cxgb4: fix use after free bugs caused by circular dependency problem
mainline inclusion from mainline-v6.3-rc1 commit e50b9b9e category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I7QE3L CVE: CVE-2023-4133 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e50b9b9e8610d47b7c22529443e45a16b1ea3a15 -------------------------------- The flower_stats_timer can schedule flower_stats_work and flower_stats_work can also arm the flower_stats_timer. The process is shown below: ----------- timer schedules work ------------ ch_flower_stats_cb() //timer handler schedule_work(&adap->flower_stats_work); ----------- work arms timer ------------ ch_flower_stats_handler() //workqueue callback function mod_timer(&adap->flower_stats_timer, ...); When the cxgb4 device is detaching, the timer and workqueue could still be rearmed. The process is shown below: (cleanup routine) | (timer and workqueue routine) remove_one() | free_some_resources() | ch_flower_stats_cb() //timer cxgb4_cleanup_tc_flower() | schedule_work() del_timer_sync() | | ch_flower_stats_handler() //workqueue | mod_timer() cancel_work_sync() | kfree(adapter) //FREE | ch_flower_stats_cb() //timer | adap->flower_stats_work //USE This patch changes del_timer_sync() to timer_shutdown_sync(), which could prevent rearming of the timer from the workqueue. Fixes: e0f911c8 ("cxgb4: fetch stats for offloaded tc flower flows") Signed-off-by: NDuoming Zhou <duoming@zju.edu.cn> Link: https://lore.kernel.org/r/20230415081227.7463-1-duoming@zju.edu.cnSigned-off-by: NPaolo Abeni <pabeni@redhat.com> Signed-off-by: NZhengchao Shao <shaozhengchao@huawei.com> (cherry picked from commit 6ff4dd3f)
Showing
想要评论请 注册 或 登录