Patch "aoe: fix the potential use-after-free problem in aoecmd_cfg_pkts" has been added to the 6.6-stable tree

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



This is a note to let you know that I've just added the patch titled

    aoe: fix the potential use-after-free problem in aoecmd_cfg_pkts

to the 6.6-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     aoe-fix-the-potential-use-after-free-problem-in-aoec.patch
and it can be found in the queue-6.6 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit c5c4c1eb2e5ea66bece25bfee85a78416b1dc90d
Author: Chun-Yi Lee <jlee@xxxxxxxx>
Date:   Tue Mar 5 16:20:48 2024 +0800

    aoe: fix the potential use-after-free problem in aoecmd_cfg_pkts
    
    [ Upstream commit f98364e926626c678fb4b9004b75cacf92ff0662 ]
    
    This patch is against CVE-2023-6270. The description of cve is:
    
      A flaw was found in the ATA over Ethernet (AoE) driver in the Linux
      kernel. The aoecmd_cfg_pkts() function improperly updates the refcnt on
      `struct net_device`, and a use-after-free can be triggered by racing
      between the free on the struct and the access through the `skbtxq`
      global queue. This could lead to a denial of service condition or
      potential code execution.
    
    In aoecmd_cfg_pkts(), it always calls dev_put(ifp) when skb initial
    code is finished. But the net_device ifp will still be used in
    later tx()->dev_queue_xmit() in kthread. Which means that the
    dev_put(ifp) should NOT be called in the success path of skb
    initial code in aoecmd_cfg_pkts(). Otherwise tx() may run into
    use-after-free because the net_device is freed.
    
    This patch removed the dev_put(ifp) in the success path in
    aoecmd_cfg_pkts(), and added dev_put() after skb xmit in tx().
    
    Link: https://nvd.nist.gov/vuln/detail/CVE-2023-6270
    Fixes: 7562f876cd93 ("[NET]: Rework dev_base via list_head (v3)")
    Signed-off-by: Chun-Yi Lee <jlee@xxxxxxxx>
    Link: https://lore.kernel.org/r/20240305082048.25526-1-jlee@xxxxxxxx
    Signed-off-by: Jens Axboe <axboe@xxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/block/aoe/aoecmd.c b/drivers/block/aoe/aoecmd.c
index d7317425be510..cc9077b588d7e 100644
--- a/drivers/block/aoe/aoecmd.c
+++ b/drivers/block/aoe/aoecmd.c
@@ -419,13 +419,16 @@ aoecmd_cfg_pkts(ushort aoemajor, unsigned char aoeminor, struct sk_buff_head *qu
 	rcu_read_lock();
 	for_each_netdev_rcu(&init_net, ifp) {
 		dev_hold(ifp);
-		if (!is_aoe_netif(ifp))
-			goto cont;
+		if (!is_aoe_netif(ifp)) {
+			dev_put(ifp);
+			continue;
+		}
 
 		skb = new_skb(sizeof *h + sizeof *ch);
 		if (skb == NULL) {
 			printk(KERN_INFO "aoe: skb alloc failure\n");
-			goto cont;
+			dev_put(ifp);
+			continue;
 		}
 		skb_put(skb, sizeof *h + sizeof *ch);
 		skb->dev = ifp;
@@ -440,9 +443,6 @@ aoecmd_cfg_pkts(ushort aoemajor, unsigned char aoeminor, struct sk_buff_head *qu
 		h->major = cpu_to_be16(aoemajor);
 		h->minor = aoeminor;
 		h->cmd = AOECMD_CFG;
-
-cont:
-		dev_put(ifp);
 	}
 	rcu_read_unlock();
 }
diff --git a/drivers/block/aoe/aoenet.c b/drivers/block/aoe/aoenet.c
index 63773a90581dd..1e66c7a188a12 100644
--- a/drivers/block/aoe/aoenet.c
+++ b/drivers/block/aoe/aoenet.c
@@ -64,6 +64,7 @@ tx(int id) __must_hold(&txlock)
 			pr_warn("aoe: packet could not be sent on %s.  %s\n",
 				ifp ? ifp->name : "netif",
 				"consider increasing tx_queue_len");
+		dev_put(ifp);
 		spin_lock_irq(&txlock);
 	}
 	return 0;




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux