Re: [PATCH] sh: push-switch: reorder cleanup operations to avoid UAF bug

From: Geert Uytterhoeven
Date: Mon Aug 14 2023 - 04:43:07 EST

Next message: Aleksa Sarai: "[PATCH v2 5/5] selftests: improve vm.memfd_noexec sysctl tests"
Previous message: Hans de Goede: "Re: [PATCH] hp-bioscfg: Update steps how order list elements are evaluated"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, Aug 2, 2023 at 5:46 AM Duoming Zhou <duoming@xxxxxxxxxx> wrote:
> The original code puts flush_work() before timer_shutdown_sync()
> in switch_drv_remove(). Although we use flush_work() to stop
> the worker, it could be re-scheduled in switch_timer. As a result,
> the UAF bug will happen. The detail is shown below:
>
> (cpu 0) | (cpu 1)
> switch_drv_remove() |
> flush_work() |
> ... | switch_timer //timer
> | schedule_work(&psw->work)
> timer_shutdown_sync() |
> ... | switch_work_handler //worker
> kfree(psw) //free |
> | psw->state = 0 //use
>
> This patch puts timer_shutdown_sync() before flush_work() to
> mitigate the bugs. As a result, the worker and timer could
> be stopped safely before the deallocate operations.
>
> Fixes: 9f5e8eee5cfe ("sh: generic push-switch framework.")
> Signed-off-by: Duoming Zhou <duoming@xxxxxxxxxx>

Reviewed-by: Geert Uytterhoeven <geert+renesas@xxxxxxxxx>

Gr{oetje,eeting}s,

Geert

--
Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- geert@xxxxxxxxxxxxxx

In personal conversations with technical people, I call myself a hacker. But
when I'm talking to journalists I just say "programmer" or something like that.
-- Linus Torvalds

Next message: Aleksa Sarai: "[PATCH v2 5/5] selftests: improve vm.memfd_noexec sysctl tests"
Previous message: Hans de Goede: "Re: [PATCH] hp-bioscfg: Update steps how order list elements are evaluated"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]