6.1-stable patches

added patches:
	hsi-ssi_protocol-fix-use-after-free-vulnerability-in-ssi_protocol-driver-due-to-race-condition.patch

diff --git a/queue-6.1/hsi-ssi_protocol-fix-use-after-free-vulnerability-in-ssi_protocol-driver-due-to-race-condition.patch b/queue-6.1/hsi-ssi_protocol-fix-use-after-free-vulnerability-in-ssi_protocol-driver-due-to-race-condition.patch
new file mode 100644 (file)
index 0000000..ecb6bf5
--- /dev/null
+++ b/queue-6.1/hsi-ssi_protocol-fix-use-after-free-vulnerability-in-ssi_protocol-driver-due-to-race-condition.patch
@@ -0,0 +1,49 @@
+From e3f88665a78045fe35c7669d2926b8d97b892c11 Mon Sep 17 00:00:00 2001
+From: Kaixin Wang <kxwang23@m.fudan.edu.cn>
+Date: Wed, 18 Sep 2024 20:07:50 +0800
+Subject: HSI: ssi_protocol: Fix use after free vulnerability in ssi_protocol Driver Due to Race Condition
+
+From: Kaixin Wang <kxwang23@m.fudan.edu.cn>
+
+commit e3f88665a78045fe35c7669d2926b8d97b892c11 upstream.
+
+In the ssi_protocol_probe() function, &ssi->work is bound with
+ssip_xmit_work(), In ssip_pn_setup(), the ssip_pn_xmit() function
+within the ssip_pn_ops structure is capable of starting the
+work.
+
+If we remove the module which will call ssi_protocol_remove()
+to make a cleanup, it will free ssi through kfree(ssi),
+while the work mentioned above will be used. The sequence
+of operations that may lead to a UAF bug is as follows:
+
+CPU0                                    CPU1
+
+                        | ssip_xmit_work
+ssi_protocol_remove     |
+kfree(ssi);             |
+                        | struct hsi_client *cl = ssi->cl;
+                        | // use ssi
+
+Fix it by ensuring that the work is canceled before proceeding
+with the cleanup in ssi_protocol_remove().
+
+Signed-off-by: Kaixin Wang <kxwang23@m.fudan.edu.cn>
+Acked-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Link: https://lore.kernel.org/r/20240918120749.1730-1-kxwang23@m.fudan.edu.cn
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hsi/clients/ssi_protocol.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/hsi/clients/ssi_protocol.c
++++ b/drivers/hsi/clients/ssi_protocol.c
+@@ -403,6 +403,7 @@ static void ssip_reset(struct hsi_client
+       del_timer(&ssi->rx_wd);
+       del_timer(&ssi->tx_wd);
+       del_timer(&ssi->keep_alive);
++      cancel_work_sync(&ssi->work);
+       ssi->main_state = 0;
+       ssi->send_state = 0;
+       ssi->recv_state = 0;

diff --git a/queue-6.1/series b/queue-6.1/series
index 44b67fa0ac2942545451a42aa21d2377920a5628..6c078ceddccd6443cfee7a16d0aff3f72c925cef 100644 (file)
--- a/queue-6.1/series
+++ b/queue-6.1/series
@@ -161,3 +161,4 @@ arm64-errata-add-newer-arm-cores-to-the-spectre_bhb_loop_affected-lists.patch
 acpi-platform-profile-fix-cfi-violation-when-accessing-sysfs-files.patch
 x86-e820-fix-handling-of-subpage-regions-when-calculating-nosave-ranges-in-e820__register_nosave_regions.patch
 bluetooth-hci_uart-fix-another-race-during-initialization.patch
+hsi-ssi_protocol-fix-use-after-free-vulnerability-in-ssi_protocol-driver-due-to-race-condition.patch