Bug ID | 1210685 |
---|---|
Summary | Use after free bug in emac_remove due to race condition |
Classification | openSUSE |
Product | openSUSE Distribution |
Version | Leap 16.0 |
Hardware | x86-64 |
OS | All |
Status | NEW |
Severity | Major |
Priority | P5 - None |
Component | Kernel |
Assignee | kernel-bugs@opensuse.org |
Reporter | hackerzheng666@gmail.com |
QA Contact | qa-bugs@suse.de |
Target Milestone | --- |
Found By | --- |
Blocker | --- |
In emac_probe, &adpt->work_thread is bound with emac_work_thread. Then it will be started by the timeout handler emac_tx_timeout or an IRQ handler emac_isr. If we remove the driver, which will call emac_remove to make cleanup, there may be an unfinished work. The possible sequence is as follows:

```
CPU0                  CPU1
                     |emac_work_thread
emac_remove          |
free_netdev          |
kfree(netdev);       |
                     |emac_reinit_locked
                     |emac_mac_down
                     |//use netdev
```

Fix it by finishing the work before cleanup in the emac_remove and disable timeout response.

This bug has been submitted to upstream and got fixed in [1]

[1] https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=6b6bc5b8bd2d

This is a bug reported by me and has been merged in following releases:

- Linux kernel 4.14
- Linux kernel 4.19
- Linux kernel 5.4
- Linux kernel 5.10
- Linux kernel 5.15
- Linux kernel 6.1
- Linux kernel 6.2

Also, this has been fixed in SUSE [2]

Could you please assign CVE for this?

[2] https://lists.suse.com/pipermail/sle-security-updates/2023-April/014436.html
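The ordering problem above (free the netdev, then let queued work use it) and the shape of the fix (refuse new work, wait for in-flight work, then free) can be reproduced in a small user-space model. The following is an added example, not the reporter's text and not the kernel driver's code: a pthread stands in for the kernel work item, a `removing` flag stands in for disabling the timeout/IRQ paths from queuing new work, and `pthread_join` stands in for `cancel_work_sync()`; the `netdev_freed` flag and `uaf_events` counter are bookkeeping so the model can count a use-after-free instead of actually dereferencing freed memory. Names such as `struct adapter`, `queue_reinit` and `run_scenario` are hypothetical.

```c
/* Constructed user-space model of the emac_remove race (not the kernel driver's code). */
#include <pthread.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

struct netdev { char name[16]; };

struct adapter {
    struct netdev *netdev;
    atomic_bool netdev_freed;   /* set by free_netdev so the worker can *detect* a late use */
    atomic_bool work_pending;   /* stands in for schedule_work(&adpt->work_thread) */
    atomic_bool removing;       /* once set, the timeout/IRQ stand-ins must not queue work */
    atomic_int  uaf_events;     /* how often the worker touched netdev after it was freed */
    pthread_t   worker;
};

/* emac_work_thread stand-in: waits for one reinit request, performs it, then exits. */
static void *work_thread(void *arg)
{
    struct adapter *adpt = arg;
    while (!atomic_load(&adpt->work_pending)) {
        if (atomic_load(&adpt->removing))
            return NULL;                            /* cancelled before it ever ran */
        usleep(100);
    }
    struct netdev *ndev = adpt->netdev;             /* pointer captured, as the real work fn does */
    usleep(20000);                                  /* emac_reinit_locked/emac_mac_down take a while */
    if (atomic_load(&adpt->netdev_freed))
        atomic_fetch_add(&adpt->uaf_events, 1);     /* in the driver this is the real UAF */
    else
        (void)strlen(ndev->name);                   /* legitimate use while the netdev is alive */
    atomic_store(&adpt->work_pending, false);
    return NULL;
}

/* emac_tx_timeout / emac_isr stand-in: queues the reinit work unless removal has begun. */
static void queue_reinit(struct adapter *adpt)
{
    if (!atomic_load(&adpt->removing))
        atomic_store(&adpt->work_pending, true);
}

static void free_netdev_model(struct adapter *adpt)
{
    atomic_store(&adpt->netdev_freed, true);
    free(adpt->netdev);
    adpt->netdev = NULL;
}

/* Buggy order (as reported): free first, worker may still be running. */
static int remove_buggy(struct adapter *adpt)
{
    free_netdev_model(adpt);
    pthread_join(adpt->worker, NULL);               /* only so the model can read the counter */
    return atomic_load(&adpt->uaf_events);
}

/* Fixed order (as in the upstream fix): stop new work, finish in-flight work, then free. */
static int remove_fixed(struct adapter *adpt)
{
    atomic_store(&adpt->removing, true);            /* "disable timeout response" */
    pthread_join(adpt->worker, NULL);               /* stands in for cancel_work_sync() */
    free_netdev_model(adpt);
    return atomic_load(&adpt->uaf_events);
}

/* Probe, fire one TX timeout while the worker is busy, then remove; returns UAF count. */
static int run_scenario(int (*remove_fn)(struct adapter *))
{
    struct adapter adpt;
    adpt.netdev = calloc(1, sizeof *adpt.netdev);
    strcpy(adpt.netdev->name, "eth0");
    atomic_init(&adpt.netdev_freed, false);
    atomic_init(&adpt.work_pending, false);
    atomic_init(&adpt.removing, false);
    atomic_init(&adpt.uaf_events, 0);
    pthread_create(&adpt.worker, NULL, work_thread, &adpt);
    queue_reinit(&adpt);                            /* the timeout handler fires */
    usleep(5000);                                   /* worker is now inside the reinit */
    return remove_fn(&adpt);
}
```

`run_scenario(remove_buggy)` reports one late use of the freed netdev, `run_scenario(remove_fixed)` reports none; the only difference is that the fixed path refuses new work and waits for the in-flight work item before freeing, which is exactly the ordering the upstream commit enforces in emac_remove.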