Open Source and information security mailing list archives
 
Message-Id: <20251001-jk-iwl-net-2025-10-01-v1-8-49fa99e86600@intel.com>
Date: Wed, 01 Oct 2025 17:14:18 -0700
From: Jacob Keller <jacob.e.keller@...el.com>
To: Przemek Kitszel <przemyslaw.kitszel@...el.com>, 
 Andrew Lunn <andrew+netdev@...n.ch>, 
 "David S. Miller" <davem@...emloft.net>, Eric Dumazet <edumazet@...gle.com>, 
 Jakub Kicinski <kuba@...nel.org>, Paolo Abeni <pabeni@...hat.com>, 
 Emil Tantilov <emil.s.tantilov@...el.com>, 
 Pavan Kumar Linga <pavan.kumar.linga@...el.com>, 
 Alexander Lobakin <aleksander.lobakin@...el.com>, 
 Willem de Bruijn <willemb@...gle.com>, 
 Sridhar Samudrala <sridhar.samudrala@...el.com>, 
 Phani Burra <phani.r.burra@...el.com>, 
 Piotr Kwapulinski <piotr.kwapulinski@...el.com>, 
 Simon Horman <horms@...nel.org>, Radoslaw Tyl <radoslawx.tyl@...el.com>, 
 Jedrzej Jagielski <jedrzej.jagielski@...el.com>, 
 Mateusz Polchlopek <mateusz.polchlopek@...el.com>
Cc: Anton Nadezhdin <anton.nadezhdin@...el.com>, 
 Konstantin Ilichev <konstantin.ilichev@...el.com>, 
 Milena Olech <milena.olech@...el.com>, netdev@...r.kernel.org, 
 linux-kernel@...r.kernel.org, Jacob Keller <jacob.e.keller@...el.com>, 
 Koichiro Den <den@...inux.co.jp>, Rinitha S <sx.rinitha@...el.com>, 
 Aleksandr Loktionov <aleksandr.loktionov@...el.com>, 
 Paul Menzel <pmenzel@...gen.mpg.de>
Subject: [PATCH net 8/8] ixgbe: fix too early devlink_free() in
 ixgbe_remove()

From: Koichiro Den <den@...inux.co.jp>

Since ixgbe_adapter is embedded in devlink, calling devlink_free()
prematurely in the ixgbe_remove() path can lead to UAF. Move devlink_free()
to the end.

KASAN report:

 BUG: KASAN: use-after-free in ixgbe_reset_interrupt_capability+0x140/0x180 [ixgbe]
 Read of size 8 at addr ffff0000adf813e0 by task bash/2095
 CPU: 1 UID: 0 PID: 2095 Comm: bash Tainted: G S  6.17.0-rc2-tnguy.net-queue+ #1 PREEMPT(full)
 [...]
 Call trace:
  show_stack+0x30/0x90 (C)
  dump_stack_lvl+0x9c/0xd0
  print_address_description.constprop.0+0x90/0x310
  print_report+0x104/0x1f0
  kasan_report+0x88/0x180
  __asan_report_load8_noabort+0x20/0x30
  ixgbe_reset_interrupt_capability+0x140/0x180 [ixgbe]
  ixgbe_clear_interrupt_scheme+0xf8/0x130 [ixgbe]
  ixgbe_remove+0x2d0/0x8c0 [ixgbe]
  pci_device_remove+0xa0/0x220
  device_remove+0xb8/0x170
  device_release_driver_internal+0x318/0x490
  device_driver_detach+0x40/0x68
  unbind_store+0xec/0x118
  drv_attr_store+0x64/0xb8
  sysfs_kf_write+0xcc/0x138
  kernfs_fop_write_iter+0x294/0x440
  new_sync_write+0x1fc/0x588
  vfs_write+0x480/0x6a0
  ksys_write+0xf0/0x1e0
  __arm64_sys_write+0x70/0xc0
  invoke_syscall.constprop.0+0xcc/0x280
  el0_svc_common.constprop.0+0xa8/0x248
  do_el0_svc+0x44/0x68
  el0_svc+0x54/0x160
  el0t_64_sync_handler+0xa0/0xe8
  el0t_64_sync+0x1b0/0x1b8

Fixes: a0285236ab93 ("ixgbe: add initial devlink support")
Signed-off-by: Koichiro Den <den@...inux.co.jp>
Tested-by: Rinitha S <sx.rinitha@...el.com>
Reviewed-by: Jedrzej Jagielski <jedrzej.jagielski@...el.com>
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@...el.com>
Reviewed-by: Paul Menzel <pmenzel@...gen.mpg.de>
---
 drivers/net/ethernet/intel/ixgbe/ixgbe_main.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
index 6218bdb7f941..86b9caece104 100644
--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
+++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
@@ -12091,7 +12091,6 @@ static void ixgbe_remove(struct pci_dev *pdev)
 
 	devl_port_unregister(&adapter->devlink_port);
 	devl_unlock(adapter->devlink);
-	devlink_free(adapter->devlink);
 
 	ixgbe_stop_ipsec_offload(adapter);
 	ixgbe_clear_interrupt_scheme(adapter);
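
Review bot: the commit message and KASAN trace name only ixgbe_clear_interrupt_scheme(), but the removed devlink_free(adapter->devlink) also sat above ixgbe_stop_ipsec_offload(adapter), so that call was handed a pointer into the freed devlink allocation as well. It would help to say in the commit message that every use of adapter after the old call site was affected, not just the one KASAN caught, so that backporters check the whole tail of ixgbe_remove() in their trees.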
@@ -12127,6 +12126,8 @@ static void ixgbe_remove(struct pci_dev *pdev)
 
 	if (disable_dev)
 		pci_disable_device(pdev);
+
+	devlink_free(adapter->devlink);
 }
 
 /**
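
Review bot: placing devlink_free(adapter->devlink) as the last statement is only leak-free if nothing between the first hunk and this one returns early, and those lines are not shown here; please confirm ixgbe_remove() has no early return on that stretch. A one-line comment above the call stating that adapter is embedded in the devlink allocation and must not be touched afterwards would document the ordering constraint and keep later teardown steps from being appended below it.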

-- 
2.51.0.rc1.197.g6d975e95c9d7

