linux-stable/drivers/memstick/host
Zheng Wang 6326442278 memstick: r592: Fix UAF bug in r592_remove due to race condition
In r592_probe, dev->detect_timer was bound with r592_detect_timer.
In the r592_irq function, the timer function will be invoked by mod_timer.

If we remove the module, which will call hantro_release to do cleanup,
there may be unfinished work. The possible sequence is as follows,
which will cause a typical UAF bug.

Fix it by canceling the work before cleanup in r592_remove.

CPU0                  CPU1

                    |r592_detect_timer
r592_remove         |
  memstick_free_host|
  put_device;       |
  kfree(host);      |
                    |
                    | queue_work
                    |   &host->media_checker //use

Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
Link: https://lore.kernel.org/r/20230307164338.1246287-1-zyytlz.wz@163.com
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
2023-03-23 11:30:19 +01:00
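The interleaving in the commit message, replayed as an added userspace model (this is not the r592 driver's code and not kernel code): the kernel primitives mod_timer, del_timer_sync, queue_work and memstick_free_host are replaced by small stand-ins with the same names, "freeing" only records the object's address range so the model stays well-defined while it detects the use, and the single-slot timer wheel, the container_of layout of r592_device inside the host allocation, and the replay_race() driver are assumptions made for the example. It shows why the timer must be cancelled before the host is freed: with the cancel, the callback can never run after the free.

```c
/* Added example, not driver code: model of the r592_remove timer/work race. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

struct work_struct { int pending; };
struct timer_list { void (*function)(struct timer_list *); };

struct memstick_host {
    struct work_struct media_checker;
    size_t alloc_size;   /* model bookkeeping for the freed-range check */
    char priv[];         /* memstick_priv(): driver data shares the allocation */
};

struct r592_device {
    struct memstick_host *host;
    struct timer_list detect_timer;
};

/* --- stand-ins for kernel infrastructure (assumed, simplified) ----------- */
static struct timer_list *armed_timer;               /* one-slot "timer wheel" */
static struct { const char *start; size_t size; } freed[8];
static int nfreed;
static int dangling_uses;                             /* queue_work() on freed memory */

static void mod_timer(struct timer_list *t) { armed_timer = t; }

/* del_timer_sync(): deactivates the timer; returns 1 if it was pending */
static int del_timer_sync(struct timer_list *t)
{
    if (armed_timer != t) return 0;
    armed_timer = NULL;
    return 1;
}

/* run the armed timer once, as the timer softirq on CPU1 would */
static void fire_timers(void)
{
    struct timer_list *t = armed_timer;
    armed_timer = NULL;
    if (t) t->function(t);
}

static bool in_freed_range(const void *p)
{
    for (int i = 0; i < nfreed; i++)
        if ((const char *)p >= freed[i].start &&
            (const char *)p < freed[i].start + freed[i].size)
            return true;
    return false;
}

/* queue_work(): writes into the work_struct, so a freed one is a UAF */
static void queue_work(struct work_struct *work)
{
    if (in_freed_range(work)) { dangling_uses++; return; }
    work->pending = 1;
}

/* memstick_free_host() -> put_device() -> kfree(host): the model records the range */
static void memstick_free_host(struct memstick_host *host)
{
    freed[nfreed].start = (const char *)host;
    freed[nfreed].size = host->alloc_size;
    nfreed++;
}

/* --- the driver side ------------------------------------------------------ */
/* timer callback: re-checks the slot through the host's work item */
static void r592_detect_timer(struct timer_list *t)
{
    struct r592_device *dev = container_of(t, struct r592_device, detect_timer);
    queue_work(&dev->host->media_checker);   /* the "//use" in the commit's diagram */
}

static struct r592_device *r592_probe(void)
{
    size_t sz = sizeof(struct memstick_host) + sizeof(struct r592_device);
    struct memstick_host *host = calloc(1, sz);          /* memstick_alloc_host() */
    struct r592_device *dev = (struct r592_device *)host->priv;
    host->alloc_size = sz;
    dev->host = host;
    dev->detect_timer.function = r592_detect_timer;      /* timer_setup() */
    return dev;
}

static void r592_remove(struct r592_device *dev, bool cancel_timer_first)
{
    if (cancel_timer_first)
        del_timer_sync(&dev->detect_timer);  /* the fix: no callback can run after this */
    memstick_free_host(dev->host);
}

/* Replays: r592_irq arms the timer, r592_remove runs on CPU0, timer fires on CPU1.
 * Returns how many work-queue operations touched freed memory. */
static int replay_race(bool fixed)
{
    nfreed = 0; dangling_uses = 0; armed_timer = NULL;
    struct r592_device *dev = r592_probe();
    struct memstick_host *host = dev->host;

    mod_timer(&dev->detect_timer);   /* r592_irq */
    r592_remove(dev, fixed);         /* CPU0 */
    fire_timers();                   /* CPU1: r592_detect_timer */

    int uses = dangling_uses;
    free(host);                      /* really release the model's memory */
    return uses;
}

int main(void)
{
    printf("unfixed ordering: %d use(s) of freed host\n", replay_race(false));
    printf("fixed ordering:   %d use(s) of freed host\n", replay_race(true));
    return 0;
}
```

The model deliberately keeps the freed memory mapped so the dangling access is counted rather than crashing; in the kernel the same access is a write into a kfree'd slab object, which is what KASAN would report for the unfixed ordering.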
jmb38x_ms.c memstick: jmb38x_ms: use appropriate free function in jmb38x_ms_alloc_host() 2021-10-12 10:24:39 +02:00
Kconfig memstick: Fix Kconfig indentation 2019-11-21 12:25:59 +01:00
Makefile License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
r592.c memstick: r592: Fix UAF bug in r592_remove due to race condition 2023-03-23 11:30:19 +01:00
r592.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
rtsx_pci_ms.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 17 2019-05-21 11:28:46 +02:00
rtsx_usb_ms.c memstick: rtsx_usb_ms: fix UAF 2021-06-14 13:57:39 +02:00
tifm_ms.c memstick: switch from 'pci_' to 'dma_' API 2021-08-24 16:59:39 +02:00