On 4/8/2023 7:00 AM, Ding Hui wrote:
We do netif_napi_add() for all allocated q_vectors[], but potentially
do netif_napi_del() for part of them, then kfree q_vectors and leave
invalid pointers at dev->napi_list.
If num_active_queues is unexpectedly changed to less than allocated q_vectors[],
then at iavf_remove we might see a UAF in free_netdev like this:
[ 4093.900222] ==================================================================
[ 4093.900230] BUG: KASAN: use-after-free in free_netdev+0x308/0x390
[ 4093.900232] Read of size 8 at addr ffff88b4dc145640 by task test-iavf-1.sh/6699
...
Fix it by letting netif_napi_del() match to netif_napi_add().
Should this have a Fixes:?
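
The add/del mismatch described in the quoted commit message, as an added example that is not part of the original thread or the iavf driver. It is a userspace C model: the `model_*` helpers and struct layouts are hypothetical stand-ins for netif_napi_add(), netif_napi_del() and dev->napi_list.

```c
#include <stdio.h>
#include <stdlib.h>

/* Userspace model, not kernel code: a device keeps a linked list of
 * registered NAPI contexts, each embedded in a q_vector. */
struct napi { struct napi *next; };
struct q_vector { struct napi napi; };
struct dev { struct napi *napi_list; };

static void model_napi_add(struct dev *d, struct napi *n)
{
    n->next = d->napi_list;
    d->napi_list = n;
}

static void model_napi_del(struct dev *d, struct napi *n)
{
    for (struct napi **pp = &d->napi_list; *pp; pp = &(*pp)->next)
        if (*pp == n) { *pp = n->next; n->next = NULL; return; }
}

/* Register `allocated` vectors, unregister `deleted` of them, and return how
 * many list entries would point into freed memory once q_vectors is freed. */
static int stale_entries_after_teardown(int allocated, int deleted)
{
    struct dev d = { NULL };
    struct q_vector *qv = calloc((size_t)allocated, sizeof(*qv));
    int i, stale = 0;

    if (!qv) return -1;
    for (i = 0; i < allocated; i++)
        model_napi_add(&d, &qv[i].napi);
    for (i = 0; i < deleted && i < allocated; i++)
        model_napi_del(&d, &qv[i].napi);
    /* Count while the memory is still valid; after free() each of these
     * would be a dangling pointer that a later list walk dereferences. */
    for (struct napi *n = d.napi_list; n; n = n->next)
        stale++;
    d.napi_list = NULL;   /* drop the list first so the model itself is safe */
    free(qv);
    return stale;
}

int main(void)
{
    printf("del for 2 of 4: %d stale\n", stale_entries_after_teardown(4, 2));
    printf("del for 4 of 4: %d stale\n", stale_entries_after_teardown(4, 4));
    return 0;
}
```

Deleting over the same range that was added leaves no entries behind, which is the matching the commit message asks for.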