Re: [PATCH] net: thunderx: prevent concurrent data re-writing by nicvf_set_rx_mode

From: David Miller
Date: Sun Jun 10 2018 - 15:36:08 EST


From: Vadim Lomovtsev <Vadim.Lomovtsev@xxxxxxxxxxxxxxxxxx>
Date: Fri, 8 Jun 2018 02:27:59 -0700

> + /* Save message data locally to prevent them from
> + * being overwritten by next ndo_set_rx_mode call().
> + */
> + spin_lock(&nic->rx_mode_wq_lock);
> + mode = vf_work->mode;
> + mc = vf_work->mc;
> + vf_work->mc = NULL;
> + spin_unlock(&nic->rx_mode_wq_lock);
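Review bot: once vf_work->mc has been cleared under the lock, the work function owns the 'mc' list it copied out, so it must kfree(mc) when it is done with it or every ndo_set_rx_mode() call that queued a list leaks one; the hunk as shown does not include that release, so confirm it exists further down in the same function. Minor: the comment should read "the next ndo_set_rx_mode() call" rather than "next ndo_set_rx_mode call()".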

At the moment you drop this lock, the memory behind 'mc' can be
freed up by:

> + spin_lock(&nic->rx_mode_wq_lock);
> + kfree(nic->rx_mode_work.mc);
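Review bot: this kfree only frees a list that was queued but not yet claimed by the worker, because the worker sets vf_work->mc to NULL under the same rx_mode_wq_lock before dropping it and kfree(NULL) is a no-op; that ownership rule (a non-NULL pointer under the lock belongs to whoever clears it) is the whole point of the change and deserves a comment at this call site.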

And you'll crash when you dereference it above via
__nicvf_set_rx_mode_task().