From: Greg KH <gregkh@linuxfoundation.org>
To: jianqi.ren.cn@windriver.com
Cc: stable@vger.kernel.org, kxwang23@m.fudan.edu.cn,
alexandre.belloni@bootlin.com, patches@lists.linux.dev,
pgaj@cadence.com, linux-i3c@lists.infradead.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH 6.1.y] i3c: master: cdns: Fix use after free vulnerability in cdns_i3c_master Driver Due to Race Condition
Date: Fri, 3 Jan 2025 15:25:26 +0100 [thread overview]
Message-ID: <2025010340-unearned-snare-fa78@gregkh> (raw)
In-Reply-To: <20250103070420.64714-1-jianqi.ren.cn@windriver.com>
On Fri, Jan 03, 2025 at 03:04:20PM +0800, jianqi.ren.cn@windriver.com wrote:
> From: Kaixin Wang <kxwang23@m.fudan.edu.cn>
>
> [ Upstream commit 609366e7a06d035990df78f1562291c3bf0d4a12 ]
>
> In the cdns_i3c_master_probe function, &master->hj_work is bound with
> cdns_i3c_master_hj. And cdns_i3c_master_interrupt can call
> cnds_i3c_master_demux_ibis function to start the work.
>
> If we remove the module which will call cdns_i3c_master_remove to
> make cleanup, it will free master->base through i3c_master_unregister
> while the work mentioned above will be used. The sequence of operations
> that may lead to a UAF bug is as follows:
>
> CPU0                                     CPU1
>
>                                        | cdns_i3c_master_hj
> cdns_i3c_master_remove                 |
>   i3c_master_unregister(&master->base) |
>     device_unregister(&master->dev)    |
>       device_release                   |
>         //free master->base            |
>                                        | i3c_master_do_daa(&master->base)
>                                        | //use master->base
>
> Fix it by ensuring that the work is canceled before proceeding with
> the cleanup in cdns_i3c_master_remove.
>
> Signed-off-by: Kaixin Wang <kxwang23@m.fudan.edu.cn>
> Link: https://lore.kernel.org/r/20240911153544.848398-1-kxwang23@m.fudan.edu.cn
> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
> Signed-off-by: Jianqi Ren <jianqi.ren.cn@windriver.com>
Wait, why are you all submitting stable patches again? I thought I
asked you to change how you all did this AND discuss it with me after
you came up with a plan on how to move forward.
What happened to all of that? I'm dropping this, and the other
submission you sent as nothing seems to have changed :(
greg k-h
--
linux-i3c mailing list
linux-i3c@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-i3c
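The race in the quoted commit message comes down to ordering in the remove path: a work item queued from the interrupt handler can still run after device_unregister() has released the object it operates on, and the fix is to cancel the work before the object goes away. The following stand-alone C program is an added illustration, not code from the cdns driver or the kernel: it replaces the workqueue with a single-slot, single-threaded model (run_pending_work() stands in for the worker thread getting scheduled), keeps the freed resource as a separately allocated daa_state instead of the real driver's embedded master->base, and records a would-be dereference of freed memory in a tracker rather than performing it. The function names mirror the ones in the commit message; their bodies are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

/* Toy single-slot workqueue: enough to replay the interleaving deterministically. */
struct work_struct {
    void (*func)(struct work_struct *);
    bool queued;
};

static struct work_struct *pending;                 /* the one queued item, if any */

static void INIT_WORK(struct work_struct *w, void (*func)(struct work_struct *))
{
    w->func = func;
    w->queued = false;
}

static void schedule_work(struct work_struct *w)
{
    if (!w->queued) {
        w->queued = true;
        pending = w;
    }
}

static void run_pending_work(void)                  /* worker thread gets CPU time */
{
    struct work_struct *w = pending;
    if (w) {
        pending = NULL;
        w->queued = false;
        w->func(w);
    }
}

static void cancel_work_sync(struct work_struct *w)
{
    /* Dequeue if not yet started; the real call also waits for a running item. */
    if (pending == w) {
        pending = NULL;
        w->queued = false;
    }
}

/* Driver model: only the pieces the race touches. */
struct i3c_master_controller {
    int *daa_state;                                 /* resource freed on unregister */
};

struct cdns_i3c_master {
    struct work_struct hj_work;
    struct i3c_master_controller base;
};

/* Demonstration bookkeeping (never freed): what was released, and whether the
 * work callback later tried to use it. */
static struct {
    void *freed_ptr;
    bool use_after_free;
} track;

static void i3c_master_unregister(struct i3c_master_controller *base)
{
    track.freed_ptr = base->daa_state;
    free(base->daa_state);                          /* device_release in the real path */
}

static void i3c_master_do_daa(struct i3c_master_controller *base)
{
    /* The real code dereferences the state; the model only records a UAF. */
    if (base->daa_state == track.freed_ptr)
        track.use_after_free = true;
    else
        (*base->daa_state)++;
}

static void cdns_i3c_master_hj(struct work_struct *work)
{
    struct cdns_i3c_master *master = container_of(work, struct cdns_i3c_master, hj_work);
    i3c_master_do_daa(&master->base);
}

static struct cdns_i3c_master *cdns_i3c_master_probe(void)
{
    struct cdns_i3c_master *master = calloc(1, sizeof(*master));
    master->base.daa_state = calloc(1, sizeof(int));
    INIT_WORK(&master->hj_work, cdns_i3c_master_hj);
    return master;
}

/* A hot-join IBI arriving through the interrupt handler queues hj_work. */
static void cdns_i3c_master_interrupt(struct cdns_i3c_master *master)
{
    schedule_work(&master->hj_work);
}

static void cdns_i3c_master_remove_before_fix(struct cdns_i3c_master *master)
{
    i3c_master_unregister(&master->base);           /* hj_work still queued */
}

static void cdns_i3c_master_remove_after_fix(struct cdns_i3c_master *master)
{
    cancel_work_sync(&master->hj_work);             /* the fix: cancel first */
    i3c_master_unregister(&master->base);
}

/* Replays the commit message's schedule: IBI queues the work, rmmod runs remove,
 * then the worker runs. Returns true if the work used freed memory. */
static bool replay(void (*remove)(struct cdns_i3c_master *))
{
    memset(&track, 0, sizeof(track));
    pending = NULL;
    struct cdns_i3c_master *master = cdns_i3c_master_probe();

    cdns_i3c_master_interrupt(master);              /* CPU1: hj_work queued */
    remove(master);                                 /* CPU0: remove path */
    run_pending_work();                             /* CPU1: cdns_i3c_master_hj runs */

    bool uaf = track.use_after_free;
    free(master);
    return uaf;
}

int main(void)
{
    printf("before fix: use-after-free = %d\n", replay(cdns_i3c_master_remove_before_fix));
    printf("after fix:  use-after-free = %d\n", replay(cdns_i3c_master_remove_after_fix));
    return 0;
}
```

The model keeps the work item outside the freed allocation so the program itself stays well defined; in the real driver the whole master, work struct included, is released, which is why the work must be cancelled rather than merely made to check a flag. Note also that cancel_work_sync() only closes the window if nothing can queue the work again afterwards, so whatever can still queue it (here, the interrupt path) has to be quiesced as part of the same teardown; this model does not cover that.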
Thread overview (7+ messages):
2025-01-03 7:04 [PATCH 6.1.y] i3c: master: cdns: Fix use after free vulnerability in cdns_i3c_master Driver Due to Race Condition jianqi.ren.cn
2025-01-03 14:24 ` Greg KH
2025-01-03 14:25 ` Greg KH [this message]
-- strict thread matches above, loose matches on Subject: below --
2025-01-06 2:29 jianqi.ren.cn
2025-01-06 7:18 ` Greg KH
2024-12-11 10:11 jianqi.ren.cn
2024-12-10 8:20 jianqi.ren.cn