From patchwork Tue May 9 20:10:01 2023
X-Patchwork-Submitter: Yuxuan Luo
X-Patchwork-Id: 1779119
From: Yuxuan Luo
To: kernel-team@lists.ubuntu.com
Subject: [SRU][OEM-5.17/OEM-6.0][PATCH 1/1] xirc2ps_cs: Fix use after free bug in xirc2ps_detach
Date: Tue, 9 May 2023 16:10:01 -0400
Message-Id: <20230509201001.53351-2-yuxuan.luo@canonical.com>
In-Reply-To: <20230509201001.53351-1-yuxuan.luo@canonical.com>
References: <20230509201001.53351-1-yuxuan.luo@canonical.com>

From: Zheng Wang

In xirc2ps_probe, the local->tx_timeout_task was bounded
with xirc2ps_tx_timeout_task. When timeout occurs,
it will call xirc_tx_timeout->schedule_work to start the
work.

When we call xirc2ps_detach to remove the driver, there
may be a sequence as follows:

Stop responding to timeout tasks and complete scheduled
tasks before cleanup in xirc2ps_detach, which will fix
the problem.

CPU0                  CPU1

                    |xirc2ps_tx_timeout_task
xirc2ps_detach      |
  free_netdev       |
    kfree(dev);     |
                    |
                    | do_reset
                    |   //use dev

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Zheng Wang
Signed-off-by: David S. Miller
(cherry picked from commit e8d20c3ded59a092532513c9bd030d1ea66f5f44)
CVE-2023-1670
Signed-off-by: Yuxuan Luo
---
 drivers/net/ethernet/xircom/xirc2ps_cs.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/net/ethernet/xircom/xirc2ps_cs.c b/drivers/net/ethernet/xircom/xirc2ps_cs.c index fd5288ff53b53..e3438cef5f9c6 100644 --- a/drivers/net/ethernet/xircom/xirc2ps_cs.c +++ b/drivers/net/ethernet/xircom/xirc2ps_cs.c
@@ -503,6 +503,11 @@ static void xirc2ps_detach(struct pcmcia_device *link) { struct net_device *dev = link->priv; + struct local_info *local = netdev_priv(dev); + + netif_carrier_off(dev); + netif_tx_disable(dev); + cancel_work_sync(&local->tx_timeout_task); dev_dbg(&link->dev, "detach\n");
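Review bot: The three added calls at the top of xirc2ps_detach() carry no comment explaining why they must run in this order, and the fix depends on that order. cancel_work_sync(&local->tx_timeout_task) only waits for work that is already queued or running; per the commit message the work is queued from the tx timeout path via schedule_work, so the cancel is only final if netif_carrier_off(dev) and netif_tx_disable(dev) have already stopped new timeouts from being raised. A short comment above the block saying "stop the tx timeout source first, then flush tx_timeout_task, all before the netdev is freed" would keep a later cleanup from reordering or dropping one of the calls. The free_netdev() call that this has to precede is below the visible context, so for the OEM-5.17 and OEM-6.0 backports it is worth confirming that nothing between dev_dbg() and the free can re-arm the work.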