Date: Mon, 2 Sep 2024 10:23:07 +0100
From: "Russell King (Oracle)"
To: Wentai Deng
Cc: davem, edumazet, kuba, pabeni, linux-arm-kernel, netdev, linux-kernel, 杜雪盈 <21210240012@m.fudan.edu.cn>
Subject: Re: [BUG] Possible Use-After-Free Vulnerability in ether3 Driver Due to Race Condition

On Mon, Sep 02, 2024 at 01:19:43PM +0800, Wentai Deng wrote:
> In the ether3_probe function, a timer is initialized with a callback function ether3_ledoff,
> bound to &prev(dev)->timer. Once the timer is started, there is a risk of a race condition if
> the module or device is removed, triggering the ether3_remove function to perform cleanup.
> The sequence of operations that may lead to a UAF bug is as follows:
>
> CPU0                            CPU1
>                             |   ether3_ledoff
> ether3_remove               |
>     free_netdev(dev);       |
>     put_device              |
>     kfree(dev);             |
>                             |       ether3_outw(priv(dev)->regs.config2 |= CFG2_CTRLO, REG_CONFIG2);
>                             |       // use dev

This is unreadable.

> Request for Review:
>
> We would appreciate your expert insight to confirm whether this vulnerability indeed poses a
> risk to the system, and if the proposed fix is appropriate.

Please resend without the HTML junk in the plain text part.

-- 
*** please note that I probably will only be occasionally responsive
*** for an unknown period of time due to recent eye surgery making
*** reading quite difficult.

RMK's Patch system: https://www.armlinux.org.uk/developer/patches/
FTTP is here! 80Mbps down 10Mbps up. Decent connectivity at last!
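The interleaving quoted in the report, replayed as an added userspace model (constructed here; it is neither the ether3 driver's code nor the reporter's proposed fix, which this message does not include). CPU1 is already inside ether3_ledoff when CPU0 runs ether3_remove; del_timer, del_timer_sync and free_netdev are stand-ins for the kernel APIs, and a `freed` flag stands in for kfree(), so the model shows why only the waiting variant closes the window.

```c
/* Constructed stand-ins for the objects named in the report; not the driver's code. */
struct ether3_priv { unsigned int config2; };
struct net_device { struct ether3_priv *priv_storage; int freed; };
#define CFG2_CTRLO 0x04
static struct ether3_priv *priv(struct net_device *dev) { return dev->priv_storage; }

/* Minimal timer model: 'running' means the callback is executing on another CPU. */
struct timer_list { struct net_device *dev; int pending, running, uaf; };

/* CPU1 resumes ether3_ledoff after being preempted: it still holds 'dev'. */
static void ledoff_finish(struct timer_list *t)
{
    if (!t->running) return;
    if (t->dev->freed) t->uaf = 1;                /* would read freed memory */
    else priv(t->dev)->config2 |= CFG2_CTRLO;     /* ether3_outw(..., REG_CONFIG2) */
    t->running = 0;
}

static void free_netdev(struct net_device *dev) { dev->freed = 1; } /* put_device -> kfree */
static void del_timer(struct timer_list *t) { t->pending = 0; }     /* disarms, does not wait */
static void del_timer_sync(struct timer_list *t)                    /* disarms and waits */
{
    t->pending = 0;
    ledoff_finish(t);   /* the wait: the callback already on CPU1 runs to completion */
}

/* Teardown as in the report: a callback still on CPU1 can dereference dev afterwards. */
static void ether3_remove_racy(struct net_device *dev, struct timer_list *t)
{ del_timer(t); free_netdev(dev); }

/* Hardened order: callback drained before the device is freed (kernels with
 * timer_shutdown_sync() can use it here to also refuse later re-arming). */
static void ether3_remove_safe(struct net_device *dev, struct timer_list *t)
{ del_timer_sync(t); free_netdev(dev); }

/* Replays the report's schedule; returns 1 if the callback touched freed memory. */
int replay(void (*remove_fn)(struct net_device *, struct timer_list *))
{
    struct ether3_priv storage = { 0 };
    struct net_device dev = { &storage, 0 };
    struct timer_list t = { &dev, 0, 1, 0 };   /* CPU1 already inside ether3_ledoff */
    remove_fn(&dev, &t);                       /* CPU0: ether3_remove */
    ledoff_finish(&t);                         /* CPU1 resumes, unless already drained */
    return t.uaf;
}
```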