Patch "igb: Do not free q_vector unless new one was allocated" has been added to the 4.19-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Sun, 25 Dec 2022 11:49:40 -0500

This is a note to let you know that I've just added the patch titled

    igb: Do not free q_vector unless new one was allocated

to the 4.19-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     igb-do-not-free-q_vector-unless-new-one-was-allocate.patch
and it can be found in the queue-4.19 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 08fcb24a4e311d89644e6eb5e7ed3bbaa33d1951
Author: Kees Cook <keescook@xxxxxxxxxxxx>
Date:   Tue Oct 18 02:25:24 2022 -0700

    igb: Do not free q_vector unless new one was allocated
    
    [ Upstream commit 0668716506ca66f90d395f36ccdaebc3e0e84801 ]
    
    Avoid potential use-after-free condition under memory pressure. If the
    kzalloc() fails, q_vector will be freed but left in the original
    adapter->q_vector[v_idx] array position.
    
    Cc: Jesse Brandeburg <jesse.brandeburg@xxxxxxxxx>
    Cc: Tony Nguyen <anthony.l.nguyen@xxxxxxxxx>
    Cc: "David S. Miller" <davem@xxxxxxxxxxxxx>
    Cc: Eric Dumazet <edumazet@xxxxxxxxxx>
    Cc: Jakub Kicinski <kuba@xxxxxxxxxx>
    Cc: Paolo Abeni <pabeni@xxxxxxxxxx>
    Cc: intel-wired-lan@xxxxxxxxxxxxxxxx
    Cc: netdev@xxxxxxxxxxxxxxx
    Signed-off-by: Kees Cook <keescook@xxxxxxxxxxxx>
    Reviewed-by: Michael J. Ruhl <michael.j.ruhl@xxxxxxxxx>
    Reviewed-by: Jacob Keller <jacob.e.keller@xxxxxxxxx>
    Tested-by: Gurucharan <gurucharanx.g@xxxxxxxxx> (A Contingent worker at Intel)
    Signed-off-by: Tony Nguyen <anthony.l.nguyen@xxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c
index 3d2dd15859cb..87f98170ac93 100644
--- a/drivers/net/ethernet/intel/igb/igb_main.c
+++ b/drivers/net/ethernet/intel/igb/igb_main.c
@@ -1211,8 +1211,12 @@ static int igb_alloc_q_vector(struct igb_adapter *adapter,
 	if (!q_vector) {
 		q_vector = kzalloc(size, GFP_KERNEL);
 	} else if (size > ksize(q_vector)) {
-		kfree_rcu(q_vector, rcu);
-		q_vector = kzalloc(size, GFP_KERNEL);
+		struct igb_q_vector *new_q_vector;
+
+		new_q_vector = kzalloc(size, GFP_KERNEL);
+		if (new_q_vector)
+			kfree_rcu(q_vector, rcu);
+		q_vector = new_q_vector;
 	} else {
 		memset(q_vector, 0, size);
 	}






