diff options
author | Chun-Yi Lee <jlee@suse.com> | 2024-03-05 16:20:48 +0800 |
---|---|---|
committer | Sasha Levin <sashal@kernel.org> | 2024-03-26 18:22:34 -0400 |
commit | ad80c34944d7175fa1f5c7a55066020002921a99 (patch) | |
tree | 1a6641051a8a12f6479b3177016fd27371c26330 /scripts/faddr2line | |
parent | 8eea2ea62b459cebffd20d5d5121becbec838291 (diff) | |
download | linux-stable-ad80c34944d7175fa1f5c7a55066020002921a99.tar.gz linux-stable-ad80c34944d7175fa1f5c7a55066020002921a99.tar.bz2 linux-stable-ad80c34944d7175fa1f5c7a55066020002921a99.zip |
aoe: fix the potential use-after-free problem in aoecmd_cfg_pkts
[ Upstream commit f98364e926626c678fb4b9004b75cacf92ff0662 ]
This patch is against CVE-2023-6270. The description of cve is:
A flaw was found in the ATA over Ethernet (AoE) driver in the Linux
kernel. The aoecmd_cfg_pkts() function improperly updates the refcnt on
`struct net_device`, and a use-after-free can be triggered by racing
between the free on the struct and the access through the `skbtxq`
global queue. This could lead to a denial of service condition or
potential code execution.
In aoecmd_cfg_pkts(), it always calls dev_put(ifp) when skb initial
code is finished. But the net_device ifp will still be used in
later tx()->dev_queue_xmit() in kthread. Which means that the
dev_put(ifp) should NOT be called in the success path of skb
initial code in aoecmd_cfg_pkts(). Otherwise tx() may run into
use-after-free because the net_device is freed.
This patch removed the dev_put(ifp) in the success path in
aoecmd_cfg_pkts(), and added dev_put() after skb xmit in tx().
Link: https://nvd.nist.gov/vuln/detail/CVE-2023-6270
Fixes: 7562f876cd93 ("[NET]: Rework dev_base via list_head (v3)")
Signed-off-by: Chun-Yi Lee <jlee@suse.com>
Link: https://lore.kernel.org/r/20240305082048.25526-1-jlee@suse.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Diffstat (limited to 'scripts/faddr2line')
0 files changed, 0 insertions, 0 deletions