* [PATCH 6.1.y] i3c: master: cdns: Fix use after free vulnerability in cdns_i3c_master Driver Due to Race Condition
From: jianqi.ren.cn @ 2024-12-10 8:20 UTC
To: gregkh, kxwang23; +Cc: pgaj, alexandre.belloni, linux-i3c, linux-kernel, stable
From: Kaixin Wang <kxwang23@m.fudan.edu.cn>
[ Upstream commit 609366e7a06d035990df78f1562291c3bf0d4a12 ]
In the cdns_i3c_master_probe function, &master->hj_work is bound to
cdns_i3c_master_hj, and cdns_i3c_master_interrupt can call the
cnds_i3c_master_demux_ibis function to start the work.

If we remove the module, which calls cdns_i3c_master_remove to do the
cleanup, it will free master->base through i3c_master_unregister while
the work mentioned above is still using it. The sequence of operations
that may lead to a UAF bug is as follows:

CPU0                                       CPU1
                                           | cdns_i3c_master_hj
cdns_i3c_master_remove                     |
  i3c_master_unregister(&master->base)     |
    device_unregister(&master->dev)        |
      device_release                       |
        //free master->base                |
                                           | i3c_master_do_daa(&master->base)
                                           | //use master->base

Fix it by ensuring that the work is canceled before proceeding with
the cleanup in cdns_i3c_master_remove.
Signed-off-by: Kaixin Wang <kxwang23@m.fudan.edu.cn>
Link: https://lore.kernel.org/r/20240911153544.848398-1-kxwang23@m.fudan.edu.cn
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Jianqi Ren <jianqi.ren.cn@windriver.com>
---
drivers/i3c/master/i3c-master-cdns.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/i3c/master/i3c-master-cdns.c b/drivers/i3c/master/i3c-master-cdns.c
index b9cfda6ae9ae..4473c0b1ae2e 100644
--- a/drivers/i3c/master/i3c-master-cdns.c
+++ b/drivers/i3c/master/i3c-master-cdns.c
@@ -1668,6 +1668,7 @@ static int cdns_i3c_master_remove(struct platform_device *pdev)
struct cdns_i3c_master *master = platform_get_drvdata(pdev);
int ret;
+ cancel_work_sync(&master->hj_work);
ret = i3c_master_unregister(&master->base);
if (ret)
return ret;
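Review bot: cancel_work_sync() drains a hot-join work that is already queued or running, but nothing in this hunk stops the interrupt path that queues it (cdns_i3c_master_interrupt -> cnds_i3c_master_demux_ibis, per the commit message), so an IBI arriving between `cancel_work_sync(&master->hj_work);` and `ret = i3c_master_unregister(&master->base);` can queue hj_work again against a master that unregister is about to release. Worth confirming that the controller's hot-join interrupt is masked before this point, or masking it here first, and a one-line comment stating that hj_work dereferences master->base and must be drained before unregister frees it would explain the ordering to the next reader.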
--
2.25.1
* Re: [PATCH 6.1.y] i3c: master: cdns: Fix use after free vulnerability in cdns_i3c_master Driver Due to Race Condition
From: Sasha Levin @ 2024-12-10 19:24 UTC
To: stable; +Cc: jianqi.ren.cn, Sasha Levin
[ Sasha's backport helper bot ]
Hi,
The upstream commit SHA1 provided is correct: 609366e7a06d035990df78f1562291c3bf0d4a12
WARNING: Author mismatch between patch and upstream commit:
Backport author: <jianqi.ren.cn@windriver.com>
Commit author: Kaixin Wang <kxwang23@m.fudan.edu.cn>
Status in newer kernel trees:
6.12.y | Present (exact SHA1)
6.6.y | Present (different SHA1: ea0256e393e0)
6.1.y | Not found
Note: The patch differs from the upstream commit:
---
1: 609366e7a06d0 < -: ------------- i3c: master: cdns: Fix use after free vulnerability in cdns_i3c_master Driver Due to Race Condition
-: ------------- > 1: 4827cea76d760 i3c: master: cdns: Fix use after free vulnerability in cdns_i3c_master Driver Due to Race Condition
---
Results of testing on various branches:
| Branch | Patch Apply | Build Test |
|---------------------------|-------------|------------|
| stable/linux-6.1.y | Success | Success |
* [PATCH 6.1.y] i3c: master: cdns: Fix use after free vulnerability in cdns_i3c_master Driver Due to Race Condition
From: jianqi.ren.cn @ 2024-12-11 10:11 UTC
To: kxwang23, gregkh
Cc: alexandre.belloni, patches, pgaj, linux-i3c, linux-kernel, stable
From: Kaixin Wang <kxwang23@m.fudan.edu.cn>
[ Upstream commit 609366e7a06d035990df78f1562291c3bf0d4a12 ]
In the cdns_i3c_master_probe function, &master->hj_work is bound to
cdns_i3c_master_hj, and cdns_i3c_master_interrupt can call the
cnds_i3c_master_demux_ibis function to start the work.

If we remove the module, which calls cdns_i3c_master_remove to do the
cleanup, it will free master->base through i3c_master_unregister while
the work mentioned above is still using it. The sequence of operations
that may lead to a UAF bug is as follows:

CPU0                                       CPU1
                                           | cdns_i3c_master_hj
cdns_i3c_master_remove                     |
  i3c_master_unregister(&master->base)     |
    device_unregister(&master->dev)        |
      device_release                       |
        //free master->base                |
                                           | i3c_master_do_daa(&master->base)
                                           | //use master->base

Fix it by ensuring that the work is canceled before proceeding with
the cleanup in cdns_i3c_master_remove.
Signed-off-by: Kaixin Wang <kxwang23@m.fudan.edu.cn>
Link: https://lore.kernel.org/r/20240911153544.848398-1-kxwang23@m.fudan.edu.cn
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Jianqi Ren <jianqi.ren.cn@windriver.com>
---
drivers/i3c/master/i3c-master-cdns.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/i3c/master/i3c-master-cdns.c b/drivers/i3c/master/i3c-master-cdns.c
index b9cfda6ae9ae..4473c0b1ae2e 100644
--- a/drivers/i3c/master/i3c-master-cdns.c
+++ b/drivers/i3c/master/i3c-master-cdns.c
@@ -1668,6 +1668,7 @@ static int cdns_i3c_master_remove(struct platform_device *pdev)
struct cdns_i3c_master *master = platform_get_drvdata(pdev);
int ret;
+ cancel_work_sync(&master->hj_work);
ret = i3c_master_unregister(&master->base);
if (ret)
return ret;
--
2.25.1
* Re: [PATCH 6.1.y] i3c: master: cdns: Fix use after free vulnerability in cdns_i3c_master Driver Due to Race Condition
From: Sasha Levin @ 2024-12-11 16:32 UTC
To: stable; +Cc: jianqi.ren.cn, Sasha Levin
[ Sasha's backport helper bot ]
Hi,
The upstream commit SHA1 provided is correct: 609366e7a06d035990df78f1562291c3bf0d4a12
WARNING: Author mismatch between patch and upstream commit:
Backport author: <jianqi.ren.cn@windriver.com>
Commit author: Kaixin Wang <kxwang23@m.fudan.edu.cn>
Status in newer kernel trees:
6.12.y | Present (exact SHA1)
6.6.y | Present (different SHA1: ea0256e393e0)
6.1.y | Not found
Note: The patch differs from the upstream commit:
---
1: 609366e7a06d0 < -: ------------- i3c: master: cdns: Fix use after free vulnerability in cdns_i3c_master Driver Due to Race Condition
-: ------------- > 1: 60a42e2236b35 i3c: master: cdns: Fix use after free vulnerability in cdns_i3c_master Driver Due to Race Condition
---
Results of testing on various branches:
| Branch | Patch Apply | Build Test |
|---------------------------|-------------|------------|
| stable/linux-6.1.y | Success | Success |
* [PATCH 6.1.y] i3c: master: cdns: Fix use after free vulnerability in cdns_i3c_master Driver Due to Race Condition
From: jianqi.ren.cn @ 2025-01-03 7:04 UTC
To: stable
Cc: kxwang23, alexandre.belloni, patches, pgaj, linux-i3c,
linux-kernel, gregkh
From: Kaixin Wang <kxwang23@m.fudan.edu.cn>
[ Upstream commit 609366e7a06d035990df78f1562291c3bf0d4a12 ]
In the cdns_i3c_master_probe function, &master->hj_work is bound to
cdns_i3c_master_hj, and cdns_i3c_master_interrupt can call the
cnds_i3c_master_demux_ibis function to start the work.

If we remove the module, which calls cdns_i3c_master_remove to do the
cleanup, it will free master->base through i3c_master_unregister while
the work mentioned above is still using it. The sequence of operations
that may lead to a UAF bug is as follows:

CPU0                                       CPU1
                                           | cdns_i3c_master_hj
cdns_i3c_master_remove                     |
  i3c_master_unregister(&master->base)     |
    device_unregister(&master->dev)        |
      device_release                       |
        //free master->base                |
                                           | i3c_master_do_daa(&master->base)
                                           | //use master->base

Fix it by ensuring that the work is canceled before proceeding with
the cleanup in cdns_i3c_master_remove.
Signed-off-by: Kaixin Wang <kxwang23@m.fudan.edu.cn>
Link: https://lore.kernel.org/r/20240911153544.848398-1-kxwang23@m.fudan.edu.cn
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Jianqi Ren <jianqi.ren.cn@windriver.com>
---
drivers/i3c/master/i3c-master-cdns.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/i3c/master/i3c-master-cdns.c b/drivers/i3c/master/i3c-master-cdns.c
index b9cfda6ae9ae..4473c0b1ae2e 100644
--- a/drivers/i3c/master/i3c-master-cdns.c
+++ b/drivers/i3c/master/i3c-master-cdns.c
@@ -1668,6 +1668,7 @@ static int cdns_i3c_master_remove(struct platform_device *pdev)
struct cdns_i3c_master *master = platform_get_drvdata(pdev);
int ret;
+ cancel_work_sync(&master->hj_work);
ret = i3c_master_unregister(&master->base);
if (ret)
return ret;
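Review bot: the context lines here, `int ret;` followed by `ret = i3c_master_unregister(&master->base);` at base index b9cfda6ae9ae, are the same as in the two earlier submissions and no longer match stable/linux-6.1.y at the time of this posting (Greg's reply and the helper bot both report that it fails to apply); the later resubmission in this thread at index 35b90bb686ad shows 6.1.y's cdns_i3c_master_remove() calling i3c_master_unregister() without capturing a return value. Regenerate the hunk against the current 6.1.y tree instead of reposting the earlier diff.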
--
2.25.1
* Re: [PATCH 6.1.y] i3c: master: cdns: Fix use after free vulnerability in cdns_i3c_master Driver Due to Race Condition
From: Greg KH @ 2025-01-03 14:24 UTC
To: jianqi.ren.cn
Cc: stable, kxwang23, alexandre.belloni, patches, pgaj, linux-i3c,
linux-kernel
On Fri, Jan 03, 2025 at 03:04:20PM +0800, jianqi.ren.cn@windriver.com wrote:
> From: Kaixin Wang <kxwang23@m.fudan.edu.cn>
>
> [ Upstream commit 609366e7a06d035990df78f1562291c3bf0d4a12 ]
>
> In the cdns_i3c_master_probe function, &master->hj_work is bound to
> cdns_i3c_master_hj, and cdns_i3c_master_interrupt can call the
> cnds_i3c_master_demux_ibis function to start the work.
>
> If we remove the module, which calls cdns_i3c_master_remove to do the
> cleanup, it will free master->base through i3c_master_unregister while
> the work mentioned above is still using it. The sequence of operations
> that may lead to a UAF bug is as follows:
>
> CPU0                                       CPU1
>                                            | cdns_i3c_master_hj
> cdns_i3c_master_remove                     |
>   i3c_master_unregister(&master->base)     |
>     device_unregister(&master->dev)        |
>       device_release                       |
>         //free master->base                |
>                                            | i3c_master_do_daa(&master->base)
>                                            | //use master->base
>
> Fix it by ensuring that the work is canceled before proceeding with
> the cleanup in cdns_i3c_master_remove.
>
> Signed-off-by: Kaixin Wang <kxwang23@m.fudan.edu.cn>
> Link: https://lore.kernel.org/r/20240911153544.848398-1-kxwang23@m.fudan.edu.cn
> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
> Signed-off-by: Jianqi Ren <jianqi.ren.cn@windriver.com>
> ---
> drivers/i3c/master/i3c-master-cdns.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/drivers/i3c/master/i3c-master-cdns.c b/drivers/i3c/master/i3c-master-cdns.c
> index b9cfda6ae9ae..4473c0b1ae2e 100644
> --- a/drivers/i3c/master/i3c-master-cdns.c
> +++ b/drivers/i3c/master/i3c-master-cdns.c
> @@ -1668,6 +1668,7 @@ static int cdns_i3c_master_remove(struct platform_device *pdev)
> struct cdns_i3c_master *master = platform_get_drvdata(pdev);
> int ret;
>
> + cancel_work_sync(&master->hj_work);
> ret = i3c_master_unregister(&master->base);
> if (ret)
> return ret;
> --
> 2.25.1
>
>
Does not apply to 6.1.y :(
* Re: [PATCH 6.1.y] i3c: master: cdns: Fix use after free vulnerability in cdns_i3c_master Driver Due to Race Condition
From: Greg KH @ 2025-01-03 14:25 UTC
To: jianqi.ren.cn
Cc: stable, kxwang23, alexandre.belloni, patches, pgaj, linux-i3c,
linux-kernel
On Fri, Jan 03, 2025 at 03:04:20PM +0800, jianqi.ren.cn@windriver.com wrote:
> From: Kaixin Wang <kxwang23@m.fudan.edu.cn>
>
> [ Upstream commit 609366e7a06d035990df78f1562291c3bf0d4a12 ]
>
> In the cdns_i3c_master_probe function, &master->hj_work is bound to
> cdns_i3c_master_hj, and cdns_i3c_master_interrupt can call the
> cnds_i3c_master_demux_ibis function to start the work.
>
> If we remove the module, which calls cdns_i3c_master_remove to do the
> cleanup, it will free master->base through i3c_master_unregister while
> the work mentioned above is still using it. The sequence of operations
> that may lead to a UAF bug is as follows:
>
> CPU0                                       CPU1
>                                            | cdns_i3c_master_hj
> cdns_i3c_master_remove                     |
>   i3c_master_unregister(&master->base)     |
>     device_unregister(&master->dev)        |
>       device_release                       |
>         //free master->base                |
>                                            | i3c_master_do_daa(&master->base)
>                                            | //use master->base
>
> Fix it by ensuring that the work is canceled before proceeding with
> the cleanup in cdns_i3c_master_remove.
>
> Signed-off-by: Kaixin Wang <kxwang23@m.fudan.edu.cn>
> Link: https://lore.kernel.org/r/20240911153544.848398-1-kxwang23@m.fudan.edu.cn
> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
> Signed-off-by: Jianqi Ren <jianqi.ren.cn@windriver.com>
Wait, why are you all submitting stable patches again? I thought I
asked you to change how you all did this AND discuss it with me after
you came up with a plan on how to move forward.
What happened to all of that? I'm dropping this, and the other
submission you sent as nothing seems to have changed :(
greg k-h
* Re: [PATCH 6.1.y] i3c: master: cdns: Fix use after free vulnerability in cdns_i3c_master Driver Due to Race Condition
From: Sasha Levin @ 2025-01-03 14:55 UTC
To: stable; +Cc: jianqi.ren.cn, Sasha Levin
[ Sasha's backport helper bot ]
Hi,
The upstream commit SHA1 provided is correct: 609366e7a06d035990df78f1562291c3bf0d4a12
WARNING: Author mismatch between patch and upstream commit:
Backport author: <jianqi.ren.cn@windriver.com>
Commit author: Kaixin Wang <kxwang23@m.fudan.edu.cn>
Status in newer kernel trees:
6.12.y | Present (exact SHA1)
6.6.y | Present (different SHA1: ea0256e393e0)
6.1.y | Not found
Note: The patch differs from the upstream commit:
---
Failed to apply patch cleanly.
---
Results of testing on various branches:
| Branch | Patch Apply | Build Test |
|---------------------------|-------------|------------|
| stable/linux-6.1.y | Failed | N/A |
* [PATCH 6.1.y] i3c: master: cdns: Fix use after free vulnerability in cdns_i3c_master Driver Due to Race Condition
From: jianqi.ren.cn @ 2025-01-06 2:29 UTC
To: stable
Cc: kxwang23, alexandre.belloni, patches, pgaj, linux-i3c,
linux-kernel, gregkh
From: Kaixin Wang <kxwang23@m.fudan.edu.cn>
[ Upstream commit 609366e7a06d035990df78f1562291c3bf0d4a12 ]
In the cdns_i3c_master_probe function, &master->hj_work is bound to
cdns_i3c_master_hj, and cdns_i3c_master_interrupt can call the
cnds_i3c_master_demux_ibis function to start the work.

If we remove the module, which calls cdns_i3c_master_remove to do the
cleanup, it will free master->base through i3c_master_unregister while
the work mentioned above is still using it. The sequence of operations
that may lead to a UAF bug is as follows:

CPU0                                       CPU1
                                           | cdns_i3c_master_hj
cdns_i3c_master_remove                     |
  i3c_master_unregister(&master->base)     |
    device_unregister(&master->dev)        |
      device_release                       |
        //free master->base                |
                                           | i3c_master_do_daa(&master->base)
                                           | //use master->base

Fix it by ensuring that the work is canceled before proceeding with
the cleanup in cdns_i3c_master_remove.
Signed-off-by: Kaixin Wang <kxwang23@m.fudan.edu.cn>
Link: https://lore.kernel.org/r/20240911153544.848398-1-kxwang23@m.fudan.edu.cn
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Jianqi Ren <jianqi.ren.cn@windriver.com>
---
drivers/i3c/master/i3c-master-cdns.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/i3c/master/i3c-master-cdns.c b/drivers/i3c/master/i3c-master-cdns.c
index 35b90bb686ad..c5a37f58079a 100644
--- a/drivers/i3c/master/i3c-master-cdns.c
+++ b/drivers/i3c/master/i3c-master-cdns.c
@@ -1667,6 +1667,7 @@ static int cdns_i3c_master_remove(struct platform_device *pdev)
{
struct cdns_i3c_master *master = platform_get_drvdata(pdev);
+ cancel_work_sync(&master->hj_work);
i3c_master_unregister(&master->base);
clk_disable_unprepare(master->sysclk);
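Review bot: with `i3c_master_unregister(&master->base);` called here without a return value, nothing in the function records why `cancel_work_sync(&master->hj_work);` has to come first; a short comment saying that hj_work dereferences master->base and must be drained before unregister frees it would stop a later cleanup from reordering the two. The interrupt that queues hj_work is still live at this point, so also check that the hot-join source is masked before the cancel, otherwise the work can be requeued in the window before unregister.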
--
2.25.1
* Re: [PATCH 6.1.y] i3c: master: cdns: Fix use after free vulnerability in cdns_i3c_master Driver Due to Race Condition
From: Greg KH @ 2025-01-06 7:18 UTC
To: jianqi.ren.cn
Cc: stable, kxwang23, alexandre.belloni, patches, pgaj, linux-i3c,
linux-kernel
On Mon, Jan 06, 2025 at 10:29:39AM +0800, jianqi.ren.cn@windriver.com wrote:
> From: Kaixin Wang <kxwang23@m.fudan.edu.cn>
>
> [ Upstream commit 609366e7a06d035990df78f1562291c3bf0d4a12 ]
Again, sorry, but no, I will not take any more stable backports from
your company at this point in time. Please go tell your managers this
as somehow the previous emails from me seem to have been ignored.
greg k-h