From: Dan Carpenter <dan.carpenter@linaro.org>
Date: Mon, 3 Mar 2025 12:02:12 +0000 (+0300)
Subject: net: Prevent use after free in netif_napi_set_irq_locked()
X-Git-Tag: v6.15-rc1~160^2~171
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f252f23ab657cd224cb8334ba69966396f3f629b;p=thirdparty%2Flinux.git

net: Prevent use after free in netif_napi_set_irq_locked()

The cpu_rmap_put() will call kfree() when the last reference is dropped
so it could result in a use after free when we dereference the same
pointer the next line.  Move the cpu_rmap_put() after the dereference.

Fixes: bd7c00605ee0 ("net: move aRFS rmap management and CPU affinity to core")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Link: https://patch.msgid.link/5a9c53a4-5487-4b8c-9ffa-d8e5343aaaaf@stanley.mountain
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
---

diff --git a/net/core/dev.c b/net/core/dev.c
index 5c9d2bd29e156..2dc705604509e 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -7072,8 +7072,8 @@ void netif_napi_set_irq_locked(struct napi_struct *napi, int irq)
 put_rmap:
 #ifdef CONFIG_RFS_ACCEL
 	if (napi->dev->rx_cpu_rmap_auto) {
-		cpu_rmap_put(napi->dev->rx_cpu_rmap);
 		napi->dev->rx_cpu_rmap->obj[napi->napi_rmap_idx] = NULL;
+		cpu_rmap_put(napi->dev->rx_cpu_rmap);
 		napi->napi_rmap_idx = -1;
 	}
 #endif