From: Jakub Kicinski <kuba@kernel.org>
To: Saeed Mahameed <saeed@kernel.org>
Cc: "David S. Miller" <davem@davemloft.net>,
Paolo Abeni <pabeni@redhat.com>,
Eric Dumazet <edumazet@google.com>,
Saeed Mahameed <saeedm@nvidia.com>,
netdev@vger.kernel.org, Tariq Toukan <tariqt@nvidia.com>,
Eli Cohen <elic@nvidia.com>
Subject: Re: [net-next 01/14] lib: cpu_rmap: Avoid use after free on rmap->obj array entries
Date: Tue, 21 Mar 2023 20:38:36 -0700
Message-ID: <20230321203836.5ab4951e@kernel.org>
In-Reply-To: <20230320175144.153187-2-saeed@kernel.org>
On Mon, 20 Mar 2023 10:51:31 -0700 Saeed Mahameed wrote:
> From: Eli Cohen <elic@nvidia.com>
>
> When calling irq_set_affinity_notifier() with NULL at the notify
> argument, it will cause freeing of the glue pointer in the
> corresponding array entry but will leave the pointer in the array. A
> subsequent call to free_irq_cpu_rmap() will try to free this entry again
> leading to possible use after free.
>
> Fix that by setting NULL to the array entry and checking that we have
> non-zero at the array entry when iterating over the array in
> free_irq_cpu_rmap().
Commit message needs some work. Are you trying to make double
free_irq_cpu_rmap() work fine because of callers? Are there problems
with error path of irq_cpu_rmap_add()? I can tell what you're trying
to prevent but not why.
> Fixes: c39649c331c7 ("lib: cpu_rmap: CPU affinity reverse-mapping")
What is this Fixes tag doing in a net-next patch :S
If it can be triggered it needs to go to net.
> Signed-off-by: Eli Cohen <elic@nvidia.com>
> Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
> ---
> lib/cpu_rmap.c | 5 ++++-
> 1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/lib/cpu_rmap.c b/lib/cpu_rmap.c
> index f08d9c56f712..e77f12bb3c77 100644
> --- a/lib/cpu_rmap.c
> +++ b/lib/cpu_rmap.c
> @@ -232,7 +232,8 @@ void free_irq_cpu_rmap(struct cpu_rmap *rmap)
>
> for (index = 0; index < rmap->used; index++) {
After looking at this code for 10min - isn't the problem that used
is never decremented on the error path?
I don't see a way to remove from the map so it can't be sparse.
> glue = rmap->obj[index];
> - irq_set_affinity_notifier(glue->notify.irq, NULL);
> + if (glue)
> + irq_set_affinity_notifier(glue->notify.irq, NULL);
> }
>
> cpu_rmap_put(rmap);
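Review bot: the `if (glue)` guard in free_irq_cpu_rmap() papers over the symptom rather than the cause: the loop still walks every slot up to `rmap->used`, and a slot can only be NULL here because an earlier failure left it counted in `used` without a live glue. Either decrement `used` where the entry is released, or state in the commit message why NULL entries are legitimately present so that this check reads as intentional rather than defensive.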
> @@ -268,6 +269,7 @@ static void irq_cpu_rmap_release(struct kref *ref)
> container_of(ref, struct irq_glue, notify.kref);
>
> cpu_rmap_put(glue->rmap);
> + glue->rmap->obj[glue->index] = NULL;
> kfree(glue);
> }
>
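Review bot: the new `glue->rmap->obj[glue->index] = NULL;` is placed after `cpu_rmap_put(glue->rmap);`, so it dereferences `glue->rmap` after the glue has dropped its reference to it; if that was the last reference, the write lands in freed memory, which is the very class of bug the patch sets out to fix. Move the assignment above the put, i.e. clear the array entry while the reference is still held, then release it.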
> @@ -297,6 +299,7 @@ int irq_cpu_rmap_add(struct cpu_rmap *rmap, int irq)
> rc = irq_set_affinity_notifier(irq, &glue->notify);
> if (rc) {
> cpu_rmap_put(glue->rmap);
> + rmap->obj[glue->index] = NULL;
> kfree(glue);
> }
> return rc;
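Review bot: the error path of irq_cpu_rmap_add() now does `cpu_rmap_put(glue->rmap); rmap->obj[glue->index] = NULL; kfree(glue);`, which leaves `rmap->used` unchanged, so the slot just cleared stays counted and every later caller has to tolerate a NULL entry. Since this is the most recently added slot, undoing the add by decrementing `used` (or by reusing the same cleanup sequence as the release callback, in the same order) would keep `used` accurate and remove the need for the NULL check in free_irq_cpu_rmap().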