From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Kaixin Wang <kxwang23@m.fudan.edu.cn>,
Andy Shevchenko <andriy.shevchenko@linux.intel.com>,
Sebastian Reichel <sebastian.reichel@collabora.com>,
Sasha Levin <sashal@kernel.org>,
sre@kernel.org
Subject: [PATCH AUTOSEL 5.10 3/6] HSI: ssi_protocol: Fix use after free vulnerability in ssi_protocol Driver Due to Race Condition
Date: Thu, 3 Apr 2025 20:07:46 -0400 [thread overview]
Message-ID: <20250404000751.2689430-3-sashal@kernel.org> (raw)
In-Reply-To: <20250404000751.2689430-1-sashal@kernel.org>
From: Kaixin Wang <kxwang23@m.fudan.edu.cn>
[ Upstream commit e3f88665a78045fe35c7669d2926b8d97b892c11 ]
In the ssi_protocol_probe() function, &ssi->work is bound with
ssip_xmit_work(), In ssip_pn_setup(), the ssip_pn_xmit() function
within the ssip_pn_ops structure is capable of starting the
work.
If we remove the module which will call ssi_protocol_remove()
to make a cleanup, it will free ssi through kfree(ssi),
while the work mentioned above will be used. The sequence
of operations that may lead to a UAF bug is as follows:
CPU0 CPU1
| ssip_xmit_work
ssi_protocol_remove |
kfree(ssi); |
| struct hsi_client *cl = ssi->cl;
| // use ssi
Fix it by ensuring that the work is canceled before proceeding
with the cleanup in ssi_protocol_remove().
Signed-off-by: Kaixin Wang <kxwang23@m.fudan.edu.cn>
Acked-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Link: https://lore.kernel.org/r/20240918120749.1730-1-kxwang23@m.fudan.edu.cn
Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hsi/clients/ssi_protocol.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/hsi/clients/ssi_protocol.c b/drivers/hsi/clients/ssi_protocol.c
index 96d0eccca3aa7..8f7c4fd100d62 100644
--- a/drivers/hsi/clients/ssi_protocol.c
+++ b/drivers/hsi/clients/ssi_protocol.c
@@ -403,6 +403,7 @@ static void ssip_reset(struct hsi_client *cl)
del_timer(&ssi->rx_wd);
del_timer(&ssi->tx_wd);
del_timer(&ssi->keep_alive);
+ cancel_work_sync(&ssi->work);
ssi->main_state = 0;
ssi->send_state = 0;
ssi->recv_state = 0;
--
2.39.5
next prev parent reply other threads:[~2025-04-04 0:08 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-04-04 0:07 [PATCH AUTOSEL 5.10 1/6] MIPS: cm: Detect CM quirks from device tree Sasha Levin
2025-04-04 0:07 ` [PATCH AUTOSEL 5.10 2/6] crypto: null - Use spin lock instead of mutex Sasha Levin
2025-04-04 0:07 ` Sasha Levin [this message]
2025-04-04 0:07 ` [PATCH AUTOSEL 5.10 4/6] clk: check for disabled clock-provider in of_clk_get_hw_from_clkspec() Sasha Levin
2025-04-04 0:07 ` [PATCH AUTOSEL 5.10 5/6] parisc: PDT: Fix missing prototype warning Sasha Levin
2025-04-04 0:07 ` [PATCH AUTOSEL 5.10 6/6] x86/Kconfig: Make CONFIG_PCI_CNB20LE_QUIRK depend on X86_32 Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250404000751.2689430-3-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=andriy.shevchenko@linux.intel.com \
--cc=kxwang23@m.fudan.edu.cn \
--cc=linux-kernel@vger.kernel.org \
--cc=sebastian.reichel@collabora.com \
--cc=sre@kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.