* [Intel-wired-lan][PATCH iwl-net] idpf: fix UAF in RDMA core aux dev deinitialization
@ 2025-08-12 0:19 Joshua Hay
2025-08-12 12:52 ` Vadim Fedorenko
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: Joshua Hay @ 2025-08-12 0:19 UTC (permalink / raw)
To: intel-wired-lan; +Cc: netdev, larysa.zaremba, Joshua Hay, Aleksandr Loktionov
Free the adev->id before auxiliary_device_uninit. The call to uninit
triggers the release callback, which frees the iadev memory containing the
adev. The previous flow results in a UAF during rmmod due to the adev->id
access.
[264939.604077] ==================================================================
[264939.604093] BUG: KASAN: slab-use-after-free in idpf_idc_deinit_core_aux_device+0xe4/0x100 [idpf]
[264939.604134] Read of size 4 at addr ff1100109eb6eaf8 by task rmmod/17842
...
[264939.604635] Allocated by task 17597:
[264939.604643] kasan_save_stack+0x20/0x40
[264939.604654] kasan_save_track+0x14/0x30
[264939.604663] __kasan_kmalloc+0x8f/0xa0
[264939.604672] idpf_idc_init_aux_core_dev+0x4bd/0xb60 [idpf]
[264939.604700] idpf_idc_init+0x55/0xd0 [idpf]
[264939.604726] process_one_work+0x658/0xfe0
[264939.604742] worker_thread+0x6e1/0xf10
[264939.604750] kthread+0x382/0x740
[264939.604762] ret_from_fork+0x23a/0x310
[264939.604772] ret_from_fork_asm+0x1a/0x30
[264939.604785] Freed by task 17842:
[264939.604790] kasan_save_stack+0x20/0x40
[264939.604799] kasan_save_track+0x14/0x30
[264939.604808] kasan_save_free_info+0x3b/0x60
[264939.604820] __kasan_slab_free+0x37/0x50
[264939.604830] kfree+0xf1/0x420
[264939.604840] device_release+0x9c/0x210
[264939.604850] kobject_put+0x17c/0x4b0
[264939.604860] idpf_idc_deinit_core_aux_device+0x4f/0x100 [idpf]
[264939.604886] idpf_vc_core_deinit+0xba/0x3a0 [idpf]
[264939.604915] idpf_remove+0xb0/0x7c0 [idpf]
[264939.604944] pci_device_remove+0xab/0x1e0
[264939.604955] device_release_driver_internal+0x371/0x530
[264939.604969] driver_detach+0xbf/0x180
[264939.604981] bus_remove_driver+0x11b/0x2a0
[264939.604991] pci_unregister_driver+0x2a/0x250
[264939.605005] __do_sys_delete_module.constprop.0+0x2eb/0x540
[264939.605014] do_syscall_64+0x64/0x2c0
[264939.605024] entry_SYSCALL_64_after_hwframe+0x76/0x7e
Fixes: f4312e6bfa2a ("idpf: implement core RDMA auxiliary dev create, init, and destroy")
Signed-off-by: Joshua Hay <joshua.a.hay@intel.com>
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
---
drivers/net/ethernet/intel/idpf/idpf_idc.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/intel/idpf/idpf_idc.c b/drivers/net/ethernet/intel/idpf/idpf_idc.c
index 4d2905103215..7e20a07e98e5 100644
--- a/drivers/net/ethernet/intel/idpf/idpf_idc.c
+++ b/drivers/net/ethernet/intel/idpf/idpf_idc.c
@@ -247,10 +247,10 @@ static void idpf_unplug_aux_dev(struct auxiliary_device *adev)
if (!adev)
return;
+ ida_free(&idpf_idc_ida, adev->id);
+
auxiliary_device_delete(adev);
auxiliary_device_uninit(adev);
-
- ida_free(&idpf_idc_ida, adev->id);
}
/**
--
2.39.2
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [Intel-wired-lan][PATCH iwl-net] idpf: fix UAF in RDMA core aux dev deinitialization
2025-08-12 0:19 [Intel-wired-lan][PATCH iwl-net] idpf: fix UAF in RDMA core aux dev deinitialization Joshua Hay
@ 2025-08-12 12:52 ` Vadim Fedorenko
2025-08-29 17:23 ` [Intel-wired-lan] [PATCH " Salin, Samuel
2025-08-29 21:07 ` [Intel-wired-lan][PATCH " Jacob Keller
2 siblings, 0 replies; 4+ messages in thread
From: Vadim Fedorenko @ 2025-08-12 12:52 UTC (permalink / raw)
To: Joshua Hay, intel-wired-lan; +Cc: netdev, larysa.zaremba, Aleksandr Loktionov
On 12/08/2025 01:19, Joshua Hay wrote:
> Free the adev->id before auxiliary_device_uninit. The call to uninit
> triggers the release callback, which frees the iadev memory containing the
> adev. The previous flow results in a UAF during rmmod due to the adev->id
> access.
>
> [264939.604077] ==================================================================
> [264939.604093] BUG: KASAN: slab-use-after-free in idpf_idc_deinit_core_aux_device+0xe4/0x100 [idpf]
> [264939.604134] Read of size 4 at addr ff1100109eb6eaf8 by task rmmod/17842
>
> ...
>
> [264939.604635] Allocated by task 17597:
> [264939.604643] kasan_save_stack+0x20/0x40
> [264939.604654] kasan_save_track+0x14/0x30
> [264939.604663] __kasan_kmalloc+0x8f/0xa0
> [264939.604672] idpf_idc_init_aux_core_dev+0x4bd/0xb60 [idpf]
> [264939.604700] idpf_idc_init+0x55/0xd0 [idpf]
> [264939.604726] process_one_work+0x658/0xfe0
> [264939.604742] worker_thread+0x6e1/0xf10
> [264939.604750] kthread+0x382/0x740
> [264939.604762] ret_from_fork+0x23a/0x310
> [264939.604772] ret_from_fork_asm+0x1a/0x30
>
> [264939.604785] Freed by task 17842:
> [264939.604790] kasan_save_stack+0x20/0x40
> [264939.604799] kasan_save_track+0x14/0x30
> [264939.604808] kasan_save_free_info+0x3b/0x60
> [264939.604820] __kasan_slab_free+0x37/0x50
> [264939.604830] kfree+0xf1/0x420
> [264939.604840] device_release+0x9c/0x210
> [264939.604850] kobject_put+0x17c/0x4b0
> [264939.604860] idpf_idc_deinit_core_aux_device+0x4f/0x100 [idpf]
> [264939.604886] idpf_vc_core_deinit+0xba/0x3a0 [idpf]
> [264939.604915] idpf_remove+0xb0/0x7c0 [idpf]
> [264939.604944] pci_device_remove+0xab/0x1e0
> [264939.604955] device_release_driver_internal+0x371/0x530
> [264939.604969] driver_detach+0xbf/0x180
> [264939.604981] bus_remove_driver+0x11b/0x2a0
> [264939.604991] pci_unregister_driver+0x2a/0x250
> [264939.605005] __do_sys_delete_module.constprop.0+0x2eb/0x540
> [264939.605014] do_syscall_64+0x64/0x2c0
> [264939.605024] entry_SYSCALL_64_after_hwframe+0x76/0x7e
>
> Fixes: f4312e6bfa2a ("idpf: implement core RDMA auxiliary dev create, init, and destroy")
> Signed-off-by: Joshua Hay <joshua.a.hay@intel.com>
> Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
> ---
> drivers/net/ethernet/intel/idpf/idpf_idc.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/net/ethernet/intel/idpf/idpf_idc.c b/drivers/net/ethernet/intel/idpf/idpf_idc.c
> index 4d2905103215..7e20a07e98e5 100644
> --- a/drivers/net/ethernet/intel/idpf/idpf_idc.c
> +++ b/drivers/net/ethernet/intel/idpf/idpf_idc.c
> @@ -247,10 +247,10 @@ static void idpf_unplug_aux_dev(struct auxiliary_device *adev)
> if (!adev)
> return;
>
> + ida_free(&idpf_idc_ida, adev->id);
> +
> auxiliary_device_delete(adev);
> auxiliary_device_uninit(adev);
> -
> - ida_free(&idpf_idc_ida, adev->id);
> }
>
> /**
Reviewed-by: Vadim Fedorenko <vadim.fedorenko@linux.dev>
^ permalink raw reply [flat|nested] 4+ messages in thread
* RE: [Intel-wired-lan] [PATCH iwl-net] idpf: fix UAF in RDMA core aux dev deinitialization
2025-08-12 0:19 [Intel-wired-lan][PATCH iwl-net] idpf: fix UAF in RDMA core aux dev deinitialization Joshua Hay
2025-08-12 12:52 ` Vadim Fedorenko
@ 2025-08-29 17:23 ` Salin, Samuel
2025-08-29 21:07 ` [Intel-wired-lan][PATCH " Jacob Keller
2 siblings, 0 replies; 4+ messages in thread
From: Salin, Samuel @ 2025-08-29 17:23 UTC (permalink / raw)
To: Hay, Joshua A, intel-wired-lan@lists.osuosl.org
Cc: netdev@vger.kernel.org, Zaremba, Larysa, Hay, Joshua A,
Loktionov, Aleksandr
> -----Original Message-----
> From: Intel-wired-lan <intel-wired-lan-bounces@osuosl.org> On Behalf Of
> Joshua Hay
> Sent: Monday, August 11, 2025 5:19 PM
> To: intel-wired-lan@lists.osuosl.org
> Cc: netdev@vger.kernel.org; Zaremba, Larysa <larysa.zaremba@intel.com>;
> Hay, Joshua A <joshua.a.hay@intel.com>; Loktionov, Aleksandr
> <aleksandr.loktionov@intel.com>
> Subject: [Intel-wired-lan] [PATCH iwl-net] idpf: fix UAF in RDMA core aux dev
> deinitialization
>
> Free the adev->id before auxiliary_device_uninit. The call to uninit triggers the
> release callback, which frees the iadev memory containing the adev. The
> previous flow results in a UAF during rmmod due to the adev->id access.
>
> [264939.604077]
> ==================================================================
> [264939.604093] BUG: KASAN: slab-use-after-free in
> idpf_idc_deinit_core_aux_device+0xe4/0x100 [idpf] [264939.604134] Read
> of size 4 at addr ff1100109eb6eaf8 by task rmmod/17842
>
> ...
>
> [264939.604635] Allocated by task 17597:
> [264939.604643] kasan_save_stack+0x20/0x40 [264939.604654]
> kasan_save_track+0x14/0x30 [264939.604663] __kasan_kmalloc+0x8f/0xa0
> [264939.604672] idpf_idc_init_aux_core_dev+0x4bd/0xb60 [idpf]
> [264939.604700] idpf_idc_init+0x55/0xd0 [idpf] [264939.604726]
> process_one_work+0x658/0xfe0 [264939.604742]
> worker_thread+0x6e1/0xf10 [264939.604750] kthread+0x382/0x740
> [264939.604762] ret_from_fork+0x23a/0x310 [264939.604772]
> ret_from_fork_asm+0x1a/0x30
>
> [264939.604785] Freed by task 17842:
> [264939.604790] kasan_save_stack+0x20/0x40 [264939.604799]
> kasan_save_track+0x14/0x30 [264939.604808]
> kasan_save_free_info+0x3b/0x60 [264939.604820]
> __kasan_slab_free+0x37/0x50 [264939.604830] kfree+0xf1/0x420
> [264939.604840] device_release+0x9c/0x210 [264939.604850]
> kobject_put+0x17c/0x4b0 [264939.604860]
> idpf_idc_deinit_core_aux_device+0x4f/0x100 [idpf] [264939.604886]
> idpf_vc_core_deinit+0xba/0x3a0 [idpf] [264939.604915]
> idpf_remove+0xb0/0x7c0 [idpf] [264939.604944]
> pci_device_remove+0xab/0x1e0 [264939.604955]
> device_release_driver_internal+0x371/0x530
> [264939.604969] driver_detach+0xbf/0x180 [264939.604981]
> bus_remove_driver+0x11b/0x2a0 [264939.604991]
> pci_unregister_driver+0x2a/0x250 [264939.605005]
> __do_sys_delete_module.constprop.0+0x2eb/0x540
> [264939.605014] do_syscall_64+0x64/0x2c0 [264939.605024]
> entry_SYSCALL_64_after_hwframe+0x76/0x7e
>
> Fixes: f4312e6bfa2a ("idpf: implement core RDMA auxiliary dev create, init,
> and destroy")
> Signed-off-by: Joshua Hay <joshua.a.hay@intel.com>
> Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
> ---
> 2.39.2
Tested-by: Samuel Salin <Samuel.salin@intel.com>
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [Intel-wired-lan][PATCH iwl-net] idpf: fix UAF in RDMA core aux dev deinitialization
2025-08-12 0:19 [Intel-wired-lan][PATCH iwl-net] idpf: fix UAF in RDMA core aux dev deinitialization Joshua Hay
2025-08-12 12:52 ` Vadim Fedorenko
2025-08-29 17:23 ` [Intel-wired-lan] [PATCH " Salin, Samuel
@ 2025-08-29 21:07 ` Jacob Keller
2 siblings, 0 replies; 4+ messages in thread
From: Jacob Keller @ 2025-08-29 21:07 UTC (permalink / raw)
To: Joshua Hay, intel-wired-lan; +Cc: netdev, larysa.zaremba, Aleksandr Loktionov
[-- Attachment #1.1: Type: text/plain, Size: 3029 bytes --]
On 8/11/2025 5:19 PM, Joshua Hay wrote:
> Free the adev->id before auxiliary_device_uninit. The call to uninit
> triggers the release callback, which frees the iadev memory containing the
> adev. The previous flow results in a UAF during rmmod due to the adev->id
> access.
>
> [264939.604077] ==================================================================
> [264939.604093] BUG: KASAN: slab-use-after-free in idpf_idc_deinit_core_aux_device+0xe4/0x100 [idpf]
> [264939.604134] Read of size 4 at addr ff1100109eb6eaf8 by task rmmod/17842
>
> ...
>
> [264939.604635] Allocated by task 17597:
> [264939.604643] kasan_save_stack+0x20/0x40
> [264939.604654] kasan_save_track+0x14/0x30
> [264939.604663] __kasan_kmalloc+0x8f/0xa0
> [264939.604672] idpf_idc_init_aux_core_dev+0x4bd/0xb60 [idpf]
> [264939.604700] idpf_idc_init+0x55/0xd0 [idpf]
> [264939.604726] process_one_work+0x658/0xfe0
> [264939.604742] worker_thread+0x6e1/0xf10
> [264939.604750] kthread+0x382/0x740
> [264939.604762] ret_from_fork+0x23a/0x310
> [264939.604772] ret_from_fork_asm+0x1a/0x30
>
> [264939.604785] Freed by task 17842:
> [264939.604790] kasan_save_stack+0x20/0x40
> [264939.604799] kasan_save_track+0x14/0x30
> [264939.604808] kasan_save_free_info+0x3b/0x60
> [264939.604820] __kasan_slab_free+0x37/0x50
> [264939.604830] kfree+0xf1/0x420
> [264939.604840] device_release+0x9c/0x210
> [264939.604850] kobject_put+0x17c/0x4b0
> [264939.604860] idpf_idc_deinit_core_aux_device+0x4f/0x100 [idpf]
> [264939.604886] idpf_vc_core_deinit+0xba/0x3a0 [idpf]
> [264939.604915] idpf_remove+0xb0/0x7c0 [idpf]
> [264939.604944] pci_device_remove+0xab/0x1e0
> [264939.604955] device_release_driver_internal+0x371/0x530
> [264939.604969] driver_detach+0xbf/0x180
> [264939.604981] bus_remove_driver+0x11b/0x2a0
> [264939.604991] pci_unregister_driver+0x2a/0x250
> [264939.605005] __do_sys_delete_module.constprop.0+0x2eb/0x540
> [264939.605014] do_syscall_64+0x64/0x2c0
> [264939.605024] entry_SYSCALL_64_after_hwframe+0x76/0x7e
>
> Fixes: f4312e6bfa2a ("idpf: implement core RDMA auxiliary dev create, init, and destroy")
> Signed-off-by: Joshua Hay <joshua.a.hay@intel.com>
> Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
> ---
> drivers/net/ethernet/intel/idpf/idpf_idc.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/net/ethernet/intel/idpf/idpf_idc.c b/drivers/net/ethernet/intel/idpf/idpf_idc.c
> index 4d2905103215..7e20a07e98e5 100644
> --- a/drivers/net/ethernet/intel/idpf/idpf_idc.c
> +++ b/drivers/net/ethernet/intel/idpf/idpf_idc.c
> @@ -247,10 +247,10 @@ static void idpf_unplug_aux_dev(struct auxiliary_device *adev)
> if (!adev)
> return;
>
> + ida_free(&idpf_idc_ida, adev->id);
> +
> auxiliary_device_delete(adev);
> auxiliary_device_uninit(adev);
> -
> - ida_free(&idpf_idc_ida, adev->id);
Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
> }
>
> /**
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 236 bytes --]
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2025-08-29 21:07 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-08-12 0:19 [Intel-wired-lan][PATCH iwl-net] idpf: fix UAF in RDMA core aux dev deinitialization Joshua Hay
2025-08-12 12:52 ` Vadim Fedorenko
2025-08-29 17:23 ` [Intel-wired-lan] [PATCH " Salin, Samuel
2025-08-29 21:07 ` [Intel-wired-lan][PATCH " Jacob Keller
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).