From patchwork Fri Feb 7 16:55:32 2025
X-Patchwork-Submitter: Alexey Panov
X-Patchwork-Id: 13972880
From: Alexey Panov
To: stable@vger.kernel.org, Greg Kroah-Hartman
Cc: Alexey Panov, Alexandre Belloni, linux-i3c@lists.infradead.org, linux-kernel@vger.kernel.org, lvc-project@linuxtesting.org, Kaixin Wang
Subject: [PATCH 6.1] i3c: master: cdns: Fix use after free vulnerability in cdns_i3c_master Driver Due to Race Condition
Date: Fri, 7 Feb 2025 19:55:32 +0300
Message-Id: <20250207165532.29963-1-apanov@astralinux.ru>
From: Kaixin Wang

[ Upstream commit 609366e7a06d035990df78f1562291c3bf0d4a12 ]

In the cdns_i3c_master_probe function, &master->hj_work is bound with
cdns_i3c_master_hj. And cdns_i3c_master_interrupt can call
cdns_i3c_master_demux_ibis function to start the work.

If we remove the module which will call cdns_i3c_master_remove to
make cleanup, it will free master->base through i3c_master_unregister
while the work mentioned above will be used. The sequence of
operations that may lead to a UAF bug is as follows:

CPU0                                    CPU1

                                      | cdns_i3c_master_hj
cdns_i3c_master_remove                |
 i3c_master_unregister(&master->base) |
  device_unregister(&master->dev)     |
   device_release                     |
   //free master->base                |
                                      | i3c_master_do_daa(&master->base)
                                      | //use master->base

Fix it by ensuring that the work is canceled before proceeding with
the cleanup in cdns_i3c_master_remove.

Signed-off-by: Kaixin Wang
Link: https://lore.kernel.org/r/20240911153544.848398-1-kxwang23@m.fudan.edu.cn
Signed-off-by: Alexandre Belloni
Signed-off-by: Alexey Panov
---
Backport fix for CVE-2024-50061

 drivers/i3c/master/i3c-master-cdns.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/i3c/master/i3c-master-cdns.c b/drivers/i3c/master/i3c-master-cdns.c
index 35b90bb686ad..c5a37f58079a 100644
--- a/drivers/i3c/master/i3c-master-cdns.c
+++ b/drivers/i3c/master/i3c-master-cdns.c
@@ -1667,6 +1667,7 @@ static int cdns_i3c_master_remove(struct platform_device *pdev)
 {
 	struct cdns_i3c_master *master = platform_get_drvdata(pdev);
 
+	cancel_work_sync(&master->hj_work);
 	i3c_master_unregister(&master->base);
 	clk_disable_unprepare(master->sysclk);
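Review bot: cancel_work_sync() only drains the hj_work instance that is queued or running at the moment it is called; the commit message says cdns_i3c_master_interrupt can queue it again through the demux path, and the hunk shows nothing that quiesces that interrupt source between `cancel_work_sync(&master->hj_work);` and `i3c_master_unregister(&master->base);`. Please confirm, and state in a short comment above the new call, that no IBI can be delivered once remove() has started (for example because the interrupt is disabled earlier in this function or by i3c_master_unregister() itself); otherwise a re-queue in that window reopens the use-after-free this backport closes.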
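To make the ordering in the commit message concrete, here is an added user-space model of the race; it is not the driver's code and does not use the kernel workqueue API. A pthread worker plays the role of the work item, `cancel_work_sync_model()` is a hypothetical stand-in for `cancel_work_sync()`, the `cdns_model_*` names are invented, and a `base_alive` flag stands in for the memory that `i3c_master_unregister()` releases so that the model runs without undefined behaviour. `cdns_model_remove(false)` reproduces the unfixed `cdns_i3c_master_remove()`, `cdns_model_remove(true)` the patched one.

```c
#define _POSIX_C_SOURCE 200809L
#include <pthread.h>
#include <stdbool.h>
#include <stdio.h>
#include <time.h>

/* User-space model (added example, not the driver's code) of the race in the
 * commit message: hj_work stands for master->hj_work, base_alive for the
 * lifetime of master->base. All cdns_model_* names are hypothetical. */
struct cdns_model;
struct hj_work {
	pthread_mutex_t lock;
	pthread_cond_t cv;
	bool pending, running, stop;   /* queued / handler executing / exit */
	pthread_t thread;
	struct cdns_model *master;
};
struct cdns_model {
	struct hj_work hj_work;
	bool base_alive;         /* false once i3c_master_unregister() released it */
	int use_after_release;   /* handler touched master->base after release */
};

/* Model of cdns_i3c_master_hj(): the sleep widens the window between "work
 * started" and "work dereferences master->base". */
static void cdns_model_hj(struct cdns_model *m)
{
	struct timespec ts = { 0, 50 * 1000 * 1000 };   /* 50 ms */
	nanosleep(&ts, NULL);
	pthread_mutex_lock(&m->hj_work.lock);
	if (!m->base_alive)
		m->use_after_release++;   /* in the real driver this is the UAF */
	pthread_mutex_unlock(&m->hj_work.lock);
}

/* Worker thread: runs one handler per queued instance until told to stop. */
static void *worker(void *arg)
{
	struct hj_work *w = arg;
	pthread_mutex_lock(&w->lock);
	while (!w->stop) {
		if (!w->pending) { pthread_cond_wait(&w->cv, &w->lock); continue; }
		w->pending = false;
		w->running = true;
		pthread_cond_broadcast(&w->cv);
		pthread_mutex_unlock(&w->lock);
		cdns_model_hj(w->master);
		pthread_mutex_lock(&w->lock);
		w->running = false;
		pthread_cond_broadcast(&w->cv);
	}
	pthread_mutex_unlock(&w->lock);
	return NULL;
}

/* Model of the IBI path (interrupt -> demux_ibis -> queue_work), then block
 * until the handler has started: CPU1's position in the diagram. */
static void raise_ibi_and_wait(struct hj_work *w)
{
	pthread_mutex_lock(&w->lock);
	w->pending = true;
	pthread_cond_broadcast(&w->cv);
	while (!w->running)
		pthread_cond_wait(&w->cv, &w->lock);
	pthread_mutex_unlock(&w->lock);
}

/* Model of cancel_work_sync(): drop a pending instance and wait for a running
 * one to finish, so no handler can touch the object after this returns. */
static void cancel_work_sync_model(struct hj_work *w)
{
	pthread_mutex_lock(&w->lock);
	w->pending = false;
	while (w->running)
		pthread_cond_wait(&w->cv, &w->lock);
	pthread_mutex_unlock(&w->lock);
}

/* One IBI -> remove sequence; returns how often the handler used master->base
 * after release (0 is the safe result). */
int cdns_model_remove(bool cancel_first)
{
	struct cdns_model m = { .base_alive = true };
	struct hj_work *w = &m.hj_work;
	pthread_mutex_init(&w->lock, NULL); pthread_cond_init(&w->cv, NULL);
	w->master = &m;
	pthread_create(&w->thread, NULL, worker, w);
	raise_ibi_and_wait(w);    /* CPU1 is now inside cdns_i3c_master_hj */
	if (cancel_first)         /* CPU0: cdns_i3c_master_remove() */
		cancel_work_sync_model(w);   /* the backported one-line fix */
	pthread_mutex_lock(&w->lock);
	m.base_alive = false;     /* i3c_master_unregister() -> device_release */
	w->stop = true;
	pthread_cond_broadcast(&w->cv);
	pthread_mutex_unlock(&w->lock);
	pthread_join(w->thread, NULL);
	pthread_mutex_destroy(&w->lock); pthread_cond_destroy(&w->cv);
	return m.use_after_release;
}

int main(void)
{
	printf("without cancel_work_sync: %d use(s) after release\n", cdns_model_remove(false));
	printf("with cancel_work_sync:    %d use(s) after release\n", cdns_model_remove(true));
	return 0;
}
```

The model forces the interleaving the diagram describes by waiting until the handler is already running before "CPU0" releases the object, which is why the unfixed path always reports one use after release; in the real driver the window is only hit when an IBI arrives while the module is being removed, which is what makes the bug hard to see in testing but still exploitable by timing.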