
-		irq_set_affinity_notifier(glue->notify.irq, NULL);
+		if (glue)
+			irq_set_affinity_notifier(glue->notify.irq, NULL);
 	}
 
 	cpu_rmap_put(rmap);
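Review bot: the new `if (glue)` test in free_irq_cpu_rmap() is correct but unexplained; nothing here tells a reader why an entry below rmap->used can be NULL. Add a one-line comment above it saying that irq_cpu_rmap_release() and the failure path of irq_cpu_rmap_add() clear their rmap->obj[] slot in place without shrinking rmap->used, e.g. `/* slot cleared by irq_cpu_rmap_release() or a failed irq_cpu_rmap_add() */`, so the next person does not "simplify" the check away.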
@@ -268,6 +269,7 @@  static void irq_cpu_rmap_release(struct kref *ref)
 		container_of(ref, struct irq_glue, notify.kref);
 
 	cpu_rmap_put(glue->rmap);
+	glue->rmap->obj[glue->index] = NULL;
 	kfree(glue);
 }
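Review bot: the order of the two new statements in irq_cpu_rmap_release() is backwards: `cpu_rmap_put(glue->rmap);` runs first and can drop the last reference to the rmap, after which `glue->rmap->obj[glue->index] = NULL;` writes into freed memory. It only works in the free_irq_cpu_rmap() path because the caller still holds its own reference for the whole loop, so the fix for one use-after-free relies on a second one not being reachable. Put the store before the put: `glue->rmap->obj[glue->index] = NULL; cpu_rmap_put(glue->rmap); kfree(glue);`.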
 
@@ -297,6 +299,7 @@  int irq_cpu_rmap_add(struct cpu_rmap *rmap, int irq)
 	rc = irq_set_affinity_notifier(irq, &glue->notify);
 	if (rc) {
 		cpu_rmap_put(glue->rmap);
+		rmap->obj[glue->index] = NULL;
 		kfree(glue);
 	}
 	return rc;
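Review bot: this error path now repeats the release sequence (drop the rmap reference, clear the slot, kfree the glue) with a different statement order from irq_cpu_rmap_release(); here `rmap` is the caller's own handle, so putting before clearing is safe, but the two copies will drift. Also note that only the obj[] pointer is cleared and nothing gives the slot back, so a failed add permanently consumes an entry that free_irq_cpu_rmap() then has to skip. Either factor the sequence into a small helper shared with irq_cpu_rmap_release(), or add a comment here stating that the slot is intentionally leaked until the rmap is freed.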