> -----Original Message-----
> From: Intel-wired-lan <[email protected]> On Behalf Of
> Joshua Hay
> Sent: Monday, August 11, 2025 5:19 PM
> To: [email protected]
> Cc: [email protected]; Zaremba, Larysa <[email protected]>;
> Hay, Joshua A <[email protected]>; Loktionov, Aleksandr
> <[email protected]>
> Subject: [Intel-wired-lan] [PATCH iwl-net] idpf: fix UAF in RDMA core aux dev
> deinitialization
>
> Free the adev->id before auxiliary_device_uninit. The call to uninit triggers
> the release callback, which frees the iadev memory containing the adev. The
> previous flow results in a UAF during rmmod due to the adev->id access.
>
> [264939.604077] ==================================================================
> [264939.604093] BUG: KASAN: slab-use-after-free in idpf_idc_deinit_core_aux_device+0xe4/0x100 [idpf]
> [264939.604134] Read of size 4 at addr ff1100109eb6eaf8 by task rmmod/17842
>
> ...
>
> [264939.604635] Allocated by task 17597:
> [264939.604643] kasan_save_stack+0x20/0x40
> [264939.604654] kasan_save_track+0x14/0x30
> [264939.604663] __kasan_kmalloc+0x8f/0xa0
> [264939.604672] idpf_idc_init_aux_core_dev+0x4bd/0xb60 [idpf]
> [264939.604700] idpf_idc_init+0x55/0xd0 [idpf]
> [264939.604726] process_one_work+0x658/0xfe0
> [264939.604742] worker_thread+0x6e1/0xf10
> [264939.604750] kthread+0x382/0x740
> [264939.604762] ret_from_fork+0x23a/0x310
> [264939.604772] ret_from_fork_asm+0x1a/0x30
>
> [264939.604785] Freed by task 17842:
> [264939.604790] kasan_save_stack+0x20/0x40
> [264939.604799] kasan_save_track+0x14/0x30
> [264939.604808] kasan_save_free_info+0x3b/0x60
> [264939.604820] __kasan_slab_free+0x37/0x50
> [264939.604830] kfree+0xf1/0x420
> [264939.604840] device_release+0x9c/0x210
> [264939.604850] kobject_put+0x17c/0x4b0
> [264939.604860] idpf_idc_deinit_core_aux_device+0x4f/0x100 [idpf]
> [264939.604886] idpf_vc_core_deinit+0xba/0x3a0 [idpf]
> [264939.604915] idpf_remove+0xb0/0x7c0 [idpf]
> [264939.604944] pci_device_remove+0xab/0x1e0
> [264939.604955] device_release_driver_internal+0x371/0x530
> [264939.604969] driver_detach+0xbf/0x180
> [264939.604981] bus_remove_driver+0x11b/0x2a0
> [264939.604991] pci_unregister_driver+0x2a/0x250
> [264939.605005] __do_sys_delete_module.constprop.0+0x2eb/0x540
> [264939.605014] do_syscall_64+0x64/0x2c0
> [264939.605024] entry_SYSCALL_64_after_hwframe+0x76/0x7e
>
> Fixes: f4312e6bfa2a ("idpf: implement core RDMA auxiliary dev create, init, and destroy")
> Signed-off-by: Joshua Hay <[email protected]>
> Reviewed-by: Aleksandr Loktionov <[email protected]>
> ---
> 2.39.2
Tested-by: Samuel Salin <[email protected]>
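
The ordering problem described in the commit message above, as an added user-space model (not code from the patch or the idpf driver). The ID allocator, the static slot standing in for slab memory, and all function names are assumptions made for illustration; the slot is static so that the stale read is well-defined here and its effect can be observed.

```c
#include <string.h>

/* Constructed user-space model: names follow the commit message, not the driver source. */
struct adev { unsigned int id; void (*release)(struct adev *); };
struct iadev { struct adev adev; };      /* container embedding the adev */

static struct iadev slot;                /* static "slab" slot, so reads after release stay defined */
static unsigned char id_used[8];         /* hypothetical ID allocator backing adev->id */

static unsigned int id_alloc(void) {
    for (unsigned int i = 0; i < 8; i++)
        if (!id_used[i]) { id_used[i] = 1; return i; }
    return 8;                            /* exhausted; not reached in this model */
}

/* Returns 0 on success, -1 when asked to free an id that was never handed out. */
static int id_free(unsigned int id) {
    if (id >= 8 || !id_used[id]) return -1;
    id_used[id] = 0;
    return 0;
}

/* Release callback: "frees" the container by poisoning it like a freed slab object. */
static void iadev_release(struct adev *adev) {
    memset((struct iadev *)adev, 0x6b, sizeof(struct iadev));
}

static struct adev *model_init(void) {
    slot.adev.id = id_alloc();
    slot.adev.release = iadev_release;
    return &slot.adev;
}

/* Stand-in for auxiliary_device_uninit(): dropping the last reference runs release. */
static void model_uninit(struct adev *adev) { adev->release(adev); }

/* Previous flow: uninit first, then adev->id is read from released memory. */
static int deinit_previous(struct adev *adev) {
    model_uninit(adev);
    return id_free(adev->id);            /* sees 0x6b6b6b6b, so the real id is never freed */
}

/* Fixed flow: free the id while the container is still alive. */
static int deinit_fixed(struct adev *adev) {
    int ret = id_free(adev->id);
    model_uninit(adev);
    return ret;
}
```

In the model the previous flow hands a poisoned value to the allocator and leaves the real id allocated; in the kernel the same read touches freed slab memory, which is what KASAN reports.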