Hi!
commit 3116f59c12bd24c513194cd3acb3ec1f7d468954 upstream.
Using the ifconfig command to delete the ipv6 address will cause the i40e network card driver to delete its internal mac_filter, and the i40e_service_task kernel thread will concurrently access the mac_filter. These two processes are not protected by a lock, causing the following use-after-free problems.
Ok, but...
+static void netdev_hw_addr_refcnt(struct i40e_mac_filter *f,
struct net_device *netdev, int delta)
+{
- struct netdev_hw_addr *ha;
- if (!f || !netdev)
return;
- netdev_for_each_mc_addr(ha, netdev) {
if (ether_addr_equal(ha->addr, f->macaddr)) {
ha->refcount += delta;
if (ha->refcount <= 0)
ha->refcount = 1;
break;
}
- }
+}
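Review bot: the clamp `if (ha->refcount <= 0) ha->refcount = 1;` silently papers over a refcount underflow instead of exposing it; if the refcount can legitimately reach zero or below here, the commit message should say why, and otherwise this should be `WARN_ON_ONCE(ha->refcount <= 0)` so an imbalance between the add and delete paths is visible rather than hidden. The function also walks the netdev mc list with `netdev_for_each_mc_addr()` without any locking visible in the hunk, so the locking expected of callers (addr_list_lock or RTNL) should be stated in a comment above the function, given that the problem being fixed is exactly a missing lock between the delete path and i40e_service_task.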
What is going on here? Is refcount expected to underflow under normal operation? Should we at least have a WARN_ON there?
Best regards, Pavel