• Í
    sfc: fix use after free when disabling sriov · ebe41da5
    Íñigo Huguet 提交于
    Use after free is detected by kfence when disabling sriov. What was read
    after being freed was vf->pci_dev: it was freed from pci_disable_sriov
    and later read in efx_ef10_sriov_free_vf_vports, called from
    efx_ef10_sriov_free_vf_vswitching.
    
    Set the pointer to NULL at release time to not trying to read it later.
    
    Reproducer and dmesg log (note that kfence doesn't detect it every time):
    $ echo 1 > /sys/class/net/enp65s0f0np0/device/sriov_numvfs
    $ echo 0 > /sys/class/net/enp65s0f0np0/device/sriov_numvfs
    
     BUG: KFENCE: use-after-free read in efx_ef10_sriov_free_vf_vswitching+0x82/0x170 [sfc]
    
     Use-after-free read at 0x00000000ff3c1ba5 (in kfence-#224):
      efx_ef10_sriov_free_vf_vswitching+0x82/0x170 [sfc]
      efx_ef10_pci_sriov_disable+0x38/0x70 [sfc]
      efx_pci_sriov_configure+0x24/0x40 [sfc]
      sriov_numvfs_store+0xfe/0x140
      kernfs_fop_write_iter+0x11c/0x1b0
      new_sync_write+0x11f/0x1b0
      vfs_write+0x1eb/0x280
      ksys_write+0x5f/0xe0
      do_syscall_64+0x5c/0x80
      entry_SYSCALL_64_after_hwframe+0x44/0xae
    
     kfence-#224: 0x00000000edb8ef95-0x00000000671f5ce1, size=2792, cache=kmalloc-4k
    
     allocated by task 6771 on cpu 10 at 3137.860196s:
      pci_alloc_dev+0x21/0x60
      pci_iov_add_virtfn+0x2a2/0x320
      sriov_enable+0x212/0x3e0
      efx_ef10_sriov_configure+0x67/0x80 [sfc]
      efx_pci_sriov_configure+0x24/0x40 [sfc]
      sriov_numvfs_store+0xba/0x140
      kernfs_fop_write_iter+0x11c/0x1b0
      new_sync_write+0x11f/0x1b0
      vfs_write+0x1eb/0x280
      ksys_write+0x5f/0xe0
      do_syscall_64+0x5c/0x80
      entry_SYSCALL_64_after_hwframe+0x44/0xae
    
     freed by task 6771 on cpu 12 at 3170.991309s:
      device_release+0x34/0x90
      kobject_cleanup+0x3a/0x130
      pci_iov_remove_virtfn+0xd9/0x120
      sriov_disable+0x30/0xe0
      efx_ef10_pci_sriov_disable+0x57/0x70 [sfc]
      efx_pci_sriov_configure+0x24/0x40 [sfc]
      sriov_numvfs_store+0xfe/0x140
      kernfs_fop_write_iter+0x11c/0x1b0
      new_sync_write+0x11f/0x1b0
      vfs_write+0x1eb/0x280
      ksys_write+0x5f/0xe0
      do_syscall_64+0x5c/0x80
      entry_SYSCALL_64_after_hwframe+0x44/0xae
    
    Fixes: 3c5eb876 ("sfc: create vports for VFs and assign random MAC addresses")
    Reported-by: NYanghang Liu <yanghliu@redhat.com>
    Signed-off-by: NÍñigo Huguet <ihuguet@redhat.com>
    Acked-by: NMartin Habets <habetsm.xilinx@gmail.com>
    Link: https://lore.kernel.org/r/20220712062642.6915-1-ihuguet@redhat.comSigned-off-by: NJakub Kicinski <kuba@kernel.org>
    ebe41da5
ef10_sriov.c 20.1 KB