Re: [PATCH net] ice: arfs: fix use-after-free when freeing @rx_cpu_rmap
From: Ivan Vecera
Date: Mon Apr 04 2022 - 11:01:54 EST
On Mon, 4 Apr 2022 15:28:32 +0200
Alexander Lobakin <alexandr.lobakin@xxxxxxxxx> wrote:
> The CI testing bots triggered the following splat:
>
> ...
> This is due to that free_irq_cpu_rmap() is always being called
> *after* (devm_)free_irq() and thus it tries to work with IRQ descs
> already freed. For example, on device reset the driver frees the
> rmap right before allocating a new one (the splat above).
> Make rmap creation and freeing function symmetrical with
> {request,free}_irq() calls i.e. do that on ifup/ifdown instead
> of device probe/remove/resume. These operations can be performed
> independently from the actual device aRFS configuration.
> Also, make sure ice_vsi_free_irq() clears IRQ affinity notifiers
> only when aRFS is disabled -- otherwise, CPU rmap sets and clears
> its own and they must not be touched manually.
>
> Fixes: 28bf26724fdb0 ("ice: Implement aRFS")
> Co-developed-by: Ivan Vecera <ivecera@xxxxxxxxxx>
> Signed-off-by: Ivan Vecera <ivecera@xxxxxxxxxx>
> Signed-off-by: Alexander Lobakin <alexandr.lobakin@xxxxxxxxx>
> ---
> Netdev folks, some more urgent stuff, would like to have this in
> -net directly.
>
> Ivan, I probably should've waited for your response regarding
> signatures, hope you'll approve this one :p Feel free to review
> and/or test.
That's ok, Alex. You did it the way I prefer :-P.
Will test.
Ivan