Bug ID 1210685
Summary Use after free bug in emac_remove due to race condition
Classification openSUSE
Product openSUSE Distribution
Version Leap 16.0
Hardware x86-64
OS All
Status NEW
Severity Major
Priority P5 - None
Component Kernel
Assignee kernel-bugs@opensuse.org
Reporter hackerzheng666@gmail.com
QA Contact qa-bugs@suse.de
Target Milestone ---
Found By ---
Blocker ---

In emac_probe, &adpt->work_thread is bound with
emac_work_thread. Then it will be started by the timeout
handler emac_tx_timeout or an IRQ handler emac_isr.

If we remove the driver, which will call emac_remove
to make cleanup, there may be an unfinished work.

The possible sequence is as follows:

CPU0                  CPU1

                    |emac_work_thread
emac_remove         |
free_netdev         |
kfree(netdev);      |
                    |emac_reinit_locked
                    |emac_mac_down
                    |//use netdev

Fix it by finishing the work before cleanup in the emac_remove
and disable timeout response.

This bug has been submitted to upstream and got fixed in [1].

[1]
https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=6b6bc5b8bd2d

This is a bug reported by me and has been merged in the following releases:

Linux kernel 4.14
Linux kernel 4.19
Linux kernel 5.4
Linux kernel 5.10
Linux kernel 5.15
Linux kernel 6.1
Linux kernel 6.2

Also, this has been fixed in SUSE [2].

Could you please assign CVE for this?

[2]
https://lists.suse.com/pipermail/sle-security-updates/2023-April/014436.html
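The race in the report is a teardown-ordering problem: the reset work queued by emac_tx_timeout or emac_isr can still run after free_netdev has released the netdev it touches. The following user-space model is an added example, not code from the report, the kernel or the upstream fix. All names prefixed model_ are hypothetical stand-ins: the "work thread" is a single pending slot run explicitly, "cancel_work_sync" is modelled by draining that slot before teardown continues, and the netdev stays allocated with a freed flag so that the use-after-free is counted instead of corrupting memory. It contrasts the racy order (free, then stale work runs) with the fix pattern the report names (disable the timeout response, finish pending work, only then free).

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Model of the netdev: stays allocated so the "freed" flag can be inspected;
 * in the kernel the memory is really gone after free_netdev(). */
struct model_netdev {
    bool freed;
    int  mac_down_calls;
};

/* Hypothetical stand-in for the driver's private adapter struct. */
struct model_adapter {
    struct model_netdev *netdev;
    bool work_pending;        /* a queued emac_work_thread */
    bool timeouts_enabled;    /* whether emac_tx_timeout may still queue work */
    int  uaf_hits;            /* detector: work ran against a freed netdev */
};

/* emac_tx_timeout / emac_isr in the report: both queue the reset work. */
static void model_schedule_reset(struct model_adapter *adpt)
{
    if (adpt->timeouts_enabled)
        adpt->work_pending = true;
}

/* emac_work_thread -> emac_reinit_locked -> emac_mac_down, which uses netdev. */
static void model_work_thread(struct model_adapter *adpt)
{
    if (!adpt->work_pending)
        return;
    adpt->work_pending = false;
    if (adpt->netdev->freed) {
        adpt->uaf_hits++;          /* in the kernel: a real use-after-free */
        return;
    }
    adpt->netdev->mac_down_calls++;
}

/* Teardown as described in the report: free first, pending work runs later. */
static int model_remove_racy(struct model_adapter *adpt)
{
    adpt->netdev->freed = true;    /* free_netdev() on CPU0 */
    model_work_thread(adpt);       /* stale work runs on CPU1 */
    return adpt->uaf_hits;
}

/* Teardown with the fix pattern the report names: stop new work, finish
 * pending work (cancel_work_sync in the kernel), only then free. */
static int model_remove_fixed(struct model_adapter *adpt)
{
    adpt->timeouts_enabled = false; /* disable timeout response */
    model_work_thread(adpt);        /* drain work before cleanup */
    adpt->netdev->freed = true;     /* free_netdev() */
    model_schedule_reset(adpt);     /* a late timeout must be a no-op now */
    model_work_thread(adpt);
    return adpt->uaf_hits;
}

/* Run one teardown with a work item already queued; returns the UAF count. */
int model_run_scenario(bool fixed)
{
    struct model_netdev *ndev = calloc(1, sizeof *ndev);
    struct model_adapter adpt = { .netdev = ndev, .timeouts_enabled = true };
    int hits;

    if (!ndev)
        return -1;
    model_schedule_reset(&adpt);      /* timeout fires just before rmmod */
    hits = fixed ? model_remove_fixed(&adpt) : model_remove_racy(&adpt);
    free(ndev);
    return hits;
}

int main(void)
{
    printf("racy remove: %d use-after-free, fixed remove: %d\n",
           model_run_scenario(false), model_run_scenario(true));
    return 0;
}
```

The point the model makes is that disabling the trigger alone is not enough: work that was queued before the trigger was disabled must still be finished or cancelled before the object it dereferences is freed, which is why both halves of the described fix are needed.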
