On Fri, Feb 09, 2024 at 01:43:42PM +0100, Damian Muszynski wrote:
> During the PCI AER system's error recovery process, the kernel driver
> may encounter a race condition with freeing the reset_data structure's
> memory. If the device restart takes more than 10 seconds, the function
> scheduling that restart will exit due to a timeout, and the reset_data
> structure will be freed. However, this data structure is used for
> completion notification after the restart is completed, which leads
> to a UAF bug.
>
> This results in a KFENCE bug notice.
>
> BUG: KFENCE: use-after-free read in adf_device_reset_worker+0x38/0xa0 [intel_qat]
> Use-after-free read at 0x00000000bc56fddf (in kfence-#142):
> adf_device_reset_worker+0x38/0xa0 [intel_qat]
> process_one_work+0x173/0x340
>
> To resolve this race condition, the memory associated with the container
> of the work_struct is freed on the worker if the timeout expired,
> otherwise on the function that schedules the worker.
> The timeout detection can be done by checking whether the caller is
> still waiting for completion or not by using the completion_done() function.
>
> Fixes: d8cba25d2c68 ("crypto: qat - Intel(R) QAT driver framework")
> Cc: <stable@xxxxxxxxxxxxxxx>
> Signed-off-by: Damian Muszynski <damian.muszynski@xxxxxxxxx>
> Reviewed-by: Giovanni Cabiddu <giovanni.cabiddu@xxxxxxxxx>
> ---
>  drivers/crypto/intel/qat/qat_common/adf_aer.c | 22 ++++++++++++++-----
>  1 file changed, 16 insertions(+), 6 deletions(-)

Patch applied.  Thanks.
--
Email: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
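The ownership hand-off the commit message describes (the scheduler frees the container if the restart finished before its timeout, the worker frees it if the scheduler has already given up) can be exercised outside the kernel. The following is an added user-space model written for this page; it is not the qat driver's code or the applied patch. It replaces the kernel's work queue, completion and completion_done() with a pthread, a mutex-protected state field and a condition variable, and the names reset_worker(), schedule_reset_sync(), struct reset_data and the OWNER_*/FREED_BY_* constants are assumptions of the model. The two scenarios in main() (a restart that finishes inside the timeout, and one that outruns it) correspond to the two branches of the fix; in the second scenario the pre-fix behaviour, an unconditional kfree() in the scheduler, would leave the worker touching freed memory, which is exactly the KFENCE report quoted above.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
#include <time.h>

/* Hypothetical user-space model of the reset_data hand-off; not driver code. */
enum owner_state { OWNER_WAITING, OWNER_TIMED_OUT, OWNER_DONE };
enum freed_by { FREED_BY_NOBODY = 0, FREED_BY_SCHEDULER = 1, FREED_BY_WORKER = 2 };

struct reset_data {
    pthread_mutex_t lock;     /* stands in for the completion's internal lock */
    pthread_cond_t done_cv;   /* stands in for complete() / wait_for_completion_timeout() */
    enum owner_state state;   /* decides who must free this block; only read/written under lock */
    unsigned restart_ms;      /* simulated duration of the device restart */
    int *freed_by;            /* out-param so the caller can observe who freed the block */
};

static void sleep_ms(unsigned ms)
{
    struct timespec ts = { ms / 1000, (long)(ms % 1000) * 1000000L };
    nanosleep(&ts, NULL);
}

/* Worker side: the model's counterpart of the device reset work function. */
static void *reset_worker(void *arg)
{
    struct reset_data *rd = arg;
    int *freed_by = rd->freed_by;     /* copy out before rd may be freed */

    sleep_ms(rd->restart_ms);         /* the (possibly slow) device restart */

    pthread_mutex_lock(&rd->lock);
    if (rd->state == OWNER_WAITING) {
        /* Scheduler is still waiting: notify it; it frees rd after waking up. */
        rd->state = OWNER_DONE;
        pthread_cond_signal(&rd->done_cv);
        pthread_mutex_unlock(&rd->lock);
        return NULL;
    }
    /* Scheduler timed out and left; ownership of rd was handed to us.
     * With an unconditional free in the scheduler (the pre-fix behaviour)
     * every access to rd from here on would be a use-after-free. */
    pthread_mutex_unlock(&rd->lock);
    pthread_cond_destroy(&rd->done_cv);
    pthread_mutex_destroy(&rd->lock);
    free(rd);
    *freed_by = FREED_BY_WORKER;
    return NULL;
}

/* Scheduler side in synchronous mode. Returns 0 when the restart finished
 * within timeout_ms (scheduler freed rd), -ETIMEDOUT otherwise (worker owns rd).
 * Joining the worker before returning is a modelling convenience so the
 * outcome is observable; the real scheduler returns as soon as it times out. */
static int schedule_reset_sync(unsigned restart_ms, unsigned timeout_ms, int *freed_by)
{
    struct reset_data *rd = calloc(1, sizeof(*rd));
    pthread_t worker;
    struct timespec deadline;
    int rc = 0, ret;

    if (!rd)
        return -ENOMEM;
    pthread_mutex_init(&rd->lock, NULL);
    pthread_cond_init(&rd->done_cv, NULL);
    rd->state = OWNER_WAITING;
    rd->restart_ms = restart_ms;
    rd->freed_by = freed_by;
    *freed_by = FREED_BY_NOBODY;

    if (pthread_create(&worker, NULL, reset_worker, rd) != 0) {
        free(rd);
        return -EAGAIN;
    }

    clock_gettime(CLOCK_REALTIME, &deadline);
    deadline.tv_sec += timeout_ms / 1000;
    deadline.tv_nsec += (long)(timeout_ms % 1000) * 1000000L;
    if (deadline.tv_nsec >= 1000000000L) {
        deadline.tv_sec++;
        deadline.tv_nsec -= 1000000000L;
    }

    pthread_mutex_lock(&rd->lock);
    while (rd->state == OWNER_WAITING && rc == 0)
        rc = pthread_cond_timedwait(&rd->done_cv, &rd->lock, &deadline);
    if (rd->state == OWNER_WAITING) {
        /* Timeout: do NOT free; record that the worker now owns rd. */
        rd->state = OWNER_TIMED_OUT;
        pthread_mutex_unlock(&rd->lock);
        ret = -ETIMEDOUT;
    } else {
        /* Restart completed in time; the worker will not touch rd again. */
        pthread_mutex_unlock(&rd->lock);
        pthread_cond_destroy(&rd->done_cv);
        pthread_mutex_destroy(&rd->lock);
        free(rd);
        *freed_by = FREED_BY_SCHEDULER;
        ret = 0;
    }
    pthread_join(worker, NULL);
    return ret;
}

int main(void)
{
    int who;
    int r1 = schedule_reset_sync(20, 500, &who);   /* restart beats the timeout */
    printf("fast restart: ret=%d freed_by=%d\n", r1, who);
    int r2 = schedule_reset_sync(300, 50, &who);   /* timeout beats the restart */
    printf("slow restart: ret=%d freed_by=%d\n", r2, who);
    return 0;
}
```

The point the model makes is that the decision "is the caller still waiting?" and the update that records the outcome have to be one atomic step with respect to each other (here both happen under rd->lock); if the worker tests and the caller gives up without that ordering, the two sides can both conclude the other will free, or both free. When mapping this back to the kernel API, note that completion_done() returns true only while a complete() has been posted and not yet consumed (it tests the completion's done counter), so the state each side leaves the completion in is what the other side's check actually observes.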