[Bug 1210685] New: Use after free bug in emac_remove due to race condition
http://bugzilla.suse.com/show_bug.cgi?id=1210685

            Bug ID: 1210685
           Summary: Use after free bug in emac_remove due to race condition
    Classification: openSUSE
           Product: openSUSE Distribution
           Version: Leap 16.0
          Hardware: x86-64
                OS: All
            Status: NEW
          Severity: Major
          Priority: P5 - None
         Component: Kernel
          Assignee: kernel-bugs@opensuse.org
          Reporter: hackerzheng666@gmail.com
        QA Contact: qa-bugs@suse.de
  Target Milestone: ---
          Found By: ---
           Blocker: ---

In emac_probe, &adpt->work_thread is bound with emac_work_thread. Then it will be started by the timeout handler emac_tx_timeout or an IRQ handler emac_isr. If we remove the driver, which will call emac_remove to make cleanup, there may be unfinished work. The possible sequence is as follows:

CPU0                 CPU1

                    |emac_work_thread
emac_remove         |
free_netdev         |
kfree(netdev);      |
                    |emac_reinit_locked
                    |emac_mac_down
                    |//use netdev

Fix it by finishing the work before cleanup in the emac_remove and disable timeout response.

This bug has been submitted to upstream and got fixed in [1]

[1] https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=6b...

This is a bug reported by me and has been merged in following releases:

Linux kernel 4.14
Linux kernel 4.19
Linux kernel 5.4
Linux kernel 5.10
Linux kernel 5.15
Linux kernel 6.1
Linux kernel 6.2

Also, this has been fixed in SUSE [2]

Could you please assign CVE for this?

[2] https://lists.suse.com/pipermail/sle-security-updates/2023-April/014436.html

-- 
You are receiving this mail because:
You are the assignee for the bug.
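The race above, and the fix the report describes (finish the queued work and stop the timeout path from re-queueing it before the netdev is freed), modelled as a single-threaded userspace C program. This is an added illustration, not the emac driver's code and not the upstream patch, which this page does not reproduce; the types netdev_model and work_model, the counters, and the *_model helpers are invented stand-ins for struct net_device, the work item, schedule_work(), and the cancel_work_sync()-style wait that a fix of this shape uses. The "freed" state is modelled by clearing an alive flag so that the handler's touch of dead memory can be counted instead of being undefined behaviour.

```c
/* Added example: a model of the emac_remove race and its fix.
 * Nothing here is the driver's own code; every identifier is hypothetical. */
#include <stdbool.h>
#include <stdlib.h>

struct netdev_model {
    bool alive;        /* cleared by free_netdev_model(); stands in for kfree'd memory */
    int  reinit_count; /* times the work handler reinitialised the MAC */
};

/* One deferred work item, like adpt->work_thread bound to emac_work_thread. */
struct work_model {
    bool pending;       /* queued but not yet picked up by the workqueue */
    bool shutting_down; /* set on remove: timeout/IRQ may no longer queue */
    struct netdev_model *netdev;
};

/* Counters the tests read back. */
static int uaf_detected;  /* handler ran against a netdev that was already freed */
static int queue_refused; /* emac_tx_timeout/emac_isr tried to queue after remove */
static int last_reinit;   /* reinit_count of the netdev when the scenario ended */

/* emac_work_thread analogue: emac_reinit_locked -> emac_mac_down -> uses netdev. */
static void work_handler(struct work_model *w)
{
    struct netdev_model *nd = w->netdev;
    if (!nd->alive) {      /* in the real kernel this dereference is the UAF */
        uaf_detected++;
        return;
    }
    nd->reinit_count++;
}

/* schedule_work analogue, called from the timeout handler or the IRQ handler. */
static bool queue_work_model(struct work_model *w)
{
    if (w->shutting_down) {
        queue_refused++;   /* "disable timeout response" part of the fix */
        return false;
    }
    w->pending = true;
    return true;
}

/* The workqueue thread (CPU1 in the report) picking the item up later. */
static void run_pending_work(struct work_model *w)
{
    if (!w->pending)
        return;
    w->pending = false;
    work_handler(w);
}

/* cancel_work_sync-style helper: block re-queueing, then let queued work finish. */
static void cancel_work_sync_model(struct work_model *w)
{
    w->shutting_down = true;
    run_pending_work(w);   /* equivalent of waiting for in-flight work to complete */
}

static void free_netdev_model(struct netdev_model *nd) { nd->alive = false; }

/* Original emac_remove: netdev is freed while the work item is still pending. */
static int remove_unsafe(void)
{
    struct netdev_model nd = { .alive = true, .reinit_count = 0 };
    struct work_model w = { .pending = false, .shutting_down = false, .netdev = &nd };
    uaf_detected = queue_refused = 0;
    queue_work_model(&w);     /* emac_tx_timeout fired just before removal */
    free_netdev_model(&nd);   /* emac_remove -> free_netdev -> kfree(netdev) */
    run_pending_work(&w);     /* CPU1 now runs emac_work_thread on freed memory */
    last_reinit = nd.reinit_count;
    return uaf_detected;      /* 1: the handler touched the freed netdev */
}

/* Fixed emac_remove: finish the work and block the timeout path before freeing. */
static int remove_safe(void)
{
    struct netdev_model nd = { .alive = true, .reinit_count = 0 };
    struct work_model w = { .pending = false, .shutting_down = false, .netdev = &nd };
    uaf_detected = queue_refused = 0;
    queue_work_model(&w);
    cancel_work_sync_model(&w); /* work completes while netdev is still alive */
    free_netdev_model(&nd);
    queue_work_model(&w);       /* a late timeout can no longer queue new work */
    run_pending_work(&w);       /* nothing pending: no access to freed netdev */
    last_reinit = nd.reinit_count;
    return uaf_detected;        /* 0 */
}

static int refused_queue_count(void) { return queue_refused; }
static int last_reinit_count(void)   { return last_reinit; }
```

The ordering is the whole point: the cancel/flush must come before free_netdev, and the flag that refuses new queueing must be set before the flush, otherwise a timeout arriving between the flush and the free re-creates the same window.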
http://bugzilla.suse.com/show_bug.cgi?id=1210685

Zheng Wang <hackerzheng666@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Priority|P5 - None                   |P2 - High
                 CC|                            |hackerzheng666@gmail.com