git.ipfire.org Git - thirdparty/kernel/stable.git/commit

author	Duoming Zhou <duoming@zju.edu.cn>
	Sat, 15 Apr 2023 08:12:27 +0000 (16:12 +0800)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Wed, 26 Apr 2023 12:29:57 +0000 (14:29 +0200)
commit	7977bb80817b552d97bcc8a1ddf2b3029ca5b6a8
tree	233ea3103e581079aa252285c24bf13dc6c01d23	tree
parent	076574cd3276ea6114fbe1e830f442da7965b8dd	commit \| diff

cxgb4: fix use after free bugs caused by circular dependency problem

[ Upstream commit e50b9b9e8610d47b7c22529443e45a16b1ea3a15 ]

The flower_stats_timer can schedule flower_stats_work and
flower_stats_work can also arm the flower_stats_timer. The
process is shown below:

----------- timer schedules work ------------
ch_flower_stats_cb() //timer handler
  schedule_work(&adap->flower_stats_work);

----------- work arms timer ------------
ch_flower_stats_handler() //workqueue callback function
  mod_timer(&adap->flower_stats_timer, ...);

When the cxgb4 device is detaching, the timer and workqueue
could still be rearmed. The process is shown below:

  (cleanup routine)           | (timer and workqueue routine)
remove_one()                  |
  free_some_resources()       | ch_flower_stats_cb() //timer
    cxgb4_cleanup_tc_flower() |   schedule_work()
      del_timer_sync()        |
                              | ch_flower_stats_handler() //workqueue
                              |   mod_timer()
      cancel_work_sync()      |
  kfree(adapter) //FREE       | ch_flower_stats_cb() //timer
                              |   adap->flower_stats_work //USE

This patch changes del_timer_sync() to timer_shutdown_sync(),
which could prevent rearming of the timer from the workqueue.

Fixes: e0f911c81e93 ("cxgb4: fetch stats for offloaded tc flower flows")
Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
Link: https://lore.kernel.org/r/20230415081227.7463-1-duoming@zju.edu.cn
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>