Patch "9p/xen : Fix use after free bug in xen_9pfs_front_remove due to race condition" has been added to the 6.1-stable tree

This is a note to let you know that I've just added the patch titled

    9p/xen : Fix use after free bug in xen_9pfs_front_remove due to race condition

to the 6.1-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     9p-xen-fix-use-after-free-bug-in-xen_9pfs_front_remo.patch
and it can be found in the queue-6.1 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 0805c7c8aa041cda7c9e04d4638b161d9e563fd7
Author: Zheng Wang <zyytlz.wz@xxxxxxx>
Date:   Mon Mar 13 22:43:25 2023 +0800

    9p/xen : Fix use after free bug in xen_9pfs_front_remove due to race condition
    
    [ Upstream commit ea4f1009408efb4989a0f139b70fb338e7f687d0 ]
    
    In xen_9pfs_front_probe, it calls xen_9pfs_front_alloc_dataring
    to init priv->rings and bind &ring->work to p9_xen_response.
    
    When it calls xen_9pfs_front_event_handler to handle IRQ requests,
    it will finally call schedule_work to start the work.
    
    When we call xen_9pfs_front_remove to remove the driver, there
    may be a sequence as follows:
    
    Fix it by finishing the work before cleanup in xen_9pfs_front_free.
    
    Note that this bug was found by static analysis, which might be
    a false positive.
    
    CPU0                  CPU1
    
                         |p9_xen_response
    xen_9pfs_front_remove|
      xen_9pfs_front_free|
    kfree(priv)          |
    //free priv          |
                         |p9_tag_lookup
                         |//use priv->client
    
    Fixes: 71ebd71921e4 ("xen/9pfs: connect to the backend")
    Signed-off-by: Zheng Wang <zyytlz.wz@xxxxxxx>
    Reviewed-by: Michal Swiatkowski <michal.swiatkowski@xxxxxxxxxxxxxxx>
    Signed-off-by: Eric Van Hensbergen <ericvh@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/net/9p/trans_xen.c b/net/9p/trans_xen.c
index 75c03a82baf38..68027e4fb4216 100644
--- a/net/9p/trans_xen.c
+++ b/net/9p/trans_xen.c
@@ -278,6 +278,10 @@ static void xen_9pfs_front_free(struct xen_9pfs_front_priv *priv)
 	write_unlock(&xen_9pfs_lock);
 
 	for (i = 0; i < priv->num_rings; i++) {
+		struct xen_9pfs_dataring *ring = &priv->rings[i];
+
+		cancel_work_sync(&ring->work);
+
 		if (!priv->rings[i].intf)
 			break;
 		if (priv->rings[i].irq > 0)
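Review bot: cancel_work_sync(&ring->work) is placed before the `if (!priv->rings[i].intf) break;` check, so it also runs for rings that were never fully set up; whether ring->work has been through INIT_WORK for such entries is not visible in this hunk, so either confirm that xen_9pfs_front_alloc_dataring initializes the work for every ring before any failure path can leave intf NULL, or move the cancel_work_sync below the intf check where the ring is known to be initialized. Placing it after write_unlock(&xen_9pfs_lock) is right, since cancel_work_sync may sleep while waiting for a running p9_xen_response to finish. Minor: now that `ring` exists, the remaining priv->rings[i].intf and priv->rings[i].irq accesses in the loop could use it for consistency.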

