git.ipfire.org Git - thirdparty/kernel/stable.git/commit

author	Kaixin Wang <kxwang23@m.fudan.edu.cn>
	Mon, 9 Sep 2024 17:20:07 +0000 (01:20 +0800)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Thu, 17 Oct 2024 13:11:51 +0000 (15:11 +0200)
commit	92728fceefdaa2a0a3aae675f86193b006eeaa43
tree	f649ecec822a142b41ec0f63574b04aee5563368	tree
parent	f1c9b8dc7693fd9cad7c2c9ad56978c919020043	commit \| diff

ntb: ntb_hw_switchtec: Fix use after free vulnerability in switchtec_ntb_remove due to race condition

[ Upstream commit e51aded92d42784313ba16c12f4f88cc4f973bbb ]

In the switchtec_ntb_add function, it can call switchtec_ntb_init_sndev
function, then &sndev->check_link_status_work is bound with
check_link_status_work. switchtec_ntb_link_notification may be called
to start the work.

If we remove the module which will call switchtec_ntb_remove to make
cleanup, it will free sndev through kfree(sndev), while the work
mentioned above will be used. The sequence of operations that may lead
to a UAF bug is as follows:

CPU0                                 CPU1

                        | check_link_status_work
switchtec_ntb_remove    |
kfree(sndev);           |
                        | if (sndev->link_force_down)
                        | // use sndev

Fix it by ensuring that the work is canceled before proceeding with
the cleanup in switchtec_ntb_remove.

Signed-off-by: Kaixin Wang <kxwang23@m.fudan.edu.cn>
Reviewed-by: Logan Gunthorpe <logang@deltatee.com>
Signed-off-by: Jon Mason <jdmason@kudzu.us>
Signed-off-by: Sasha Levin <sashal@kernel.org>