Patch "scsi: message: mptlan: Fix use after free bug in mptlan_remove() due to race condition" has been added to the 5.15-stable tree

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



This is a note to let you know that I've just added the patch titled

    scsi: message: mptlan: Fix use after free bug in mptlan_remove() due to race condition

to the 5.15-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     scsi-message-mptlan-fix-use-after-free-bug-in-mptlan.patch
and it can be found in the queue-5.15 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 0c74ecea34bb987b37464ec1554b838484558eb6
Author: Zheng Wang <zyytlz.wz@xxxxxxx>
Date:   Sat Mar 18 16:16:35 2023 +0800

    scsi: message: mptlan: Fix use after free bug in mptlan_remove() due to race condition
    
    [ Upstream commit f486893288f3e9b171b836f43853a6426515d800 ]
    
    mptlan_probe() calls mpt_register_lan_device() which initializes the
    &priv->post_buckets_task workqueue. A call to
    mpt_lan_wake_post_buckets_task() will subsequently start the work.
    
    During driver unload in mptlan_remove() the following race may occur:
    
    CPU0                  CPU1
    
                        |mpt_lan_post_receive_buckets_work()
    mptlan_remove()     |
      free_netdev()     |
        kfree(dev);     |
                        |
                        | dev->mtu
                        |   //use
    
    Fix this by finishing the work prior to cleaning up in mptlan_remove().
    
    [mkp: we really should remove mptlan instead of attempting to fix it]
    
    Signed-off-by: Zheng Wang <zyytlz.wz@xxxxxxx>
    Link: https://lore.kernel.org/r/20230318081635.796479-1-zyytlz.wz@xxxxxxx
    Signed-off-by: Martin K. Petersen <martin.petersen@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/message/fusion/mptlan.c b/drivers/message/fusion/mptlan.c
index 3261cac762def..ec3ee356078db 100644
--- a/drivers/message/fusion/mptlan.c
+++ b/drivers/message/fusion/mptlan.c
@@ -1427,7 +1427,9 @@ mptlan_remove(struct pci_dev *pdev)
 {
 	MPT_ADAPTER 		*ioc = pci_get_drvdata(pdev);
 	struct net_device	*dev = ioc->netdev;
+	struct mpt_lan_priv *priv = netdev_priv(dev);
 
+	cancel_delayed_work_sync(&priv->post_buckets_task);
 	if(dev != NULL) {
 		unregister_netdev(dev);
 		free_netdev(dev);



[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux