Patch "cxgb4: fix use after free bugs caused by circular dependency problem" has been added to the 6.2-stable tree

This is a note to let you know that I've just added the patch titled

    cxgb4: fix use after free bugs caused by circular dependency problem

to the 6.2-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     cxgb4-fix-use-after-free-bugs-caused-by-circular-dep.patch
and it can be found in the queue-6.2 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit c3682915996077c0d7fa85097fec9ae2da73e8a3
Author: Duoming Zhou <duoming@xxxxxxxxxx>
Date:   Sat Apr 15 16:12:27 2023 +0800

    cxgb4: fix use after free bugs caused by circular dependency problem
    
    [ Upstream commit e50b9b9e8610d47b7c22529443e45a16b1ea3a15 ]
    
    The flower_stats_timer can schedule flower_stats_work and
    flower_stats_work can also arm the flower_stats_timer. The
    process is shown below:
    
    ----------- timer schedules work ------------
    ch_flower_stats_cb() //timer handler
      schedule_work(&adap->flower_stats_work);
    
    ----------- work arms timer ------------
    ch_flower_stats_handler() //workqueue callback function
      mod_timer(&adap->flower_stats_timer, ...);
    
    When the cxgb4 device is detaching, the timer and workqueue
    could still be rearmed. The process is shown below:
    
      (cleanup routine)           | (timer and workqueue routine)
    remove_one()                  |
      free_some_resources()       | ch_flower_stats_cb() //timer
        cxgb4_cleanup_tc_flower() |   schedule_work()
          del_timer_sync()        |
                                  | ch_flower_stats_handler() //workqueue
                                  |   mod_timer()
          cancel_work_sync()      |
      kfree(adapter) //FREE       | ch_flower_stats_cb() //timer
                                  |   adap->flower_stats_work //USE
    
    This patch changes del_timer_sync() to timer_shutdown_sync(),
    which could prevent rearming of the timer from the workqueue.
    
    Fixes: e0f911c81e93 ("cxgb4: fetch stats for offloaded tc flower flows")
    Signed-off-by: Duoming Zhou <duoming@xxxxxxxxxx>
    Link: https://lore.kernel.org/r/20230415081227.7463-1-duoming@xxxxxxxxxx
    Signed-off-by: Paolo Abeni <pabeni@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_tc_flower.c b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_tc_flower.c
index dd9be229819a5..d3541159487dd 100644
--- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_tc_flower.c
+++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_tc_flower.c
@@ -1135,7 +1135,7 @@ void cxgb4_cleanup_tc_flower(struct adapter *adap)
 		return;
 
 	if (adap->flower_stats_timer.function)
-		del_timer_sync(&adap->flower_stats_timer);
+		timer_shutdown_sync(&adap->flower_stats_timer);
 	cancel_work_sync(&adap->flower_stats_work);
 	rhashtable_destroy(&adap->flower_tbl);
 	adap->tc_flower_initialized = false;
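Review bot: the `if (adap->flower_stats_timer.function)` guard just above the changed line now does double duty and deserves a comment: `timer_shutdown_sync()` clears `function`, so a repeated call to `cxgb4_cleanup_tc_flower()` skips the timer, and any `mod_timer()` issued by `ch_flower_stats_handler()` after this point silently does nothing, which is exactly what makes the following `cancel_work_sync()` sufficient to close the cycle described in the commit message. A one-line comment above `timer_shutdown_sync(&adap->flower_stats_timer);` stating that the work handler re-arms the timer, so a plain `del_timer_sync()` cannot stop the loop, would save the next reader a trip to the commit log. For the stable queue itself: `timer_shutdown_sync()` only exists from v6.2, so this applies to queue-6.2 as-is but cannot be picked to older stable trees without a different fix (for example a shutdown flag checked before the `mod_timer()` in the work handler).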


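The following is an added example, not kernel code and not part of the cxgb4 driver or this patch: a user-space model of the timer/work cycle from the commit message, with simplified stand-ins for `mod_timer()`, `del_timer_sync()`, `timer_shutdown_sync()`, `schedule_work()` and `cancel_work_sync()`. The one assumption it encodes is the kernel contract that a shut-down timer has `function == NULL` and refuses re-arming. `cleanup_leaves_timer_armed()` replays the race with either deletion primitive and reports whether the timer is still armed when `kfree(adapter)` would run.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Stand-ins for the kernel objects (assumption: simplified, user-space only). */
struct timer_list {
	void (*function)(struct timer_list *t);
	bool pending;
};

struct work_struct {
	void (*func)(struct work_struct *w);
	bool queued;
};

struct adapter {
	struct timer_list flower_stats_timer;
	struct work_struct flower_stats_work;
	int stats_runs;
};

#define container_of(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))

/* mod_timer(): arms the timer; once shut down (function == NULL) it is a no-op. */
static bool mod_timer(struct timer_list *t)
{
	if (!t->function)
		return false;
	t->pending = true;
	return true;
}

/* del_timer_sync(): deactivates the timer but leaves it re-armable. */
static void del_timer_sync(struct timer_list *t)
{
	t->pending = false;
}

/* timer_shutdown_sync(): deactivates the timer and forbids any later mod_timer(). */
static void timer_shutdown_sync(struct timer_list *t)
{
	t->pending = false;
	t->function = NULL;
}

static void schedule_work(struct work_struct *w) { w->queued = true; }
static void cancel_work_sync(struct work_struct *w) { w->queued = false; }

/* Timer handler, same shape as ch_flower_stats_cb(): schedules the work. */
static void ch_flower_stats_cb(struct timer_list *t)
{
	struct adapter *adap = container_of(t, struct adapter, flower_stats_timer);

	schedule_work(&adap->flower_stats_work);
}

/* Work handler, same shape as ch_flower_stats_handler(): re-arms the timer. */
static void ch_flower_stats_handler(struct work_struct *w)
{
	struct adapter *adap = container_of(w, struct adapter, flower_stats_work);

	adap->stats_runs++;
	mod_timer(&adap->flower_stats_timer);
}

/* Expire a pending timer, or run a queued work item, as the kernel would. */
static void run_timer(struct timer_list *t)
{
	if (t->pending && t->function) {
		t->pending = false;
		t->function(t);
	}
}

static void run_work(struct work_struct *w)
{
	if (w->queued) {
		w->queued = false;
		w->func(w);
	}
}

/* Replays the interleaving from the commit message. Returns true when the
 * timer is still armed after cleanup, i.e. its next expiry would touch the
 * adapter that kfree() is about to release (the use-after-free). */
bool cleanup_leaves_timer_armed(bool use_shutdown)
{
	struct adapter adap = {
		.flower_stats_timer = { .function = ch_flower_stats_cb, .pending = true },
		.flower_stats_work = { .func = ch_flower_stats_handler },
	};

	run_timer(&adap.flower_stats_timer);	/* timer fires, queues the work */

	if (use_shutdown)
		timer_shutdown_sync(&adap.flower_stats_timer);
	else
		del_timer_sync(&adap.flower_stats_timer);

	run_work(&adap.flower_stats_work);	/* work runs, tries to re-arm */
	cancel_work_sync(&adap.flower_stats_work);

	return adap.flower_stats_timer.pending;	/* kfree(adapter) would follow */
}

int main(void)
{
	printf("del_timer_sync:      timer armed after cleanup = %d\n",
	       cleanup_leaves_timer_armed(false));
	printf("timer_shutdown_sync: timer armed after cleanup = %d\n",
	       cleanup_leaves_timer_armed(true));
	return 0;
}
```

With `del_timer_sync()` the work that was already queued re-arms the timer between the two sync calls and the model reports the timer still pending at the point where the real driver frees the adapter; with `timer_shutdown_sync()` the same `mod_timer()` call is refused and nothing remains armed, which is why the single-line change in the hunk is sufficient.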
