CVE-2022-49626

Source
https://nvd.nist.gov/vuln/detail/CVE-2022-49626
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-49626.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-49626
Related
Published
2025-02-26T07:01:37Z
Modified
2025-03-24T20:54:02.118208Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

sfc: fix use after free when disabling sriov

Use after free is detected by kfence when disabling sriov. What was read after being freed was vf->pci_dev: it was freed from pci_disable_sriov and later read in efx_ef10_sriov_free_vf_vports, called from efx_ef10_sriov_free_vf_vswitching.

Set the pointer to NULL at release time so that it is not read later.

Reproducer and dmesg log (note that kfence doesn't detect it every time):
$ echo 1 > /sys/class/net/enp65s0f0np0/device/sriov_numvfs
$ echo 0 > /sys/class/net/enp65s0f0np0/device/sriov_numvfs

BUG: KFENCE: use-after-free read in efx_ef10_sriov_free_vf_vswitching+0x82/0x170 [sfc]

Use-after-free read at 0x00000000ff3c1ba5 (in kfence-#224):
 efx_ef10_sriov_free_vf_vswitching+0x82/0x170 [sfc]
 efx_ef10_pci_sriov_disable+0x38/0x70 [sfc]
 efx_pci_sriov_configure+0x24/0x40 [sfc]
 sriov_numvfs_store+0xfe/0x140
 kernfs_fop_write_iter+0x11c/0x1b0
 new_sync_write+0x11f/0x1b0
 vfs_write+0x1eb/0x280
 ksys_write+0x5f/0xe0
 do_syscall_64+0x5c/0x80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

kfence-#224: 0x00000000edb8ef95-0x00000000671f5ce1, size=2792, cache=kmalloc-4k

allocated by task 6771 on cpu 10 at 3137.860196s:
 pci_alloc_dev+0x21/0x60
 pci_iov_add_virtfn+0x2a2/0x320
 sriov_enable+0x212/0x3e0
 efx_ef10_sriov_configure+0x67/0x80 [sfc]
 efx_pci_sriov_configure+0x24/0x40 [sfc]
 sriov_numvfs_store+0xba/0x140
 kernfs_fop_write_iter+0x11c/0x1b0
 new_sync_write+0x11f/0x1b0
 vfs_write+0x1eb/0x280
 ksys_write+0x5f/0xe0
 do_syscall_64+0x5c/0x80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

freed by task 6771 on cpu 12 at 3170.991309s:
 device_release+0x34/0x90
 kobject_cleanup+0x3a/0x130
 pci_iov_remove_virtfn+0xd9/0x120
 sriov_disable+0x30/0xe0
 efx_ef10_pci_sriov_disable+0x57/0x70 [sfc]
 efx_pci_sriov_configure+0x24/0x40 [sfc]
 sriov_numvfs_store+0xfe/0x140
 kernfs_fop_write_iter+0x11c/0x1b0
 new_sync_write+0x11f/0x1b0
 vfs_write+0x1eb/0x280
 ksys_write+0x5f/0xe0
 do_syscall_64+0x5c/0x80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
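The bug pattern the commit message describes is a driver-side cache of a pointer (vf->pci_dev) into an object that a different subsystem (the PCI core, via pci_disable_sriov) frees, followed by a reader that walks the cache afterwards. The following C model is an added illustration of that ordering problem and of the fix (clearing the cached pointer at release time); it is not the sfc driver's code or the upstream patch. All names in it (struct ef10_vf, vf_devices, sriov_enable, pci_disable_sriov, free_vf_vports, the two disable paths and the demo_* functions) are stand-ins chosen for this example, and releasing a device is modelled by poisoning a never-reused pool slot so that a stale read is observable rather than undefined behaviour, roughly the role KFENCE played in the real report.

```c
#include <stddef.h>
#include <stdio.h>

/* Added model of the stale-pointer bug, not the sfc driver's code.  Every
 * identifier below is an assumed stand-in for the similarly named kernel one. */

#define ENODEV  19
#define MAX_VFS 4
#define POISON  0xdeadbeefU   /* marker for a released device (plays KFENCE's role) */

/* Stand-in for struct pci_dev: only the field the reader touches. */
struct pci_dev {
    unsigned int magic;       /* set to POISON when the PCI core releases it */
    unsigned int devfn;
};

/* Stand-in for the driver's per-VF state that caches a pci_dev pointer. */
struct ef10_vf {
    struct pci_dev *pci_dev;
};

/* Pool standing in for the allocator.  Slots are never reused, so a read
 * through a stale pointer is detectable instead of undefined behaviour. */
static struct pci_dev vf_devices[MAX_VFS];

/* Model of sriov_enable(): one pci_dev per VF, pointer cached by the driver. */
static void sriov_enable(struct ef10_vf *vf, int nvfs)
{
    for (int i = 0; i < nvfs; i++) {
        vf_devices[i].magic = 0;
        vf_devices[i].devfn = 8 + i;   /* constructed sample devfn values */
        vf[i].pci_dev = &vf_devices[i];
    }
}

/* Model of pci_disable_sriov(): the PCI core owns and releases the VF devices
 * and knows nothing about the driver's cached pointers. */
static void pci_disable_sriov(int nvfs)
{
    for (int i = 0; i < nvfs; i++)
        vf_devices[i].magic = POISON;  /* stands in for the kfree() in device_release() */
}

/* Model of the reader in the free_vf_vswitching path.  Returns the devfn it
 * read, -ENODEV when the VF has no device, or -1 for a read through a
 * released device (the use-after-free KFENCE reported). */
static int free_vf_vports(const struct ef10_vf *vf)
{
    if (!vf->pci_dev)
        return -ENODEV;
    if (vf->pci_dev->magic == POISON)
        return -1;
    return (int)vf->pci_dev->devfn;
}

/* Vulnerable order: release the devices, then walk the cached pointers.
 * Returns how many VFs were read after being freed. */
static int sriov_disable_vulnerable(struct ef10_vf *vf, int nvfs)
{
    int stale = 0;

    pci_disable_sriov(nvfs);
    for (int i = 0; i < nvfs; i++)
        if (free_vf_vports(&vf[i]) == -1)
            stale++;
    return stale;
}

/* Fixed order: clear the cached pointers at release time, so a later reader
 * sees NULL and bails out instead of dereferencing freed memory. */
static int sriov_disable_fixed(struct ef10_vf *vf, int nvfs)
{
    int stale = 0;

    for (int i = 0; i < nvfs; i++)
        vf[i].pci_dev = NULL;
    pci_disable_sriov(nvfs);
    for (int i = 0; i < nvfs; i++)
        if (free_vf_vports(&vf[i]) == -1)
            stale++;
    return stale;
}

/* Each demo enables two VFs and returns the stale-read count of one order. */
int demo_vulnerable(void)
{
    struct ef10_vf vf[MAX_VFS];

    sriov_enable(vf, 2);
    return sriov_disable_vulnerable(vf, 2);
}

int demo_fixed(void)
{
    struct ef10_vf vf[MAX_VFS];

    sriov_enable(vf, 2);
    return sriov_disable_fixed(vf, 2);
}

int main(void)
{
    printf("stale reads, vulnerable order: %d\n", demo_vulnerable());
    printf("stale reads, fixed order:      %d\n", demo_fixed());
    return 0;
}
```

The point to take from the model is the ownership split: the object is freed by code that does not know about the driver's copy of the pointer, so the driver must invalidate its own copy at the moment it hands the object back, and readers must treat NULL as "no device" rather than assume the cache is always populated.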

References

Affected packages

Debian:11 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
5.10.136-1

Affected versions

5.*

5.10.46-4
5.10.46-5
5.10.70-1~bpo10+1
5.10.70-1
5.10.84-1
5.10.92-1~bpo10+1
5.10.92-1
5.10.92-2
5.10.103-1~bpo10+1
5.10.103-1
5.10.106-1
5.10.113-1
5.10.120-1~bpo10+1
5.10.120-1
5.10.127-1
5.10.127-2~bpo10+1
5.10.127-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
5.18.14-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
5.18.14-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}