Vulnerability Database

In the Linux kernel, the following vulnerability has been resolved:

net: netpoll: fix incorrect refcount handling causing incorrect cleanup

commit efa95b01da18 ("netpoll: fix use after free") incorrectly ignored the refcount and prematurely set dev->npinfo to NULL during netpoll cleanup, leading to improper behavior and memory leaks.

Scenario causing lack of proper cleanup:

1. A netpoll is associated with a NIC (e.g., eth0) and netdev->npinfo is allocated, and refcnt = 1

   • Keep in mind that npinfo is shared among all netpoll instances. In this case, there is just one.

2. Another netpoll is also associated with the same NIC and npinfo->refcnt += 1.

   • Now dev->npinfo->refcnt = 2;
   • There is just one npinfo associated to the netdev.

3. When the first netpolls goes to clean up:

   • The first cleanup succeeds and clears np->dev->npinfo, ignoring refcnt.
     • It basically calls RCU_INIT_POINTER(np->dev->npinfo, NULL);
   • Set dev->npinfo = NULL, without proper cleanup
   • No ->ndo_netpoll_cleanup() is either called

4. Now the second target tries to clean up

   • The second cleanup fails because np->dev->npinfo is already NULL.
     • In this case, ops->ndo_netpoll_cleanup() was never called, and the skb pool is not cleaned as well (for the second netpoll instance)

• This leaks npinfo and skbpool skbs, which is clearly reported by kmemleak.

Revert commit efa95b01da18 ("netpoll: fix use after free") and adds clarifying comments emphasizing that npinfo cleanup should only happen once the refcount reaches zero, ensuring stable and correct netpoll behavior.