Patch "i3c: master: cdns: Fix use after free vulnerability in cdns_i3c_master Driver Due to Race Condition" has been added to the 6.6-stable tree


This is a note to let you know that I've just added the patch titled

    i3c: master: cdns: Fix use after free vulnerability in cdns_i3c_master Driver Due to Race Condition

to the 6.6-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     i3c-master-cdns-fix-use-after-free-vulnerability-in-.patch
and it can be found in the queue-6.6 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit ef8b13097e68ed986151663c7ad5fc6656cb9d02
Author: Kaixin Wang <kxwang23@xxxxxxxxxxxxxx>
Date:   Wed Sep 11 23:35:44 2024 +0800

    i3c: master: cdns: Fix use after free vulnerability in cdns_i3c_master Driver Due to Race Condition
    
    [ Upstream commit 609366e7a06d035990df78f1562291c3bf0d4a12 ]
    
    In the cdns_i3c_master_probe function, &master->hj_work is bound with
    cdns_i3c_master_hj. And cdns_i3c_master_interrupt can call
    cnds_i3c_master_demux_ibis function to start the work.
    
    If we remove the module, which will call cdns_i3c_master_remove to
    perform cleanup, it will free master->base through i3c_master_unregister
    while the work mentioned above is still using it. The sequence of
    operations that may lead to a UAF bug is as follows:
    
    CPU0                                      CPU1
    
                                         | cdns_i3c_master_hj
    cdns_i3c_master_remove               |
    i3c_master_unregister(&master->base) |
    device_unregister(&master->dev)      |
    device_release                       |
    //free master->base                  |
                                         | i3c_master_do_daa(&master->base)
                                         | //use master->base
    
    Fix it by ensuring that the work is canceled before proceeding with
    the cleanup in cdns_i3c_master_remove.
    
    Signed-off-by: Kaixin Wang <kxwang23@xxxxxxxxxxxxxx>
    Link: https://lore.kernel.org/r/20240911153544.848398-1-kxwang23@xxxxxxxxxxxxxx
    Signed-off-by: Alexandre Belloni <alexandre.belloni@xxxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/i3c/master/i3c-master-cdns.c b/drivers/i3c/master/i3c-master-cdns.c
index fa5aaaf446181..d8426847c2837 100644
--- a/drivers/i3c/master/i3c-master-cdns.c
+++ b/drivers/i3c/master/i3c-master-cdns.c
@@ -1666,6 +1666,7 @@ static void cdns_i3c_master_remove(struct platform_device *pdev)
 {
 	struct cdns_i3c_master *master = platform_get_drvdata(pdev);
 
+	cancel_work_sync(&master->hj_work);
 	i3c_master_unregister(&master->base);
 
 	clk_disable_unprepare(master->sysclk);
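Review bot: cancel_work_sync() only guarantees that hj_work is neither pending nor running at the moment it returns; it does not stop the work from being queued again afterwards. The commit message says the interrupt handler (via the demux_ibis path) is what schedules hj_work, and this hunk shows nothing that masks the hot-join interrupt or frees the IRQ before the `cancel_work_sync(&master->hj_work);` line, so a hot-join event arriving between the cancel and the `i3c_master_unregister(&master->base);` call can requeue the work and reopen the same use-after-free window. Please confirm that the interrupt source is disabled (or the IRQ already released) earlier in cdns_i3c_master_remove, and if it is not, disable it before the cancel; the ordering "stop the producer, then cancel synchronously, then tear down" is what makes the cancel sufficient. A one-line comment above the cancel explaining why it must precede i3c_master_unregister would also help the next reader.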



