Patch "net: seeq: Fix use after free vulnerability in ether3 Driver Due to Race Condition" has been added to the 6.1-stable tree

[Sasha Levin <sashal@xxxxxxxxxx>]

This is a note to let you know that I've just added the patch titled

    net: seeq: Fix use after free vulnerability in ether3 Driver Due to Race Condition

to the 6.1-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     net-seeq-fix-use-after-free-vulnerability-in-ether3-.patch
and it can be found in the queue-6.1 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 149c2c8fcabda66d18e805fc1dd08408148d6d26
Author: Kaixin Wang <kxwang23@xxxxxxxxxxxxxx>
Date:   Sun Sep 15 22:40:46 2024 +0800

    net: seeq: Fix use after free vulnerability in ether3 Driver Due to Race Condition
    
    [ Upstream commit b5109b60ee4fcb2f2bb24f589575e10cc5283ad4 ]
    
    In the ether3_probe function, a timer is initialized with a callback
    function ether3_ledoff, bound to &prev(dev)->timer. Once the timer is
    started, there is a risk of a race condition if the module or device
    is removed, triggering the ether3_remove function to perform cleanup.
    The sequence of operations that may lead to a UAF bug is as follows:
    
    CPU0                                    CPU1
    
                          |  ether3_ledoff
    ether3_remove         |
      free_netdev(dev);   |
      put_devic           |
      kfree(dev);         |
     |  ether3_outw(priv(dev)->regs.config2 |= CFG2_CTRLO, REG_CONFIG2);
                          | // use dev
    
    Fix it by ensuring that the timer is canceled before proceeding with
    the cleanup in ether3_remove.
    
    Fixes: 6fd9c53f7186 ("net: seeq: Convert timers to use timer_setup()")
    Signed-off-by: Kaixin Wang <kxwang23@xxxxxxxxxxxxxx>
    Link: https://patch.msgid.link/20240915144045.451-1-kxwang23@xxxxxxxxxxxxxx
    Signed-off-by: Paolo Abeni <pabeni@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/net/ethernet/seeq/ether3.c b/drivers/net/ethernet/seeq/ether3.c
index c672f92d65e97..9319a2675e7b6 100644
--- a/drivers/net/ethernet/seeq/ether3.c
+++ b/drivers/net/ethernet/seeq/ether3.c
@@ -847,9 +847,11 @@ static void ether3_remove(struct expansion_card *ec)
 {
 	struct net_device *dev = ecard_get_drvdata(ec);
 
+	ether3_outw(priv(dev)->regs.config2 |= CFG2_CTRLO, REG_CONFIG2);
 	ecard_set_drvdata(ec, NULL);
 
 	unregister_netdev(dev);
+	del_timer_sync(&priv(dev)->timer);
 	free_netdev(dev);
 	ecard_release_resources(ec);
 }