diff --git a/patches.suse/memstick-r592-Fix-UAF-bug-in-r592_remove-due-to-race.patch b/patches.suse/memstick-r592-Fix-UAF-bug-in-r592_remove-due-to-race.patch
new file mode 100644
index 0000000..8f5bd85
--- /dev/null
+++ b/patches.suse/memstick-r592-Fix-UAF-bug-in-r592_remove-due-to-race.patch
@@ -0,0 +1,53 @@
+From 63264422785021704c39b38f65a78ab9e4a186d7 Mon Sep 17 00:00:00 2001
+From: Zheng Wang
+Date: Wed, 8 Mar 2023 00:43:38 +0800
+Subject: [PATCH] memstick: r592: Fix UAF bug in r592_remove due to race condition
+Git-commit: 63264422785021704c39b38f65a78ab9e4a186d7
+Patch-mainline: v6.4-rc1
+References: bsc#1211449
+
+In r592_probe, dev->detect_timer was bound with r592_detect_timer.
+In r592_irq function, the timer function will be invoked by mod_timer.
+
+If we remove the module which will call hantro_release to make cleanup,
+there may be a unfinished work. The possible sequence is as follows,
+which will cause a typical UAF bug.
+
+Fix it by canceling the work before cleanup in r592_remove.
+
+CPU0 CPU1
+
+ |r592_detect_timer
+r592_remove |
+ memstick_free_host|
+ put_device; |
+ kfree(host); |
+ |
+ | queue_work
+ | &host->media_checker //use
+
+Signed-off-by: Zheng Wang
+Link: https://lore.kernel.org/r/20230307164338.1246287-1-zyytlz.wz@163.com
+Signed-off-by: Ulf Hansson
+Acked-by: Takashi Iwai
+
+---
+ drivers/memstick/host/r592.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/memstick/host/r592.c b/drivers/memstick/host/r592.c
+index 1d35d147552d..42bfc46842b8 100644
+--- a/drivers/memstick/host/r592.c
++++ b/drivers/memstick/host/r592.c
+@@ -829,7 +829,7 @@ static void r592_remove(struct pci_dev *pdev)
+ /* Stop the processing thread.
+ That ensures that we won't take any more requests */
+ kthread_stop(dev->io_thread);
+-
++ del_timer_sync(&dev->detect_timer);
+ r592_enable_device(dev, false);
+
+ while (!error && dev->req) {
+--
+2.35.3
+
diff --git a/series.conf b/series.conf
index 2d9dddf..fda682d 100644
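Review bot: The new `del_timer_sync(&dev->detect_timer);` only guarantees that r592_detect_timer is not running when the call returns; if r592_irq can still reach mod_timer() between this line and the point where the device's interrupts are disabled or the IRQ is freed, the timer can be re-armed and the use-after-free window is narrowed rather than closed. The remainder of r592_remove lies outside the hunk, so the ordering of this call relative to r592_enable_device(dev, false) and the later free_irq should be confirmed against the full function; on kernels that provide it, timer_shutdown_sync() additionally rejects any later re-arming and would be the more robust choice for a teardown path. The embedded description's reference to hantro_release appears to be carried over from another driver, since the cleanup path being fixed here is r592_remove, and `there may be a unfinished work` should read `there may be an unfinished work`.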
--- a/series.conf
+++ b/series.conf
@@ -19861,6 +19861,7 @@
 patches.suse/mtd-core-fix-nvmem-error-reporting.patch
 patches.suse/mtd-core-fix-error-path-for-nvmem-provider.patch
 patches.suse/mtd-spi-nor-Fix-a-trivial-typo.patch
+ patches.suse/memstick-r592-Fix-UAF-bug-in-r592_remove-due-to-race.patch
 patches.suse/mmc-sdhci-of-esdhc-fix-quirk-to-ignore-command-inhib.patch
 patches.suse/mailbox-zynqmp-Fix-IPI-isr-handling.patch
 patches.suse/mailbox-zynqmp-Fix-typo-in-IPI-documentation.patch