From ed644a1262a3a668ce4fb81a9be42c05cc4683fa Mon Sep 17 00:00:00 2001
From: Jiri Slaby <jslaby@suse.cz>
Date: Apr 20 2023 11:00:25 +0000
Subject: 9p/xen : Fix use after free bug in xen_9pfs_front_remove due to race condition (bsc#1012628).
---
diff --git a/patches.kernel.org/6.2.12-047-9p-xen-Fix-use-after-free-bug-in-xen_9pfs_fron.patch b/patches.kernel.org/6.2.12-047-9p-xen-Fix-use-after-free-bug-in-xen_9pfs_fron.patch
new file mode 100644
index 0000000..526a18b
--- /dev/null
+++ b/patches.kernel.org/6.2.12-047-9p-xen-Fix-use-after-free-bug-in-xen_9pfs_fron.patch
@@ -0,0 +1,62 @@
+From: Zheng Wang <zyytlz.wz@163.com>
+Date: Mon, 13 Mar 2023 22:43:25 +0800
+Subject: [PATCH] 9p/xen : Fix use after free bug in xen_9pfs_front_remove due
+ to race condition
+References: bsc#1012628
+Patch-mainline: 6.2.12
+Git-commit: ea4f1009408efb4989a0f139b70fb338e7f687d0
+
+[ Upstream commit ea4f1009408efb4989a0f139b70fb338e7f687d0 ]
+
+In xen_9pfs_front_probe, it calls xen_9pfs_front_alloc_dataring
+to init priv->rings and bound &ring->work with p9_xen_response.
+
+When it calls xen_9pfs_front_event_handler to handle IRQ requests,
+it will finally call schedule_work to start the work.
+
+When we call xen_9pfs_front_remove to remove the driver, there
+may be a sequence as follows:
+
+Fix it by finishing the work before cleanup in xen_9pfs_front_free.
+
+Note that, this bug is found by static analysis, which might be
+false positive.
+
+CPU0 CPU1
+
+ |p9_xen_response
+xen_9pfs_front_remove|
+ xen_9pfs_front_free|
+kfree(priv) |
+//free priv |
+ |p9_tag_lookup
+ |//use priv->client
+
+Fixes: 71ebd71921e4 ("xen/9pfs: connect to the backend")
+Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
+Reviewed-by: Michal Swiatkowski <michal.swiatkowski@linux.intel.com>
+Signed-off-by: Eric Van Hensbergen <ericvh@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/9p/trans_xen.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/net/9p/trans_xen.c b/net/9p/trans_xen.c
+index c64050e8..1fffe2be 100644
+--- a/net/9p/trans_xen.c
++++ b/net/9p/trans_xen.c
+@@ -280,6 +280,10 @@ static void xen_9pfs_front_free(struct xen_9pfs_front_priv *priv)
+ write_unlock(&xen_9pfs_lock);
+
+ for (i = 0; i < priv->num_rings; i++) {
++ struct xen_9pfs_dataring *ring = &priv->rings[i];
++
++ cancel_work_sync(&ring->work);
++
+ if (!priv->rings[i].intf)
+ break;
+ if (priv->rings[i].irq > 0)
+--
+2.35.3
+
diff --git a/series.conf b/series.conf
index ecec66c..8315efb 100644
--- a/series.conf
+++ b/series.conf
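Review bot: The new `cancel_work_sync(&ring->work);` is placed above the `if (priv->rings[i].irq > 0)` branch at the bottom of the hunk, so the ring's event channel is still bound while the work is being flushed; the commit message says the IRQ handler ends in `schedule_work`, so an interrupt that lands after the cancel returns can re-queue the work, which then runs against `priv` after the `kfree(priv)` this patch is meant to guard — the same race in a narrower window. I would move the cancel below that branch (whose body is outside the hunk and presumably unbinds the handler), so the order becomes unbind first, then `cancel_work_sync(&priv->rings[i].work);`, and nothing can schedule the work once it has been flushed. The cancel also sits above the `if (!priv->rings[i].intf) break;` sentinel, so it is applied to the work_struct of rings that probe may never have initialised if setup stopped early; placing it after the sentinel avoids that as well. With the cancel moved, the `ring` local introduced only for it can be dropped to match the `priv->rings[i]` style of the surrounding lines. xen_9pfs_front_free starts and ends outside this hunk.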
@@ -2274,6 +2274,7 @@ patches.kernel.org/6.2.12-044-dmaengine-apple-admac-Handle-global-interrupt-.patch patches.kernel.org/6.2.12-045-dmaengine-apple-admac-Set-src_addr_widths-capa.patch patches.kernel.org/6.2.12-046-dmaengine-apple-admac-Fix-current_tx-not-getti.patch + patches.kernel.org/6.2.12-047-9p-xen-Fix-use-after-free-bug-in-xen_9pfs_fron.patch ######################################################## # Build fixes that apply to the vanilla kernel too.