2025-09-29 21:09:30 +02:00

CVE-2024-44932

Description

In the Linux kernel, the following vulnerability has been resolved:

idpf: fix UAFs when destroying the queues

The second tagged commit started sometimes (very rarely, but possible) throwing WARNs from net/core/page_pool.c:page_pool_disable_direct_recycling().

Turned out idpf frees interrupt vectors with embedded NAPIs before freeing the queues, making page_pools' NAPI pointers lead to freed memory before these pools are destroyed by libeth.

It's not clear whether there are other accesses to the freed vectors when destroying the queues, but anyway, we usually free queue/interrupt vectors only when the queues are destroyed and the NAPIs are guaranteed to not be referenced anywhere.

Invert the allocation and freeing logic, making queue/interrupt vectors be allocated first and freed last. Vectors don't require queues to be present, so this is safe. Additionally, this change allows removing that useless queue->q_vector pointer cleanup, as vectors are still valid when freeing the queues (+ both are freed within one function, so it's not clear why nullify the pointers at all).

POC

Reference

No PoCs from references.

Github